Controlling access to your hosted Linux® servers via SSH key management for Google Compute Engine™ (GCE) is a critical part of ensuring that your Linux cloud infrastructure is secure. With more IT organizations shifting their data centers to the cloud, they have many options on which service to leverage. GCE is a popular choice – along with Amazon® Web Services (AWS) and Microsoft® Azure®. With these servers hosted in the cloud, it is extremely important to have a secure way of accessing them. This need for secure access leads the great majority of organizations to use SSH (Secure Shell) keys to control access to their cloud infrastructure.
SSH key access is generally viewed as being more secure than a username and password. That’s because a password is generally a combination of words and letters with the occasional symbol thrown in for good measure. They’re usually not longer than 10 or so characters. On the other hand, if a user were to use a 2048-bit RSA key, that key is a number roughly 617 decimal digits long, the equivalent of a 617-digit password. Brute force attacks? Good luck with a password of that length.
How Do You Generate an SSH Key?
First off, SSH keys come in pairs that users can generate themselves. It’s imperative for security that IT admins never generate an end user’s SSH keys. A private key is something that only the end user should have. Users can create SSH keys on Windows by using an SSH client called PuTTY. Mac® and Linux® users can actually generate their own SSH keys by using the terminal, no additional software required. When a key is generated, the program or terminal spits out both a public and private key. Users keep the private key to themselves on their system while distributing their public key to the servers that they need access to. It’s like a two-way password—the public key needs the private key in order to authenticate a user.
But, this system creates risk as well. When users are creating SSH keys themselves, there is often no oversight, so keys frequently fall out of use but are never properly disabled (i.e. removed from the target IT resource). In fact, according to SSH.com, one enterprise had 3 million SSH keys, with 90% no longer in use. Of these 90%, some still granted access to live production servers! Therefore, it’s important to have a methodology in place that can help to mitigate this kind of risk.
SSH Key Management
Now, imagine you need to manage access for even a modest number of users and servers. The combinations of access rights can become quite difficult for IT admins and DevOps engineers to manage. One user may have access to a particular system, while another does not, but they may both have access to a third system. Now, think about having more than just those two users, and the problem grows exponentially. In the same vein, it quickly becomes apparent that manual SSH key management isn’t going to work.
Thankfully, there is an easy method to manage and automate the distribution and removal of SSH keys and it comes by way of a cloud identity management platform. This platform also serves as the core identity provider for an organization. So, a person’s identity can include not only their username and password, but their SSH keys as well. End users simply upload their public SSH keys, which are then automatically distributed to the servers they need to access, whether that’s only a few or tens of thousands. So, IT admins and DevOps engineers don’t need to be in the middle of this process, but they still have full control with the ability to provision and deprovision access to individual Linux servers or groups of them.
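To make the two preceding points concrete, here is an added example (not JumpCloud's code, and not how its product is implemented) of the reconciliation step such a platform performs on each server: the server's authorized_keys file is compared against a snapshot of the identity directory (which users are entitled to this server, and which public keys each user has uploaded), entitled keys that are missing are added, and keys that belong to nobody entitled (the stale contractor key, a user who lost access to that server) are flagged for removal. The directory snapshot, server names and key blobs are all constructed sample data; the blobs are valid base64 but are not real keys.

```python
"""Reconcile a server's authorized_keys against a central identity directory.

Added example. DIRECTORY_KEYS, SERVER_ENTITLEMENTS and the sample file content
are constructed stand-ins for a directory-service snapshot, not real data.
"""
import base64
import hashlib
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys; used to tell where the
# optional leading option field ends.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass(frozen=True)
class KeyEntry:
    options: str    # e.g. from="10.0.0.0/8",no-pty ; empty if none
    key_type: str
    blob: str       # base64 public key material
    comment: str

    @property
    def key_id(self):
        # Two lines are the same key if type and blob match; options and
        # comment are local decoration and must not affect matching.
        return (self.key_type, self.blob)

    @property
    def fingerprint(self):
        # Same construction as OpenSSH's SHA256 fingerprint (unpadded base64).
        digest = hashlib.sha256(base64.b64decode(self.blob)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def render(self):
        return " ".join(p for p in (self.options, self.key_type, self.blob, self.comment) if p)


def _split_options(line):
    """Split off the leading option field, honouring double quotes, so that
    command="echo a, b" (commas and spaces inside) is one option field."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_line(line):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line
    else:
        options, rest = _split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    comment = fields[2] if len(fields) == 3 else ""
    return KeyEntry(options, fields[0], fields[1], comment)


def _fake_blob(label):
    # Constructed key blob: valid base64, but not real key material.
    return base64.b64encode(f"constructed-key-{label}".encode()).decode()


# Hypothetical directory snapshot: approved public keys per user, and the
# set of users entitled to log in to each server.
DIRECTORY_KEYS = {
    "alice": [f"ssh-ed25519 {_fake_blob('alice')} alice@laptop"],
    "bob": [f"ssh-ed25519 {_fake_blob('bob')} bob@workstation"],
}
SERVER_ENTITLEMENTS = {"gce-web-1": {"alice", "bob"}, "gce-db-1": {"alice"}}

# Constructed current state of one server's authorized_keys file: alice's key,
# bob's key with a locally added source restriction, and a stale key left
# behind by a contractor who is no longer in the directory at all.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by identity provider",
    f"ssh-ed25519 {_fake_blob('alice')} alice@laptop",
    f'from="10.0.0.0/8" ssh-ed25519 {_fake_blob("bob")} bob-old-laptop',
    f"ssh-ed25519 {_fake_blob('carol')} carol@contractor",
])


@dataclass
class Plan:
    server: str
    add: list       # (user, KeyEntry) pairs missing from the host
    remove: list    # KeyEntry present on the host but not entitled (stale)
    rendered: str   # the authorized_keys content that should replace the file


def reconcile(server, authorized_keys_text):
    desired = {}
    for user in sorted(SERVER_ENTITLEMENTS[server]):
        for raw in DIRECTORY_KEYS[user]:
            entry = parse_line(raw)
            desired[entry.key_id] = (user, entry)
    current = {}
    for raw in authorized_keys_text.splitlines():
        entry = parse_line(raw)
        if entry:
            current[entry.key_id] = entry
    add = [desired[k] for k in desired if k not in current]
    remove = [current[k] for k in current if k not in desired]
    # Entitled keys already on the host are kept as-is (their local options
    # survive); missing entitled keys are appended; everything else is dropped.
    kept = [current[k] for k in current if k in desired]
    rendered = "\n".join(e.render() for e in kept + [e for _, e in add]) + "\n"
    return Plan(server, add, remove, rendered)


if __name__ == "__main__":
    for host in SERVER_ENTITLEMENTS:
        plan = reconcile(host, SAMPLE_AUTHORIZED_KEYS)
        print(host, "add:", [u for u, _ in plan.add],
              "remove:", [e.fingerprint for e in plan.remove])
```

Run against the constructed file, gce-web-1 needs no additions and removes only the contractor's key, while gce-db-1 also removes bob's key because he is not entitled to that host. Keys are matched on type and blob rather than on the comment, so a renamed or option-decorated copy of an approved key is recognised instead of being duplicated, and the fingerprint gives a stable value to log when a removal is audited.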
A Cloud Platform for SSH Key Management
This platform is a cloud directory service called JumpCloud® Directory-as-a-Service®. It securely controls SSH key management for GCE servers and centralizes user identities so they can access their systems whether they’re Windows®, Mac®, or Linux®, legacy LDAP applications like MySQL™ and Jira®, RADIUS-protected network connections, web applications like G Suite™ and Salesforce®, and many others. Ultimately, it helps to Make Work Happen™. Feel free to drop us a line, or sign up today for a free account that will allow you to manage 10 users free, forever.