Everything You Need to Know About SSH Keys

SSH keys are an extremely important measure for organizations to communicate and manage systems securely. However, for this procedure to provide the necessary level of security, it is essential to adopt good practices.

‍

To begin, here are two news stories about breached SSH credentials:

‍

The first case took place in 2019, but it was only identified in 2020, and it involves the website host company GoDaddy. The domain registrar announced it had become the target of a breach that affected the SSH credentials of approximately 28,000 users at the time. A malicious actor could have bypassed its security systems and accessed SSH login data hosted on its servers.

‍

Luckily there were no major issues, but its users were notified. The company had to reset the usernames and passwords that were exposed and block the unauthorized party.

‍

The second case was in 2021 when GitHub received a warning from developer Axosoft about the vulnerability of a dependency on their git GUI client – GitKraken, which was generating weak keys. Therefore, it revoked all keys generated by vulnerable client versions used on GitHub.com.

‍

Other possibly weak keys generated by other clients that could have used the same vulnerable dependency were also revoked. The company still needed to implement safeguards to prevent vulnerable versions of GitKraken from adding weak SSH keys created by older versions.

‍

These two case studies demonstrate that large organizations can manage their SSH protocol improperly and increase risk vulnerability for their systems.

‍

To help, we created this article for you all about SSH keys, and divided the text into the following topics: 

‍

1. SSH Protocol: What is It and Why is It Important?
2. History of SSH
3. Benefits of SSH Key Authentication
4. What Are the SSH Key Types?
5. How SSH Keys are Generated
6. How SSH Keys Access Works
7. How to Strengthen the Security of SSH Keys
8. SSH Key Encryption Categories
9. SSH Key Security Data
10. senhasegura’s SSH Key Management
11. Conclusion

‍

Currently used in servers and data center environments, SSH is a protocol that allows the transmission of data, enabling the encapsulation of applications.

‍

With SSH keys, system administrators and application developers have interactive access to remote systems securely. It is a feature widely used in database updates, backups, automated systems management, and system health monitoring applications.

‍

In practice, SSH keys play a very important role in the functioning of automated digital networks used in data centers and businesses in general.

‍

This solution guarantees encrypted connections with other systems, platforms, and networks that can be distributed in different environments, either remotely or in the cloud.

‍

SSH keys replace isolated security techniques that are useful for encrypting data transfers. However, this use needs to be properly protected, analyzed periodically, documented, and managed systematically. If this process is not taken seriously, the security of the entire environment is at risk. 

‍

The first version of the SSH protocol was created in the 1990s by the researcher Tatu Ylonen at the University of Helsinki. At the time, a Sniffing Attack on the university’s network was discovered, capable of intercepting and recording network traffic and revealing usernames and passwords to malicious actors.

‍

As a result, thousands of credentials were breached. The researcher started looking for ways to make networks more secure and developed the SSH protocol.

‍

Currently, SSH keys are used to log in from one system to another remotely. Also, the security provided by encryption makes it possible to perform functions such as: issuing remote commands and managing network infrastructure and other vital system components remotely. Therefore, this tool is essential nowadays, characterized by the trend of remote work.

‍

Before using SSH keys, it is necessary to install some software. While remote systems must necessarily have software called SSH daemon, the system used to issue commands and manage remote servers requires software known as an SSH client. This is the only way to create an appropriate communication channel using the SSH protocol.

‍

The function of SSH keys is to encrypt traffic between server and client. In practice, this means that if someone decides to spy on this traffic, they will not be able to decrypt the data properly. 

‍

This solution also protects against brute force attacks and attack vectors used to access remote machines. With public-key encryption, there is no need to send passwords over the network, which provides more security.

‍

Another advantage of SSH keys is the possibility of keeping a company in compliance with security regulations, but for this, it is necessary to generate, store, manage, and remove them following certain guidelines that guarantee the necessary protection.

‍

There are a massive amount of SSH keys that can be used at any time by an organization. Therefore, it is recommended to use software to manage them and reduce risks.

‍

SSH keys provide security and cost savings to cloud and other computer-dependent services if managed properly.

‍

This feature has a similar function to that of passwords, since they grant access, controlling who will access the system. To perform this management, it is necessary to adopt security policies, as it must be done with user accounts and passwords. 

‍

We also emphasize that the control of SSH keys provides continuous availability, confidentiality, and integrity to the systems, as long as public-key encryption is used. 

‍

These keys are categorized according to their function: user, host, and session keys.

‍

• User Keys

These are authorized and identity keys used to grant login access to users. Its authentication mechanism is known as public-key authentication. 

‍

These identity keys are used by SSH clients to allow users to authenticate when logging into SSH servers. 

‍

• Host Keys

This type of key is intended to authenticate computers, preventing man-in-the-middle attacks. This authentication is certificate-based and can be very useful for organizations.

‍

These authentication keys must secure all connections, and one of the characteristics of SSH is to remember the host’s key when connecting to it for the first time. 

‍

• Session Keys

Session keys have the function of encrypting most data on a connection. This key is negotiated during connection initialization. It is then used with a symmetric encryption algorithm and an authentication code algorithm that ensures data protection.

‍

SSH keys are generated in pairs that bring together a “public” and a “private” key. Complex algorithms are used in this process so that it’s unlikely to falsify or identify the private key, even if the public key is known. 

‍

Private keys must be kept secret and used only by an authorized user, while public keys can be shared with others. 

‍

To generate SSH keys, one needs to enter information such as passwords. Generally, short phrases are used to generate public and private keys.

‍

To initiate a connection over SSH, negotiation of the protocol, the encryption algorithms, and the session key is performed, in addition to authenticating the server with a host key and the user with a public key or password authentication. After that, information is exchanged, including graphics, files, and terminal data.

‍

Public key authentication guarantees more security than other authentication means like passwords. This type of authentication is widely used for human and machine-to-machine privileged access. 

‍

Improperly managed SSH keys can be used by malicious actors to invade infrastructure undetected. Compromising just one private key can result in hard-to-identify backdoor configurations and data breaches.

‍

Improperly managing SSH keys creates vulnerabilities classified in the NIST Interagency Report 7966 (NISTIR 7966) “Security of Interactive and Automated Access Management Using Secure Shell (SSH)”, prepared by Venafi‘s Paul Turner, along with other authors. 

‍

Deploying SSH can cause vulnerabilities that are leveraged to gain unauthorized access to servers. The same goes for leaked, stolen, derived, and non-terminated SSH user keys.

‍

Backdoors made with authorized user keys to circumvent privileged access can go unnoticed for a long time. In addition, it is possible to use identity keys for purposes other than the original ones.

‍

A major obstacle to the security of systems that use SSH keys is human error, which occurs because of the complexity of managing SSH and the lack of users’ knowledge. Extensive training is usually required.

‍

Some measures are recommended to strengthen the security of the SSH protocol, including recommendations from NIST IR 7966, aimed at auditors, companies, and government organizations. 

‍

Manually rotating SSH keys should not be an option, even in non-complex environments. This is because the practice does not help to identify the user who has the private key that corresponds to a public key.

‍

The ideal, as practiced by organizations that invest in cybersecurity, is to use a technology aimed at SSH key management or automated privileged password management (PPM) that allows one to create unique key pairs for the systems.

‍

That’s because automatic solutions simplify the generation and rotation of SSH keys. Thus, they eliminate their dispersion, providing productivity with security. 

‍

Best practices to ensure the security of SSH keys

‍

• Identify all SSH keys and place them under active management. This is the first step to eliminate SSH key scattering and assess the risks. This is the time to establish which users will have access to various keys and how they will be used.
• Link SSH keys to a single user and not to an account accessed by multiple people. In this way, one can have more assertive supervision and ensure access control. 
• Ensure that each user has access only to the systems they need to carry out their activities, taking into account the principle of least privilege (PoLP). This measure reduces the frequency of SSH key misuse.
• Implement SSH key rotation, requiring users to generate new keys regularly and not authorizing the use of the same passwords in more than one account. This helps protect the organization from attacks by criminals who take advantage of password reuse. But beware: If your organization has many SSH keys, this must be done from an automated solution.
• Do not use encrypted SSH keys: This type of credential can be embedded in code, creating dangerous backdoors for malware and cybercriminal intrusions. Embedded keys associated with simple passwords make them vulnerable to password guessing. For this reason, these keys must be eliminated. 
• All privileged sessions initiated with SSH key authentication or other forms of authentication must be logged and audited. Managing a privileged session can include capturing keystrokes and screens, which allows for live viewing and playback. In addition, real-time control of privileged sessions is recommended to reinforce cybersecurity.

‍

Secure communication through SSH keys relies on encryption. There are four categories of encryption, some of which provide the necessary security:

‍

• DSA: This is encryption considered insecure since it becomes vulnerable in the face of current computer technology. This type of encryption has not been used since Openssh 7. 
• ED25519: This is the most secure encryption option nowadays, as it has a very strong mathematical algorithm.
• ECDSA: The use of this encryption is advised against by the non-regulatory government agency of the US Government Technology Administration (NIST). This encryption is known to have a backdoor installed by the National Security Agency (NSA).
• RSA: This type of encryption is widely used, and its security depends on the number of bits in the key used. For today, 3072 or 4096-bit encryption would be the most suitable. SSH keys with encryption lower than 2048 are considered insecure.

‍

A survey by Venafi pointed out that most companies do not use the SSH protocol properly. Below is the data provided by this survey, in which more than 400 cybersecurity professionals were interviewed:

‍

• 61% of respondents stated that they do not limit the number of administrators who can manage SSH and do not even perform monitoring.
• Only 35% of these institutions prohibit users from configuring authorized keys, which makes systems vulnerable to intrusion.
• 90% of professionals surveyed said they do not have an accurate record of SSH keys, that is, it is impossible to identify if there is any untrusted or even violated key.
• It is recommended that keys be rotated periodically to prevent hackers from accessing them. However, only 23% of respondents said they follow this practice. The number of those who said they rotate occasionally or do not rotate at all corresponds to 40%.
• Port forwarding for SSH makes it possible for attackers to bypass firewalls and reach other parts of a target network, but 51% of information security professionals surveyed said they do nothing to prevent this from happening. 
• 54% of them revealed they do not limit the places where SSH can be used, which makes it possible for attackers to use compromised SSH keys remotely.
• 60% of organizations are not prepared to identify the introduction of new SSH keys into their networks.
• SSH keys never expire. As a result, 46% of companies have never rotated their keys.
• 76% do not have security systems that use SSH keys in the cloud.
• According to the Ponemon Institute, three out of four organizations are vulnerable to root-level attacks.
• Groups of sysadmins share SSH keys, so the lack of accountability by a single person can compromise the security of the entire protocol.
• Typically, servers are well protected, unlike workstations. However, the private key file stays on the workstations and can be breached.
• Major government agencies face security risks related to the actions of their employees, malicious actors, and existential viruses. The same is true for virtually all Fortune 500 organizations and most of the 10,000 companies with more than 10,000 employees that exist worldwide.
• In 2011 and 2012, the use of stolen credentials was the third most recurrent reason for attacks, and in 2013, it became the first vector.

‍

senhasegura offers functionality that makes it possible to securely control the cycle of SSH keys through storage, rotation, and access control to protect these keys. 

‍

Its benefits include blocking unauthorized access to privileged accounts through SSH keys, controlling and tracking their use, and managing trust relationships between keys and systems.

‍

In practice, the solution centralizes the management of SSH keys, automatically rotating their pairs according to your company’s security policies. Below, we summarize its main functions:

‍

• Linux servers scanning and identification of SSH keys
• Organization of relationship of connections between servers
• Reset of keys with manual publishing
• Publication of SSH keys
• SSH keymapping reports
• Reporting and access logs on the usage of these keys

‍

Would you like to watch a demonstration of this service and see the power of senhasegura firsthand? Click here.

‍

Conclusion

By reading this article, you acquired knowledge about SSH keys, as well as their history and their importance for cybersecurity. If our content has been useful to you, please share it with others who may also be interested in the subject.