SSH key management is one of the most important tasks for IT admins and DevOps engineers alike. SSH keys, after all, are a pivotal facet of almost any virtual identity. The challenge for IT organizations is, though, how to manage SSH keys effectively. This blog post is a primer in SSH key management best practices.
What are SSH Keys?
We should probably step back and articulate briefly what SSH keys are. SSH keys are a computer generated pair of passcodes that enable user authentication to securely communicate on a network. The pair consists of a private key and a public key. When combined, the two keys uniquely confirm that they belong together and, by extension, authorize that the person or thing using the private key should be trusted. The thought process is that public keys can be disseminated across an IT infrastructure and then, using a private key, users or systems will connect to the resource to authenticate themselves. Without the private key, the public key is effectively useless.
The challenge facing IT admins quickly becomes how to manage the distribution of SSH keys. Since they are used for accessing resources or connecting machines, each key has a sensitive nature as to who can leverage it. Additionally, some keys are time-sensitive, meaning that after a period of time (days to years, depending on the SSH key) the key becomes obsolete, and also a potential source of compromise. The result is that public keys need to be automatically distributed and removed as needed. This can be painful when there are a large number of users and systems.
Three SSH Key Management Best Practices Tips
Due to the critical nature of SSH keys, proper SSH key management is imperative. The Ponemon Institute determined that 75% of 2000 companies surveyed were vulnerable to root level attacks due to poorly managed SSH keys. In a study of a certain Fortune 500 company, SSH.com found that the organization had a repository of over 3 million SSH key pairs that enabled access to live servers and production environments. Out of those 3 million plus, however, 90% of the key pairs were unused, with 10% of the 90 granting root level development access. Clearly, SSH key management is paramount to maintaining identity security on a corporate level.
Let’s explore several best practices for managing your SSH keys. We will specifically look at three areas of focus: creating SSH keys, key management policies (KMP), and managing SSH keys from the cloud.
1. Creating SSH Keys
When creating SSH keys, it is critical to develop a general process for key creation. By meting out steps for employees to follow every time they need an SSH key, IT admins can ensure that their SSH keys are properly managed from the get-go. Most fundamental to this process is determining if a public key already exists for authorizing a user on a certain channel or network.
If the SSH resource already exists, creating a new one will only further expand your SSH key database, creating more potential vectors for attackers. Additionally, by having individuals make their own keys via a preset standard, IT admins are spared the load of creating hundreds of keys for their users. Keys always need to be created on a system or through a system that is highly secure.
2. Key Management Policies (KMP)
While it is essential to ensure that keys are created properly to best manage them, having a backbone key management policy (KMP) is fundamental to SSH key management best practices. Generally, your KMP should include instructions regarding key generation, but we feel that the key creation process is important enough to warrant its own specific policies (see #1 above).
A KMP document should clearly lay out the responsibilities involved in managing SSH keys, as well as guidelines and standards about how each key should be governed. A decisive factor in a KMP is determining a process for SSH key end-of-life (EoL). Specifically, when an employee is offboarded, steps must be taken to decommission any private keys linked to that person’s identity. Also, if the user had any proprietary public keys, those must be deactivated as well. For more on KMPs, check out NIST’s guide on the matter.
3. Cloud-based SSH Key Management
Outsourcing SSH key management to a third-party cloud solution is a great way to keep SSH key management consistent. Of course, the private key will always be kept by the end user (or on their machine for system to system access), but the public keys can be easily distributed through a modern cloud identity and access management system. With cloud IAM, public keys are automatically distributed to the IT resources that a user has access to, and removed if their access is removed or the user departs the organization.
By leveraging cloud IAM for SSH key management, IT admins can achieve this level of control and automation. Ultimately, cloud IAM SSH key management enables IT admins to enforce their KMP guidelines without the heavy lifting of actually managing keys manually. This level of functionality is available through JumpCloud® Directory-as-a-Service®.
SSH Key Management with JumpCloud®
JumpCloud Directory-as-a-Service is a full cloud-based directory suite. By creating user identities that can be leveraged across all of an employee’s resources, JumpCloud Makes Work Happen™ with a True Single Sign-On™ experience for users and admins alike. In regards to SSH keys, engineers can securely manage SSH keys in the Directory-as-a-Service platform without IT’s help. Once generated, engineers will keep the private key securely on their system while they upload their public key to the JumpCloud user portal. Once the public key is added to the user portal, it’s automatically distributed across all of the infrastructure an engineer needs to authenticate to via SSH. Since SSH keys are tied to user identities, it becomes easy for IT admins to remotely deprovision SSH key access as necessary with the JumpCloud console.
To learn more about how managing SSH keys with JumpCloud is a best practice, check out our case study of Tamr, who uses JumpCloud to authenticate access to over 300 remote servers with SSH keys. You can also contact us with questions, or sign up for JumpCloud to see the product at work yourself. Signing up is completely free, and so are your first ten users to get you started.