Skip Links

SSH key mismanagement and how to solve it

By Tatu Ylönen, CEO and founder of SSH Communications Security, special to Network World
March 01, 2013 03:41 PM ET
Tatu Ylönen
Tatu Ylönen

Network World - In 1995, when I was a university student in Helsinki, I developed a security protocol to protect data-in-transit as it moved throughout our network. I named it the "secure shell," or SSH for short. Today, SSH is used by organizations of all types and sizes as a secure method to move data from machine to machine and provide remote administrator access. From the perspective of an attacker or malicious insider, SSH is an artery that carries vital organizational data.

[RELATED: Tatu Ylonen, father of SSH, says security is 'getting worse']

However, most organizations do not have control over how their SSH keys are created or managed, leaving them vulnerable to attack and at risk of costly fines for regulatory noncompliance. To remediate this issue, every organization should audit their SSH key management systems.

SSH: A Primer

SSH works by creating a cryptographic key pair - one for the server, and one for the user - and securing the data that passes between those two points. Unfortunately, most organizations have no process for managing, removing, and changing access-granting "keys" once they are created and deployed. As a result, thousands of keys are distributed at will throughout the network environment, typically without any way to find or remove them, creating untraceable access paths to sensitive data. Mismanagement of SSH keys, therefore, presents a significant security vulnerability.

The scope of the problem is as pervasive as it is shadowy. Our experience in working with major enterprises has shown that most organizations have on average eight to over 100 SSH keys configured granting access to each Unix/Linux server. Some keys even grant high-level administrative access.

"High-risk" insiders can use these poorly-managed SSH keys to create permanent backdoors to production servers, bypassing all normal privileged access management and session auditing systems. These insiders include anyone who has ever had access to a server, including former system administrators, consultants, and anyone with access to backups or decommissioned hardware.

This problem has flown under the radar because it is deeply technical and obscure, residing in the domain of system administrators. Each system administrator typically only sees a small corner of the IT environment, and therefore does not have a full picture. Administrators and their managers are often so busy that while they may recognize that there is a problem, they simply have not had time to analyze its scope, or its implications.

Unmanaged SSH Keys - An Attack Vector for Viruses

The chances of such a breach occurring are growing by the day. News reports on network breaches are commonplace as attacks become more widespread and sophisticated. Implementing SSH keys as an attack vector in a virus is quite easy, requiring only a few hundred lines of code. Once inside an organization, a virus can use improperly-managed SSH keys to spread from server to server.

In fact, the mesh of key-based access is so dense that it is highly likely that an attack can spread to nearly all servers in an organization, especially if the virus also utilizes other attack vectors to escalate privileges to "root" (high-level administrator) after penetrating a server. With so many keys, odds are the virus will infect nearly all servers in a manner of seconds to minutes, including disaster recovery and backup systems that are typically also managed using such keys.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News