Everything You Need to Know About SSH Keys
SSH keys are part of a protocol that guarantees the protection of IT systems during data transfer between servers and computers and are used by organizations that need to communicate with systems and manage them securely.
However, most companies manage their SSH keys improperly, which puts their security at risk. For this reason, we prepared this article, in which we cover the importance of the SSH protocol, its history, benefits, how it works, and much more. Read it until the end and understand better about this subject.
The use of SSH keys is an extremely important measure for organizations that need to communicate and manage systems securely. Nevertheless, for this procedure to really provide the necessary security, it is essential to adopt good practices.
We start our text by sharing two news stories about breached SSH credentials. The first case took place in 2019, but it was only identified in 2020, and it involves the website host company GoDaddy.
The domain registrar announced it had become the target of a breach that affected the SSH credentials of approximately 28,000 users at the time. A malicious actor would have bypassed its security systems and accessed SSH login data hosted on its servers.
There were no major issues, but its users have been notified about it. In addition, the company reset the usernames and passwords that were exposed and blocked the unauthorized party.
In 2021, GitHub received a warning from developer Axosoft about the vulnerability of a dependency on their git GUI client – GitKraken, which was generating weak keys. Therefore, it revoked all keys generated by vulnerable versions of the client used on GitHub.com.
Other possibly weak keys generated by other clients that could have used the same vulnerable dependency were also revoked. The company still needed to implement safeguards to prevent vulnerable versions of GitKraken from adding weak SSH keys created by older versions.
These two facts demonstrate that large organizations have managed the SSH protocol improperly, creating vulnerability for their systems.
Therefore, we prepared a special content, in which we show you everything you need to know about SSH keys. To facilitate your understanding, we divided our text into the following topics:
- SSH Protocol: What is It and Why is It Important?
- Learn About the History of SSH
- Learn About the Benefits of SSH Key Authentication
- What Are the SSH Key Types?
- Learn How an SSH Key is Generated
- How SSH Key Access Works
- How to Strengthen the Security of SSH Keys
- SSH Key Encryption Categories
- Data Related to the Security of SSH Keys
- Management of SSH Keys by senhasegura
Follow the whole content!
1. SSH Protocol: What is It and Why is It Important?
Currently used in servers and datacenter environments, SSH consists of a protocol that allows the transmission of data, enabling the encapsulation of applications.
With SSH keys, system administrators and application developers have interactive access to remote systems securely. It is a feature widely used in database updates, backups, automated systems management, and system health monitoring applications.
In practice, SSH keys play a very important role in the functioning of automated digital networks used in data centers and businesses in general.
This solution guarantees encrypted connections with other systems, platforms, and networks that can be distributed in different environments, remote or in the cloud.
SSH keys replace isolated security techniques that are useful for encrypting data transfers. However, this use needs to be properly protected, analyzed periodically, documented, and managed systematically. If this process is not taken seriously, the security of the entire environment is at risk.
2. Learn About the History of SSH
The first version of the SSH protocol was created in the 1990s by the researcher Tatu Ylonen at the University of Helsinki. At the time, a sniffing attack on the university’s network was discovered, capable of intercepting and recording network traffic and revealing usernames and their passwords to malicious actors.
As a result, thousands of credentials were breached. For this reason, the researcher started looking for ways to make networks more secure, developing the SSH protocol.
Currently, SSH keys are used to log in from one system to another remotely. Also, the security provided by encryption makes it possible to perform functions such as: issuing remote commands and managing network infrastructure and other vital system components remotely. Therefore, this tool is essential nowadays, characterized by the trend of remote work.
Before using SSH keys, it is necessary to install some software: while remote systems must necessarily have software called SSH daemon, the system used to issue commands and manage remote servers requires software known as an SSH client. This is the only way to create an appropriate communication channel using the SSH protocol.
3. Learn About the Benefits of SSH Key Authentication
SSH keys have the function of encrypting traffic between server and client. In practice, this means that if someone decides to spy on this traffic, they will not be able to decrypt the data properly.
This solution also provides protection against brute force attacks and attack vectors used to access remote machines. With public-key encryption, there is no need to send passwords over the network, which provides more security.
Another advantage of SSH keys is the possibility of keeping a company in compliance with security regulations, but for this, it is necessary to generate, store, manage, and remove them following certain guidelines that guarantee the necessary protection.
There is a massive amount of SSH keys that can be used at any time by an organization. Therefore, it is recommended to use software to manage them and reduce risks.
4. What Are the SSH Key Types?
SSH keys provide security and cost savings to cloud and other computer-dependent services if managed properly.
This feature has a similar function to that of passwords, since they grant access, controlling who will access the system. To perform this management, it is necessary to adopt security policies, as it must be done with user accounts and passwords.
We also emphasize it is the control of SSH keys that provides continuous availability, confidentiality, and integrity to the systems, as long as public-key encryption is used.
These keys are categorized according to their function as: user keys, host keys, and session keys. Check it out:
- User Keys
Here, we are talking about authorized and identity keys, used to grant login access to users. Its authentication mechanism is known as public-key authentication.
These identity keys are used by SSH clients to allow users to authenticate when logging into SSH servers.
- Host Keys
This type of key is intended to authenticate computers, preventing man-in-the-middle attacks. This authentication is certificate-based and can be very useful for organizations.
These authentication keys must secure all connections, and one of the characteristics of SSH is to remember the host’s key when connecting to it for the first time.
- Session Keys
Session keys have the function of encrypting most data on a connection. This key is negotiated during connection initialization. It is then used with symmetric encryption algorithm and an authentication code algorithm that ensure data protection.
5. Learn How an SSH Key is Generated
They are generated in pairs that bring together a “public” and a “private” SSH key. In this process, complex algorithms are used, so that it is unlikely to falsify or identify the private key, even if the public key is known.
Thus, one must keep the private key secret, being used only by an authorized user. Public keys can be shared with others.
To generate SSH keys, one needs to enter information such as passwords. Generally, short phrases are used to generate public and private keys.
Are you enjoying this post? Join our Newsletter!
Newsletter Blog EN
6. How SSH Key Access Works
To initiate a connection over SSH, negotiation of the protocol, the encryption algorithms, and the session key is performed, in addition to authenticating the server with a host key and the user with a public key or password authentication. After that, information is exchanged, including graphics, files, and terminal data.
Public key authentication guarantees more security than other authentication means, such as passwords. Additionally, this type of authentication is widely used for human and machine-to-machine privileged access.
Improperly managed SSH keys can be used by malicious actors to invade infrastructure undetected. Also, the compromise of just one private key can result in hard-to-identify backdoor configurations and data breaches.
Improperly managing SSH keys creates vulnerabilities already classified in the NIST Interagency Report 7966 (NISTIR 7966) “Security of Interactive and Automated Access Management Using Secure Shell (SSH)”, prepared by Venafi‘s Paul Turner, along with other authors.
Deploying SSH can cause vulnerabilities that are leveraged to gain unauthorized access to servers. The same goes for leaked, stolen, derived, and non-terminated SSH user keys.
Backdoors made with the keys of authorized users in order to circumvent privileged access can go unnoticed for a long time. In addition, it is possible to use identity keys for purposes other than the original ones.
A major obstacle to the security of systems that use SSH keys is human error, which occurs because of the complexity of managing SSH and the lack of users’ knowledge.
7. How to Strengthen the Security of SSH Keys
Some measures are recommended to strengthen the security of the SSH protocol, including recommendations from NIST IR 7966, aimed at auditors, companies, and government organizations.
Manually rotating SSH keys should not be an option, even in non-complex environments. This is because the practice does not help to identify the user who has the private key that corresponds to a public key.
The ideal, as practiced by organizations that invest in cybersecurity, is to use a technology aimed at SSH key management or automated privileged password management (PPM) that allows one to create unique key pairs for the systems.
That’s because automatic solutions simplify the generation and rotation of SSH keys. Thus, they eliminate their dispersion, providing productivity with security. To ensure the security of SSH keys, we recommend the following practices:
- All SSH keys must be identified and placed under active management: This is the first step to eliminate SSH key scattering and assess the risks. This is the time to establish which users will have access to various keys and how they will be used.
- It is essential to link SSH keys to a single user and not to an account accessed by multiple people. In this way, one can have more assertive supervision and ensure access control.
- It is also essential to take into account the principle of least privilege (PoLP), ensuring that each user has access only to the systems they need to carry out their activities. This measure reduces the frequency of SSH key misuse.
- Another important measure is the implementation of SSH key rotation, requiring users to generate new keys regularly and not authorizing the use of the same passwords in more than one account. This helps protect the organization from attacks by criminals who take advantage of password reuse. But beware: If your organization has many SSH keys, this must be done from an automated solution.
- Do not use encrypted SSH keys: This type of credential can be embedded in code, creating dangerous backdoors for malware and cybercriminal intrusions. Embedded keys associated with simple passwords make them vulnerable to password guessing. For this reason, these keys must be eliminated.
- To ensure cybersecurity, all privileged sessions initiated with SSH key authentication or other forms of authentication must be logged and audited. Managing a privileged session can include capturing keystrokes and screens, which allows for live viewing and playback. In addition, real-time control of privileged sessions is recommended to reinforce cybersecurity.
8. SSH Key Encryption Categories
Secure communication through SSH keys relies on encryption. There are four categories of encryption, but not all of them provide the necessary security. Below, we show more details about these options:
- DSA: This is encryption considered insecure, since it becomes vulnerable in the face of current computer technology. This type of encryption has not been used since Openssh 7.
- ED25519: This is the most secure encryption option nowadays, as it has a very strong mathematical algorithm.
- ECDSA: The use of this encryption is advised against by the non-regulatory government agency of the US Government Technology Administration (NIST). This encryption is known to have a backdoor installed by the National Security Agency (NSA).
- RSA: This type of encryption is widely used, and its security depends on the number of bits in the key used. For today, 3072 or 4096-bit encryption would be the most suitable. SSH keys with encryption lower than 2048 are considered insecure.
9. Data Related to the Security of SSH Keys
A survey by Venafi pointed out that most companies do not use the SSH protocol properly. Below is the data provided by this survey, in which more than 400 cybersecurity professionals were interviewed:
- 61% of respondents stated that they do not limit the number of administrators who can manage SSH and do not even perform monitoring.
- Only 35% of these institutions prohibit users from configuring authorized keys, which makes systems vulnerable to intrusion.
- 90% of professionals surveyed said they do not have an accurate record of SSH keys, that is, it is impossible to identify if there is any untrusted or even violated key.
- It is recommended that keys be rotated periodically to prevent hackers from accessing them. However, only 23% of respondents said they follow this practice. The number of those who said they rotate occasionally or do not rotate at all corresponds to 40%.
- Port forwarding for SSH makes it possible to allow attackers to bypass firewalls and reach other parts of a target network, but 51% of information security professionals surveyed said they do nothing to prevent this from happening.
- 54% of them revealed they do not limit the places where SSH can be used, which makes it possible for attackers to use compromised SSH keys remotely.
- 60% of organizations are not prepared to identify the introduction of new SSH keys into their networks.
- SSH keys never expire. As a result, 46% of companies have never rotated their keys.
- 76% do not have security systems that use SSH keys in the cloud.
- According to the Ponemon Institute, three out of four organizations are vulnerable to root-level attacks.
- Groups of sysadmins share SSH keys, so the lack of accountability by a single person can compromise the security of the entire protocol.
- Typically, servers are well protected, unlike workstations. However, the private key file stays on the workstations and can be breached.
- Apparently, major government agencies face security risks related to the actions of their employees, malicious actors, and existential viruses. The same is true for virtually all Fortune 500 organizations, and most of the 10,000 companies with more than 10,000 employees that exist worldwide.
- In 2011 and 2012, the use of stolen credentials was the third most recurrent reason for attacks, and in 2013, it became the first vector.
10. Management of SSH Keys by senhasegura
senhasegura offers functionality that makes it possible to securely control the cycle of SSH keys through storage, rotation, and access control to protect these keys.
Its benefits include blocking unauthorized access to privileged accounts through SSH keys, controlling and tracking their use, and managing trust relationships between keys and systems.
In practice, the solution centralizes the management of SSH keys, automatically rotating their pairs according to your company’s security policies. Below, we summarize its main functions:
- Linux servers scanning and identification of SSH keys;
- Organization of relationship of connections between servers;
- Reset of keys with manual publishing;
- Publication of SSH keys;
- SSH keymapping reports;
- Reporting and access logs on the usage of these keys.
Do you want to request a demonstration of this service and discover the advantages of being a senhasegura client? Click here.
By reading this article, you acquired knowledge about SSH keys, as well as learned more about their history, and understood their importance for cybersecurity. If our content has been useful to you, please share it with others who may also be interested in the subject.
ALSO READ IN SENHASEGURA’S BLOG