SSH Communications released a free tool to help assess SSH security risks in enterprise environments. How does the tool work, and what steps can enterprises take with the results to improve SSH security?
Ask the Expert
Application security and platform security expert Michael Cobb is ready to answer your questions. Submit them now via email! (All questions are anonymous)
The Secure Shell (SSH) cryptographic network protocol is typically used to secure data communications between two computers connecting over an insecure network, such as the Internet. Its use is ubiquitous in IT departments of all sizes for remote command-line login and execution, and for maintaining operating systems and applications. But, like any protocol that uses encryption keys, key management can be a real headache. The proliferation of keys over an extended period of time can adversely impact identity and access management controls, particularly those used in automated application-to-application processes.
Poorly managed deployments of SSH usually lack centralized creation, rotation and removal of keys, and expose organizations to data breaches and compliance failures due to a lack of accountability, transparency and control over who has access to which resources and when. Recently, SSH Communications Security Corp. -- the original developer of the SSH protocol -- surveyed some of its customers and found thousands of lost SSH keys, some providing root access to sensitive data.
To get this situation under control, administrators need a practical, non-intrusive means of determining the extent and seriousness of the problem within their IT infrastructure. Fortunately, SSH Communications Security released a free lightweight scanning and reporting tool that enables administrators and auditors to obtain actionable information on the state of compliance and SSH security.
SSH Risk Assessor (SRA) is designed to be simple to deploy. The tool works by running a script that looks for SSH keys and related users. It then builds a report detailing which keys lack passphrase protection, don't have command or host name restrictions, and/or contain various other vulnerabilities associated with poorly managed keys. Note that all scanned systems must have Perl 5.6 or later installed.
Mediating the problems found in the SSH Communications Security report will greatly reduce the chances of potential insider threats and other attack vectors, as well as satisfy relevant standards and compliance mandates such as the Sarbanes-Oxley Act, Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology and Federal Information Security Management Act.
Once rogue keys have been removed or secured, proper key management processes should be adopted to stop the problem from recurring. Administrators needing detailed advice on key management best practices should read the whitepaper released by SSH Communications Security titled, A Gaping Hole in Your Identity and Access Management Strategy: Secure Shell Access Controls. It covers SSH key management and access control risks, and describes proper mitigation strategies for both.
This was first published in January 2014