SSH inventor Tatu Ylönen

Organizations must carefully manage their SSH keys; otherwise, they'll pose a security risk. That warning comes from the National Institute of Standards and Technology, which has published a draft of new guidelines for the cryptographic network protocol known as secure shell, or SSH, which is widely used to create a secure channel for linking two systems over an otherwise insecure network.

The draft NIST interim report 7966, "Security of Automated Access Management Using Secure Shell," is open for public comment until Sept. 26, after which it will be finalized based on feedback received. The report outlines the primary risks associated with managing SSH user keys and offers 118 techniques for mitigating those risks, in part, by actively managing SSH access tokens.

"Management of automated access requires proper provisioning, termination, and monitoring processes, just as interactive access by normal users does," the NIST report says. "However, the security of SSH-based automated access has been largely ignored to date."

But businesses ignore SSH tokens at their own peril. "What a lot of organizations are doing basically is issuing credentials and just completely ignoring them - for years and years those credentials are in use and they're never audited, they're never reviewed, the keys are not rotated - all those practices that we follow for passwords aren't being put in place for SSH," Karen Scarfone, head of Scarfone Cybersecurity and a co-author of the NIST report, tells Information Security Media Group.

What SSH Secures

That's in spite of SSH credentials being used to secure numerous types of services, ranging from file transfers and patch management to disaster recovery and database management. Furthermore, SSH keys often provide privileged-level access to those business-critical systems.

"Secure shell provides the mechanism for system-to-system authentication and encrypts the inter-system communications," says Jonathan Lewis, director of product marketing for Helsinki, Finland-based security vendor SSH Communications Security, in a blog post. "These inter-system connections are often highly privileged - one system gains access to a privileged account on another system. For example, a patch management application may get access to root accounts or a database application access to the Oracle account."

Regulatory Requirements

This isn't the first time NIST has detailed SSH security risks and related compliance requirements. "The report highlights how FISMA and NIST Special Publication 800-53 - mandatory minimum controls for federal agencies - already mandate proper management and control of SSH keys and their provisioning," SSH inventor Tatu Ylönen, who's CEO of SSH Communications Security, tells Information Security Media Group. "As a result, proper secure shell key management is absolutely essential to ensuring compliance with FISMA, SOX, PCI and other industry standards."

Such key management requires out-of-band practices - keeping key management systems separate from systems accessed using SSH keys - as well as tracking who's using which keys, for what purpose, and for how long. "Knowing who within the organization can access what data, and properly terminating access, requires taking secure shell key-based access into account, as the keys can be copied and may remain as backdoors even after a person has left," says Ylönen, who also co-authored the new NIST report.

Missing Steps

But many enterprises are still failing to correctly manage secure shell credentials, says report co-author Scarfone. "A lot of organizations simply aren't aware of good practices for SSH management, so they make a lot of mistakes - they deploy SSH without properly securing it in the first place, and then they don't do any maintenance."