Abstract

This document presents current recommended practice for managing SSH user keys for automated access. It provides guidelines for discovering, remediating, and continuously managing SSH user keys and other authentication credentials. Various threats from poorly managed SSH keys are identified, including virus spread, unaudited backdoors, illegitimate access using leaked keys, lack of proper termination of access, use of legitimate access for unintended purposes, and accidental human errors. Hundreds of thousands, even over a million SSH keys authorizing access have been found from the IT environments of many large organizations. This is many times more than they have interactive users. These access-granting credentials have largely been ignored in identity and access management, and present a real risk to information security. A process is presented for discovering who has access to what, bringing an existing IT environment under control with respect to automated access and SSH keys. The process includes moving authorized keys to protected locations, removing unused keys, associating authorized keys with a business process or application and removing keys for which no valid purpose can be found, rotating existing keys, restricting what can be done with each authorized key, and establishing an approval process for new authorized keys. A process is also presented for continuous monitoring and controlled authorized key setup. Finally, recommendations are made for security policy makers for ensuring that automated access and SSH keys are properly addressed in an organization's security policy. Specific requirements are presented that address the security issues while keeping costs reasonable. Guidance is also provided on how to reduce operational cost while addressing the threats and how to use tools to automate the management process.

Authors

Tatu Ylonen (ylo@ssh.com)

Greg Kent (gkent@secureit.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)