The modern “trusted enterprise” is synonymous with a near-universal technology called Secure Shell (SSH). Rather than logging into a server with a traditional username and password, which are hard to remember and subject to loss, theft, or compromise, server administrators typically authenticate to their target machines using a trusted SSH key. The key substitutes user credentials, effectively allowing the administrator to log into the system through the key.
What is SSH? The SSH Protocol
Secure Shell (SSH), also called the SSH Protocol, embodies a cryptographic network protocol, vital for secure remote access across an unsecured network. Primarily favored by system administrators, SSH facilitates encrypted data communications and robust authentication between two devices, thereby offering a safe and reliable connection over an open network like the internet. As an evolution over unprotected login protocols (e.g., telnet, rlogin) and insecure file transfer methods (e.g., FTP), SSH extends secure connectivity that is both centered around the cryptographic network protocol and the accompanying utilities that put this protocol into action. Notably, an SSH server typically utilizes the standard Transmission Control Protocol (TCP) port 22, establishing a solid base for secure network communication.
Ubiquitous usage, combined with relative low-profile visibility and poor management controls, makes SSH an enticing target for exploitation. Once compromised, SSH keys can be used by cyber criminals to gain privileged access to servers and perform nefarious activities, while remaining undetected.
Where does SSH come from?
The first version of SSH appeared in 1995 and was designed by Tatu Ylönen, who was, at the time, a researcher at Helsinki University of Technology. Over time various flaws have been found in SSH-1, and that version is now considered to be deprecated and not safe to use.
SSH-2, the current version of secure shell protocols, was adopted as a Standards Track specification by the Internet Engineering Task Force (IETF) in 2006 (RFC 4251, 4252, 4253, 4254). SSH-2 is not compatible with SSH-1 and uses a Diffie-Hellman key exchange and a stronger integrity check to improve security.
What is SSH used for?
The protocol is used in corporate networks for providing secure access for users and automated processes, facilitating interactive and automated file transfers, issuing remote commands, and managing network infrastructure and other mission-critical system components. SSH is also important in cloud computing to solve connectivity problems, avoiding the security issues of exposing a cloud-based virtual machine directly on the Internet.
There are various SSH implementations, such as Tectia SSH client & server for Windows, Unix and Linux, PuTTY client for Windows and Linux, WinSCP client for Windows, CyberDuck client for Mac and OpenSSH server for Unix, Linux.
How does the SSH Protocol work?
The protocol works in the client-server model, which means that the connection is established by the SSH client connecting to the SSH server. The SSH client drives the connection setup process and uses public key cryptography to verify the identity of the SSH server. After the setup phase the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data that is exchanged between the client and server.
Discover how unprotected SSH keys leave your most sensitive systems and data vulnerable through this video and articles
How are SSH keys authenticated?
The figure below presents a simplified setup flow of a secure shell connection.
There are several options that can be used for user authentication. The most common ones are passwords and public key authentication. The public key authentication method is primarily used for automation and sometimes by system administrators for single sign-on. The idea is to have a cryptographic key pair, a public key, and a private key, and configure the public key on a server to authorize access and grant access to the server to anyone who has a copy of the private key. The keys used for authentication are called SSH keys. SSH keys can be used to automate access to servers. They are commonly used in scripts, backup systems, configuration management tools, and by developers and sysadmins. They also provide single sign-on, allowing the user to move between his/her accounts without having to type a password every time. This works even across organizational boundaries and is highly convenient.
However, poorly managed SSH keys can become a major risk in larger organizations. Large organizations, like the banking sector, retailers and healthcare have more SSH keys than they imagine and managing SSH keys has become very important. Enterprises using SSH should consider finding ways to manage host keys stored on their client systems. Ensuring proper policies, processes, and audits also for SSH usage is critical for proper identity and access management.
Is SSH encrypted and secure?
The SSH protocol is believed to be secure against cryptographic attacks on the network, provided keys and credentials are properly managed. Because of the importance of SSH keys, there is a strong interest from intelligence organizations and other attackers towards SSH credentials. They are a primary way for hackers to spread within the target organization. Such was the case of the alleged CIA hacking tools BothanSpy and Gyrfalcon that were targeting various SSH implementations with the objective of stealing SSH keys and pass-phrases.
Discovered SSH vulnerabilities highlight the importance of SSH keys security. SSH keys protect against man-in-the-attacks, but they need to be properly managed. Organizations need to implement SSH security policies or solutions which cater for restricted SSH access configurations, and periodical changes or whenever a compromise is suspected.