Self-Service SSH Key Management

Written by Rajat Bhargava on January 11, 2016


SSH, the protocol and command-line tooling used to securely access remote UNIX-like systems, and the keys associated with it are a critical part of an organization's infrastructure. The trouble, however, is the overhead required to manage SSH keys. Typically, IT admins sit in the middle of key creation, distribution, and rotation, and those are tasks IT admins don't want to be in the middle of, because handling user key material is itself a security risk. That's why self-service SSH key management is an important feature to look for when choosing your identity management platform.

Microsoft® and Google® fall short in managing SSH keys

Legacy directory services, such as Microsoft® Active Directory® and OpenLDAP™, aren’t great at managing SSH keys, nor do they provide the ability for self-service management. Cloud-based directories like Google® Apps Directory also fall short. Google Apps Directory focuses more on user credentials needed for Google services and other web applications, not remote systems. There are, however, some Identity-as-a-Service (IDaaS) platforms that will solve the SSH key management problem for you.

Identity-as-a-Service enables self-service SSH key management

Directory-as-a-Service® is an IDaaS platform that enables self-service SSH key management. Directory-as-a-Service is a cloud-based directory service that securely connects users to the systems, applications, and networks that your users need to access. The advantage of DaaS over legacy directory services like Microsoft AD and OpenLDAP is that the DaaS user management platform is not wedded to one set of devices or protocols. Directory-as-a-Service works with Windows®, Mac®, and Linux® systems. DaaS also works with on-premises LDAP-based applications and cloud-based SAML applications. Additionally, it works well with WiFi networks that leverage RADIUS. In short, DaaS is a cross-platform, multi-protocol solution that, you guessed it, also works well with SSH keys.

IDaaS follows best practices for secure SSH key management

What's more, JumpCloud® Directory-as-a-Service follows best practices for secure SSH key management. First, SSH keys are never created inside the cloud-based directory service platform. Rather, the key pair is generated on the user's own device, which is presumed to be secure. The private SSH key then stays in the user's possession and is used to authenticate to systems that accept SSH keys. For example, an SSH key can be used to access Linux Infrastructure-as-a-Service systems located at Amazon Web Services® or Google Compute Engine™, among others. The trouble arises when placing the public SSH keys on each of those Linux systems, because that step alone can be a huge hassle for IT admins.

JumpCloud makes SSH key management easy for IT

In an elegant and scalable manner, Directory-as-a-Service makes the management of keys easy for IT. IT admins simply grant the user access to the device, and the Identity-as-a-Service platform places the user's public keys on those systems. Public keys are uploaded to the platform and managed by the end user, rather than by the IT admin. As a result, the keys are automatically disseminated across the infrastructure. As keys are rotated or updated, the new keys are placed on all of the applicable systems. This saves IT admins and users tremendous time, and it dramatically increases security.
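The two mechanics described above (keys generated on the user's device with only the public half uploaded, and per-host authorized_keys derived from directory grants so a rotation lands everywhere at once) are illustrated here as an added example; this is not JumpCloud's code, and the directory layout, function names and sample keys are assumptions.

```python
"""Reconcile per-user authorized_keys content from a directory of public keys.

Model (assumed, not JumpCloud's implementation): the directory stores only
public keys that users upload themselves, plus host-to-user grants; an agent on
each host rebuilds each user's authorized_keys from that view on every sync.
"""
import re

# One OpenSSH public key line: key type, base64 blob, optional comment.
PUBKEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/]+=* ?.*$"
)


def is_public_key(line: str) -> bool:
    """Accept only a well-formed public key line; never private key material."""
    if "PRIVATE KEY" in line:
        return False
    return bool(PUBKEY_RE.match(line.strip()))


def render_authorized_keys(user: str, directory: dict, host: str) -> list[str]:
    """Lines the host agent writes for `user`; empty list means no access."""
    if user not in directory["grants"].get(host, set()):
        return []
    return [k for k in directory["keys"].get(user, []) if is_public_key(k)]


def rotate_key(directory: dict, user: str, old_key: str, new_key: str) -> None:
    """Self-service rotation: the user replaces their own public key in the
    directory; every granted host picks up the change on its next sync."""
    if not is_public_key(new_key):
        raise ValueError("only public keys may be uploaded")
    directory["keys"][user] = [
        new_key if k == old_key else k for k in directory["keys"][user]
    ]


# Constructed sample directory state (fake, truncated key blobs).
DIRECTORY = {
    "keys": {"alice": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0 alice@laptop"]},
    "grants": {"web-01": {"alice"}, "db-01": {"alice"}, "build-01": set()},
}

if __name__ == "__main__":
    for host in DIRECTORY["grants"]:
        print(host, render_authorized_keys("alice", DIRECTORY, host))
```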

To learn more about how Directory-as-a-Service helps organizations with self-service SSH key management, drop us a note. We’d be happy to walk you through the benefits of our identity management platform. Or try DaaS yourself. Your first 10 users are free forever.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
