As IT security professionals, we know that sharing keys is “not good” for security. From the increased attack surface area, to the lost accountability and auditability, to even the potential penalties for exposing customer data, IT professionals around the world are looking for how to stop SSH Key sharing. While setting up a policy and best practices is a great first step, it is not enough to stop overworked engineers from sharing their SSH key with their fellow engineers. In this article we will guide you through how you can go from zero to hero and improve your Linux security without making any enemies along the way.
While setting up a policy (that, let’s be honest, most people don’t read) will not do much to change user behavior, it will give you a set of principles that users can fall back on and will give your team a north star of where the overall organizational security must go to.
If we’re being truthfiul, SSH was not designed for the scale on which organizations are running nowadays. Don’t just take our word for it. Facebook wrote about how they scale SSH using SSH certificates. This means that you will have to use a tool to manage your SSH access. In here you have multiple options from manually managing your SSH keys using something like puppet or chef, creating your own SSH certificate solution just like Facebook, Uber and Netflix did, or you can use a ssh access management tool that enables SSO with Entra ID to SSH. One of the main things that our CEO says is, “The SSH Access tool not only has to be secure, it has to be easy to use, because if it is easier to just add a rouge SSH Key, that is what the users will do” For this reason we have created EZSSH to be exceptionally easy to configure, and even easier to use, making authentication seamless for the user.
If you take a look at our documentation, you will find step by step guides to do anything with our tools, the reason for this is we have found if you feed your users easy to follow instructions to do the security protocols, they will follow that rather than googling another way to do it. While this will be a bit more work (and it can get tedious to type a bunch of stuff, trust me) on your team when starting, it will pay off with dividends once you see users adopting your secure recommendations faster than ever before.
Basically, if you want users to stop sharing SSH Keys you must give them an easier way to access SSH endpoints, we recommend leveraging your existing identity, setting up a policy with best practices, and setting up easy to follow guides for them to follow your advice instead of some random medium post online. If you still have questions talk to our engineering team and learn about how you can leverage identity best practices to protect your organization.
