Going passwordless in Linux has never been a walk in the park. We’ve previously covered the history and evolution of SSH Authentication, why you should stop using SSH Keys, and how SSH certificates work, but figured it was due time to revisit the topic. Let’s dig in…
“Passwords are a problem” has been a catchphrase amongst the PKI community for years now. We here at Keytos proudly wear our “I HAVE #ZEROTRUST IN PASSWORDS” shirts to nearly every event we attend. With that in mind, it should come as no surprise that Devs have been looking to “go passwordless” for decades. What started as a well-intentioned venture, though, soon turned into an operational nightmare. Using SSH Keys to authenticate was simply not scalable and ultimately led to increased vulnerabilities. In this particular post, we’ll get you up to speed on the issue as it pertains to Linux, which we all know is a royal PITA.
Tatu Ylonen, the inventor of SSH, mentioned that in his experience he has seen between 50 and 200 keys per server, with 90% of them not being used. Talk about risky business, and I don’t mean the hit Tom Cruise movie.
Do you remember back in 2018 when Cisco got hacked? Here’s the TL;DR: They got hacked by an ex-employee using a key who then deleted a bunch of stuff, and it cost them millions of dollars to fix. Total crap-show. Pardon my French.
Also, remember when Facebook was kind enough to write a whitepaper, giving us a glimpse into their processes, outlining the overall issue, and demonstrating how larger organizations were beginning to solve the problem using certificates? Very nice of them, but not entirely practical for the everyday security professional.
Just like Facebook (…or Meta? Whatever. What’s up with all these rebrands??), we moved from Keys to Certs for a variety of reasons, starting with scalability. Things got bigger. Key management was too manual. Simply put, certificates do more than keys. They contain/capture metadata, can have expiration times, and work with a certificate authority, which exponentially reduces the risk of unauthorized access. Capisce? Keep reading for a little more detail.
Certificate authentication relies on a Certificate Authority (CA) to sign SSH keys. The server trusts any SSH key signed by a trusted CA, which simplifies the key management process. The CA key is added to a “trusted_ca_keys.pub” file on the server, and the sshd_config file is modified to recognize the trusted_ca_keys.pub file as the source of truth for SSH CAs. Engineers then request their own certificates from the CA, which signs them; each certificate carries specific properties such as the public key, key ID, valid principals, validity period, signature key, and signature.
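The flow described above, as an added example that is not part of the original post and is not EZSSH code: a throwaway CA signs a user key with OpenSSH's `ssh-keygen`, and the resulting certificate is then checked against the trusted CA file. The key ID, principals, one-hour validity, scratch file names and the `/etc/ssh` directory in the comment are constructed assumptions; only the `trusted_ca_keys.pub` file name comes from the text.

```bash
#!/usr/bin/env bash
# Added example: throwaway CA and user keys in a scratch directory.
# Nothing under /etc/ssh is touched. Names and values are constructed.
set -eu

issue_demo_cert() {
  # $1 = scratch dir, $2 = key ID, $3 = comma-separated principals, $4 = validity
  # CA key pair. In production the private half belongs in an HSM.
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$1/ca"
  # The engineer's key pair; only the public half goes to the CA.
  ssh-keygen -q -t ed25519 -N '' -C 'demo-user' -f "$1/id_ed25519"
  # The CA signs the public key and binds key ID, principals and validity to it.
  # Output lands next to the key as id_ed25519-cert.pub.
  ssh-keygen -q -s "$1/ca" -I "$2" -n "$3" -V "$4" "$1/id_ed25519.pub"
  # Server side: the one file every host needs. sshd_config then carries
  #   TrustedUserCAKeys /etc/ssh/trusted_ca_keys.pub   (directory is an assumption)
  cp "$1/ca.pub" "$1/trusted_ca_keys.pub"
}

cert_field() {
  # Print one single-line field ($2) from the certificate ($1), e.g. "Key ID".
  ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

cert_principals() {
  # Principals are listed one per line under the "Principals:" header.
  ssh-keygen -L -f "$1" |
    awk '/^ *Principals:/{p=1; next} /^ *Critical Options:/{p=0} p{print $1}'
}

signed_by_trusted_ca() {
  # $1 = certificate, $2 = trusted CA file. Succeeds only if the signing CA's
  # SHA256 fingerprint matches a key listed in that file.
  signer=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/{print $4}')
  [ -n "$signer" ] || return 1
  ssh-keygen -l -f "$2" | awk '{print $2}' | grep -qxF "$signer"
}

# Demo run: bash ssh_cert_demo.sh run
if [ "${1:-}" = run ]; then
  d=$(mktemp -d)
  issue_demo_cert "$d" 'alice@example.test' 'alice,deploy' '+1h'
  ssh-keygen -L -f "$d/id_ed25519-cert.pub"
  signed_by_trusted_ca "$d/id_ed25519-cert.pub" "$d/trusted_ca_keys.pub" && echo 'signer is trusted'
  rm -rf "$d"
fi
```

The `ssh-keygen -L` output is also a quick audit aid: it shows who a certificate was issued to, which principals it grants, and when it stops being valid.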
Only one key (the CA key) needs to be added to each server. Users’ SSH keys have an expiration date. The CA can provide Just Enough Access (JEA) to users. Easier to correlate each key with its owner. Reduced exposure to SSH key theft due to key mismanagement. Quicker user onboarding. Protect the CA keys with a Hardware Security Module (HSM), if possible.
Short answer: every single security engineer on planet Earth who is looking to secure their Linux environment. SSH Certificates offer a solution to these challenges and are a key component of passwordless authentication in Linux. They can be issued with an expiration date, and Linux endpoints support them natively. By adding an SSH Certificate Authority (CA) to the trusted CA file, all certificates issued by that CA that match the machine requirements will grant access, eliminating the need to add and remove each user to each endpoint. Centralized management reduces operational costs, improves risk management, and enhances security by minimizing the exposure to compromised keys or former employees’ keys.
If you want to use SSH certificates but don’t want the overhead of manually managing your SSH Certificate Authority, EZSSH is a solution built on SSH certificates and secure automation that enhances security, improves user experience, and requires no agent. It completely eliminates the operational challenges associated with old-school SSH keys and certificates by implementing automation. EZSSH manages ephemeral private keys for users and provides easy-to-consume audit logs.
In short, EZSSH enhances the foundations of SSH by utilizing centrally managed SSH certificates, automating SSH key management, and providing a secure, scalable, and user-friendly solution for going passwordless in Linux.