SSH is a protocol and software suite used for securely transmitting data, application tunneling and remote systems administration. It is deployed on millions of servers and is used in almost all data center environments. Privileged users, such as system administrators and application developers, use SSH for secure interactive and remote access. SSH is even more widely used for automated machine-to-machine processes including backups, database updates, system health monitoring applications and automated systems management. In short, SSH performs a critical role in the functioning of the modern, highly automated digital networks found in every business or data center.
SSH is a total solution to allow trusted, encrypted connections to other systems, networks, and platforms, which can be remote, in the data cloud, or distributed across many locations. It replaces separate security measures that previously were used to encrypt data transfers between computers. However, that usage is rarely appropriately secured, routinely assessed, documented, and managed in a systematic and risk-aware way. As a result, poor SSH access controls within IT environments constitute a major operational and security risk. SSH users and businesses using SSH encryption must do everything necessary to protect the security of their SSH encryption keys and other elements to uphold the trust placed in the system.
All About SSH Keys
SSH keys enable the automation that makes modern cloud services and other computer-dependent services possible and cost-effective. They offer convenience and improved security when properly managed.
Functionally SSH keys resemble passwords. They grant access and control who can access what. In identity and access management, they need similar policies, provisioning, and termination as user accounts and passwords. One cannot have confidentiality, integrity, or any guarantees of continued availability of systems without controlling SSH keys. Technically the keys are cryptographic keys using a public key cryptosystem. However, functionally they are authentication credentials and need to be managed as such.
SSH keys can be categorized according to the function they perform. There are user keys, host keys and session keys.
User keys are authorized and identity keys. An authorized key in SSH is a public key used for granting login access to users. The authentication mechanism is called public key authentication. They are analogous to locks that the corresponding private key can open. Identity keys are private keys that an SSH client uses to authenticate itself when logging into an SSH server. They are analogous to physical keys that can open one or more locks. Authorized keys and identity keys relate to user authentication, as opposed to host keys that are used for host authentication.
Host keys are used for authenticating hosts, i.e., computers. Their purpose is to prevent man-in-the-middle attacks. Certificate-based host authentication can be a very attractive alternative in large organizations. It allows device authentication keys to be rotated and managed conveniently and every connection to be secured. One of the unique features of SSH is that by default, it trusts and remembers the host's key when first connecting to it. The resulting ease of deployment was one of the main reasons SSH became successful.
A session key in SSH is an encryption key used for encrypting the bulk of the data in a connection. The session key is negotiated during the initialization of the connection and then used with a symmetric encryption algorithm and a message authentication code algorithm to protect the data.
How does authentication in SSH work?
Initializing a connection in SSH consists of negotiating the version of the protocol, the cryptographic algorithms, and the session key to use, authenticating the server using its host key and the user using a password, public key authentication, or other means. Upon completion of the negotiation process, data can be exchanged, including terminal data, graphics, and files.
Public key authentication is inherently more secure than other forms of authentication such as passwords. In fact, within both government and commercial sectors, key-based authentication is widely used for both human and machine-to-machine privileged access. Improperly managed SSH keys can be leveraged by attackers to penetrate the IT infrastructure and move freely across a network without detection. The compromise of just one private key can be leveraged to configure hard-to-notice backdoors, to bypass privileged access control solutions and to perpetrate large-scale attacks and data breaches.
Improper SSH key management can and will create significant vulnerabilities, which have been identified in the NIST Interagency Report 7966 (NISTIR 7966) “Security of Interactive and Automated Access Management Using Secure Shell (SSH)”, coauthored among others by Venafi’s Paul Turner. These vulnerabilities can be categorized as follows:
- The SSH implementation could have vulnerabilities that allow to be exploited in order to gain unauthorized access to communications or systems, which in turn facilitate unauthorized access.
- Stolen, leaked, derived, and unterminated SSH user keys pose a similar problem to compromised user account credentials and may provide unauthorized access to one or more servers.
- Backdoors by authorized user keys created to bypass the privileged access management system which are not audited and, hence, remain unnoticed for long time periods.
- Users may, intentionally or unintentionally, use identity keys for purposes for which they were not intended.
- Malware can be engineered to use SSH keys to spread (pivot) to most servers in an organization after penetrating the first few servers when automated access is allowed.
- One of the greatest ongoing challenges to the security of SSH-based systems is the potential for human error due to the complexity of SSH management and the lack of knowledge many administrators have regarding secure SSH configuration and management.
SSH keys are a critical access management problem
Since SSH is the primary secure access method used for administration and automated processes on mission critical systems, its security is crucial. The privileges granted to users and automated processes via SSH are typically elevated privileges. The security of SSH-based automated access, and even interactive access, has been largely ignored to date. Over the last few years, it has turned out that many large scale organizations, ranging from the banking sector and healthcare organizations to big retailers, have massive numbers of SSH keys in their environment. These keys grant access to resources such as production servers, databases, routers, firewalls, disaster recovery systems, financial data, payment systems, intellectual property, and patient information. Users have been able to create and install keys without oversight and controls. This has led to violations of corporate access policies and dangerous backdoors which in turn facilitate the launch of successful attacks through the otherwise trusted encrypted tunnels.
Information security starts from controlling who is given access to systems and data. If there is no control over access, there is no security, no confidentiality, no integrity, and no guarantees of continued operation.