
How to Create an SSH Certificate Authority in Azure

How to Create an SSH Certificate Authority in Azure for Entra ID
05 Apr 2024

In a world where 96% of servers run on Linux, SSH stands as the universal access point to these digital assets, many of which house an organization’s most critical data. Despite its ubiquity and importance, the security of SSH has been largely overlooked, with many organizations relying on outdated practices established two decades ago. This oversight has not gone unnoticed by malicious actors. The digital landscape is rife with examples of the catastrophic impact that SSH vulnerabilities can have, from the infamous LinkedIn hack that cascaded into multiple company breaches, to the T-Mobile data breach last year, which led to staggering losses exceeding $350 million in restoration efforts. These incidents serve as stark reminders of the vulnerabilities inherent in traditional SSH key management.

The traditional approach to SSH key management—with its manual processes, lack of lifecycle management, and inadequate tracking—introduces significant risks. Keys can be easily misplaced, stolen, or exploited, granting unauthorized access to critical systems. These weaknesses only amplify as organizations grow, underscoring an urgent need for a more secure and scalable solution. Luckily, you’ve navigated your way here! In this post, we’re going to briefly talk about the new way of managing SSH through SSH certificates, explore how you can easily get started by creating your first SSH CA, and then take a look at how EZSSH makes it easier. Let’s dive in…

How to Create an SSH CA

First things first: begin by selecting the machine that will serve as your Certificate Authority (CA). It is advisable to dedicate a machine solely to the role of CA, as this practice enhances the protection of your signing keys. Additionally, for an added layer of security, we recommend safeguarding your CA keys with a Hardware Security Module (HSM), if feasible. This approach not only reinforces the security of your CA, but also ensures the integrity and confidentiality of your signing keys.


Once you have your machine set up, create your CA key:


    ssh-keygen -f ca

Enter a strong passphrase to protect your private key. This creates two files: “ca” (the private key) and “ca.pub” (the public key). DO NOT share the “ca” file with anyone; it holds the private key used to sign your certificates. Copy ca.pub to all your servers; EZSSH saves it on the servers in a file called “/etc/ssh/trusted_ca_keys.pub”. Then run the following line (as root, since sshd_config is root-owned) on each server you are setting up to accept certificates from this CA:


    echo "TrustedUserCAKeys /etc/ssh/trusted_ca_keys.pub" >> /etc/ssh/sshd_config

This allows any SSH certificate signed by this CA to authenticate to this server, provided the certificate is within its validity period and lists the login user among its principals. Run the following command to restart the SSH service on the server.


    service ssh restart

Now your server is ready to accept SSH certificates.
Next, a user creates an SSH key using:


    ssh-keygen 

This creates the files id_rsa and id_rsa.pub in your .ssh folder (newer OpenSSH releases default to Ed25519 keys, in which case the files are id_ed25519 and id_ed25519.pub; substitute those names below). NEVER SHARE your “id_rsa” file with anyone; it contains your private key.
Copy “id_rsa.pub” to the CA. On the CA, run the following:


    ssh-keygen -s ca -I YOURNAME -n root -V +1d -z YOURSERIALNUMBER id_rsa.pub

This creates a certificate, id_rsa-cert.pub, signed by your CA. The certificate will have your name as the “Key ID”, root as its only valid principal, YOURSERIALNUMBER as its serial, and it will be valid for 1 day from the moment it is signed.


Copy id_rsa-cert.pub into the user’s .ssh folder, next to id_rsa and id_rsa.pub, so the ssh client picks it up automatically. Now that you have a certificate, you can authenticate to your endpoint by running


    ssh root@YOURENDPOINT
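Before trusting a certificate, it is worth checking what it actually grants. As an added example (not code from the original post or from EZSSH), the following Python decoder reads a *-cert.pub line in the OpenSSH certificate wire format and extracts the serial, key ID, principals and validity window that the signing command above sets; the build_sample_cert helper and its dummy nonce, key and signature bytes are constructed purely to exercise the parser, and sshd would reject such a certificate.

```python
import base64
import struct
import time

# Public-key "string" fields between the nonce and the serial, per cert type
# (OpenSSH PROTOCOL.certkeys): Ed25519 carries pk; RSA carries e and n.
PUBKEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1,
                 "ssh-rsa-cert-v01@openssh.com": 2}

def _s(b):  # pack bytes as an SSH "string" (uint32 big-endian length + data)
    return struct.pack(">I", len(b)) + b

def _take(buf, pos):  # read one SSH "string"; returns (data, next position)
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_cert(line):
    """Decode one *-cert.pub line into the fields an auditor checks (signature NOT verified)."""
    cert_type, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    t, pos = _take(buf, 0)
    if t.decode() != cert_type or cert_type not in PUBKEY_FIELDS:
        raise ValueError("unsupported certificate type: " + cert_type)
    for _ in range(1 + PUBKEY_FIELDS[cert_type]):  # skip nonce + public key
        _skipped, pos = _take(buf, pos)
    serial, ctype = struct.unpack(">QI", buf[pos:pos + 12])
    key_id, pos = _take(buf, pos + 12)
    plist, pos = _take(buf, pos)
    valid_after, valid_before = struct.unpack(">QQ", buf[pos:pos + 16])
    principals, p = [], 0
    while p < len(plist):  # principals are packed as consecutive strings
        name, p = _take(plist, p)
        principals.append(name.decode())
    return {"serial": serial, "type": "user" if ctype == 1 else "host",
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def is_valid_at(cert, when=None):  # when = epoch seconds; default is now
    when = time.time() if when is None else when
    return cert["valid_after"] <= when < cert["valid_before"]

def build_sample_cert(key_id, principals, valid_after, valid_before, serial=1):
    """CONSTRUCTED test input: Ed25519 user cert with dummy nonce/key/signature bytes."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32)
            + _s(b"\x11" * 32) + struct.pack(">QI", serial, 1)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")           # critical options, extensions, reserved
            + _s(b"\x22" * 51) + _s(b"\x33" * 83))  # CA public key, signature (dummy)
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

On a real certificate, `ssh-keygen -L -f id_rsa-cert.pub` prints the same fields and is the authoritative check; this decoder is useful when you want to audit many certificates programmatically.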



Setting Up an SSH CA with EZSSH by Keytos

While we were able to create an SSH CA in the previous section, it’s important to note that this process can be quite complex and time-consuming. This is where EZSSH by Keytos comes in. EZSSH is a powerful tool that simplifies the process of setting up an SSH CA, making it easier and more efficient. With EZSSH, you can easily create an SSH CA in just a few simple steps, without the need for any technical expertise.

EZSSH abstracts the creation of an SSH CA by calling them “Access Policies”. Each access policy is a CA that can sign SSH certificates. You can create as many Access Policies as you need, and each one can have different settings. For example, you can create an Access Policy for your developers that requires approval and issues certificates valid for 1 day, and another one for your admins that is auto-approved. While getting a certificate each time you need to access a server might seem like a hassle, EZSSH makes it easy by automating the process.

How to Create an SSH CA with EZSSH

How to SSH into a Server with EZSSH

Wrapping this up, diving into zero-trust SSH and SSH key rotation might seem like a huge deal, especially with all the techy stuff you need to know. But hey, that’s where EZSSH by Keytos comes into play, making things a whole lot easier. It’s like having a buddy who knows all the ins and outs, helping you secure your systems without the headache. Plus, you’ll be ticking off all those compliance checkboxes like PCI DSS without breaking a sweat.

If you’re feeling a bit overwhelmed, no worries! We’ve got loads of resources to help you out. Our zero trust SSH documentation is packed with easy-to-follow guides, and our YouTube channel is full of helpful videos to get you up to speed. If you’d like to schedule some time to chat with one of our SSH Experts, we invite you to do so at your convenience using this link! We’re always happy to chat! It’s all about making security simple and accessible, so you can focus on what you do best. So, why not give our tools a try and see how easy securing your SSH can be? Trust us, it’s worth checking out!
