SSH Key Rotation Best Practices

Sure, SSH keys are better than passwords, but they come with their own set of risks. At the core of these risks is that accumulating multiple keys over time is common and can easily lead to loss, theft or misuse. Managing SSH keys is a hassle, and mishandling or exposing them can result in compromised security, as demonstrated by the case of Github's SSH private key exposure in a public repository just last year.

‍

Even when they are properly set up, documented and managed, SSH keys are not inherently harmless. Consider SSH keys used to access or debug remote test environments. These are often targeted for cryptojacking and proxyjacking, with swarms of dedicated bad actors actively seeking to exploit vulnerabilities. 

‍

So, what can companies do to protect SSH targets? Let's dive in.

‍

Adopt SSH key rotation best practices

‍

Any company using SSH keys should consider the following best practices for managing them.

‍

1. Rotate keys: Companies should establish a regular schedule for rotating SSH keys to limit the exposure time if a key is compromised. This can be done on a quarterly or yearly basis, depending on the organization's security requirements.
2. Grant unique keys for each user: Each user should have a unique SSH key. Sharing or reusing keys increases the risk of unauthorized access if one key is compromised.
3. Use strong key lengths and algorithms: Generate SSH keys with strong cryptographic algorithms, such as RSA with a  key length of at least 2048 bits, ECDSA with key lengths of 384 or 512 bit keys, or Ed25519. Avoid using short keys or weaker encryption algorithms like DSA.
4. Properly store and protect keys: Store private keys securely in an encrypted format and restrict access to authorized personnel only. Implement measures such as access controls, strong passwords and two-factor authentication to protect SSH key repositories.
5. Audit and monitor key usage: Perform regular audits to identify unused or outdated SSH keys. Monitor key usage and access logs to detect any suspicious activity or unauthorized access attempts.
6. Quickly revoke keys: When an employee leaves the company or no longer requires access, promptly revoke their SSH key permissions and remove their corresponding public key from authorized key lists.
7. Update and patch software: Keep SSH software up to date with the latest security patches and updates. Regularly update the sshd configuration and ensure that only secure ciphers, MACs and key exchange algorithms are allowed and that they are patched against SSH vulnerabilities like the Terrapin attack.

‍

The above best practices are the bare minimum companies should do to safeguard targets that are accessed with SSH keys. For more robust protection (with less manual effort), companies can adopt a managed service or use an open source solution to improve SSH security.

‍

Protect SSH keys and targets with a managed service

‍

BastionZero’s managed service provides zero trust access to any infrastructure target — including SSH — without manual key management. Unlike other SSH key management platforms, BastionZero’s core protocol only grants users access to a target if they get cleared by two authorities: BastionZero and an SSO or identity provider. Even if one of the two is breached, fraudulent users can’t gain access. 

‍

BastionZero runs side-by-side with a company’s existing SSH system and assumes responsibility of SSH key management. Setup is straightforward, including auto-integration with most SSO providers and auto-discovery of existing SSH targets in any data center or cloud. Administrators simply deploy the BastionZero agent, install the Desktop App or Command Line Interface (ZLI) and create an access policy to control user permissions. Administrators can track activity by username, grant and revoke keys at any time and provide just-in-time access to targets. 

‍

From the users’ perspective, not much changes. While they will need to install the ZLI or the BastionZero Desktop App, they can otherwise use SSH keys the same way they always have. Behind the scenes, BastionZero’s access policy enables precise control over what targets each user can access — even if there are thousands — eliminating the risk of unauthorized lateral movement.

‍

Check out the docs to learn more.

‍

Use open source to SSH without SSH keys

‍

For companies who are looking for a simple — and free — solution for secure SSH access, BastionZero, Docker and The Linux Foundation created an open source project called OpenPubkey. The project’s first use case, OpenPubkey SSH, is a community tool that lets users log in with their Google SSO and connect to an SSH server on their network after a quick, one-time setup — all without SSH keys.

‍

It does this by binding OpenID Connect (OIDC) identities to public keys. OPK SSH builds on top of OpenPubkey's functionality by packaging the bound OIDC identity and public key (called a PK Token) into an SSH certificate. This frees users from the headache of setting up SSH access to hosts, VMs and containers that require distributing SSH keys, remembering to revoke and rotate them, or worrying that credentials may inadvertently be exposed or lost.

‍

Check out the docs to learn more.

‍

Protect SSH targets

‍

Whether companies manage their own SSH keys, use a managed service or ditch keys altogether, they should be mindful of protecting SSH targets. This is critical for protecting sensitive information, preventing unauthorized access and activity, complying with regulations and maintaining the availability and integrity of systems and services.

‍

For more SSH best practices, check out this blog.