SSH is ubiquitous. It is the de-facto solution for remote administration of critical systems. But SSH key-based authentication has some challenging issues when it comes to usability, operability and security. SSH certificates offer a fantastic method to solve some of the pain points that we’ve experienced with SSH keys. SSH certificates are digitally signed objects that have metadata like username/hostname, restrictions, end date, and more. This helps avoid many of the challenges and risks associated with traditional SSH keys because usage can be tracked and, like TLS certificates, they are set to expire and need to be renewed regularly to support security initiatives.
The pain points of SSH keys management
SSH key based authentication is far from perfect, and businesses face various pain points trying to manage the increasing number of SSH keys. These management challenges include:
- Poor user experience. SSH user on-boarding is slow and manual. Connecting to new hosts produces confusing security warnings. Since SSH keys are not governed by established protocols and processes, users are left with little guidance on how to manage them.
- SSH keys do not scale. Key sprawl is real issue when it comes to SSH key approval and distribution. Host names can’t be reused. Homegrown tools scatter SSH keys across your distributed enterprise making management a painful exercise.
- SSH encourages bad security practices. SSH rekeying is hard, so it’s not done. Users are exposed to key material and encouraged to reuse keys across devices. Keys are trusted permanently, and mistakes can be really damaging.
The good news is this is all easy to fix. None of these issues are inherent in the SSH protocol. They’re actually problems with SSH public key authentication. A surprisingly easy solution is to switch to SSH certificate authentication.
Say hello to SSH certificates
SSH certificate authentication eliminates public key approval and distribution. Instead of scattering public keys across static files, you associate a public key to a name with a digital certificate. The resulting SSH certificates can be cryptographically verified and, like traditional SSH keys, are exchanged between client and host during the SSH handshake.
To enable certificate authentication, simply configure clients and hosts to verify certificates using your CA’s public key (i.e., trust certificates issued by your CA). Static keys are no longer needed. Instead, peers learn one another’s public keys on demand, when connections are established, by exchanging certificates. Once certificates have been exchanged the protocol proceeds as it would with public key authentication.
Benefits of SSH certificates
What are the benefits of using SSH certificates? We will focus on three – user experience, operability, and security
- Improved user experience
Since certificate authentication uses certificates to communicate public key bindings, clients are always able to authenticate, even if it’s the first time connecting to a host. Once accepted, the client will not prompt the user again unless there is a new public key. This process is called Trust on First Use (TOFU).
- Enhanced operational benefits
Eliminating key approval and distribution has immediate operational benefits. You are no longer wasting effort and time on repetitive key management tasks. You also eliminate any recurring costs associated with monitoring and maintaining homegrown solutions for adding, removing, synchronizing, and auditing static public key files across your ecosystem.
The ability to issue SSH user certificates via a variety of authentication mechanisms also facilitates operational automation. If a cron job or script needs SSH access it can obtain an ephemeral SSH certificate automatically, when it’s needed, instead of being pre-provisioned with a long-lived, static private key.
- Improved security
While the SSH protocol itself is secure, public key authentication encourages bad security practices and makes good security hygiene hard to achieve. With public key authentication, keys are trusted permanently. A compromised private key or illegitimate key binding may go unnoticed or unreported for a long time. Key management oversights, such as forgetting to remove a former employee’s public keys from hosts, can result in unauthorized access.
SSH certificates, on the other hand, expire. Short-lived certificates minimize the damage of compromised credentials, even if the security incident goes unnoticed. Access expires naturally if no action is taken to extend it. And when SSH users and hosts check in periodically with your CA to renew their credentials, a complete audit record is produced as a byproduct.
Public key authentication also makes rekeying difficult for users. What is worse, users often copy private keys and reuse them across devices. Key reuse is a serious security flaw. Private keys are never supposed to be transferred across a network. It’s a recipe for misuse and abuse. SSH certificates eliminate these problems by making it easy to manage certificates and onboard new users and hosts.
These are just a few advantages of SSH certificates but it’s clear that SSH certificates are here to help enforce SSH policies, reduce the complexity of managing SSH keys and minimize your threat vector when it comes to SSH.
Venafi SSH Protect safeguards enterprise SSH machine identities and the host-to-host connections they enable by discovering, protecting and automating their lifecycle. Plus, it provides you with an easy path to upgrade to SSH certificates. To learn how you can get an accurate and prioritized view of your enterprise SSH keys and the risks associated with them, as well as mitigation recommendations, contact our experts or sign up for Venafi’s free confidential SSH risk assessment.