SSH has been the standard method for gaining access to and managing Linux systems for the better part of the last 30 years. Yes, SSH makes it simple to manage machines via an interactive command line; however, any developer will attest that identity management in SSH is a royal pain.
A core component of identity lifecycle management is a strong and effective onboarding and offboarding process. Traditional SSH onboarding is built around SSH keys: you have to go to every endpoint and add the user's public key to its authorized_keys file. Why is that a problem? It works for a small footprint of 1-5 endpoints, but in practice the process rarely follows the best practices, which are that (a) it is done by a central security team, (b) that team keeps an inventory of who owns each key, and (c) that team audits every key regularly to confirm it is still needed. In reality these practices are followed very rarely, and when they are followed, the costs never stop piling up. The truth of the matter is that even if you follow them to a "T", you cannot avoid operational breakdowns (death, taxes, and operational breakdowns, am I right?).
By the way, did you know that a key that is no longer used but never deleted is low-hanging fruit for attackers? Tatu Ylonen, the inventor of SSH, has said that he has seen between 50 and 200 keys per server, with a whopping 90% of them unused. Every one of those keys is an opportunity for a bad actor to find it and use it to gain access to endpoints, much like what happened to Cisco in 2018.
The long and the short of it? SSH keys present a plethora of problems, and the majority of engineers have not received proper security training on the best practices. How can your organization circumvent the problems of SSH keys? SSH certificates.
The best way to avoid the pitfalls of SSH keys is to switch to SSH certificates. SSH certificates can be issued with an expiration date, and Linux endpoints support them out of the box. From an operational perspective, all you have to do is add the certificate authority's public key to the endpoint's trusted CA file. After that, any certificate issued by that CA whose principals match the account you are logging into grants you access to that machine, which eliminates the need to add and remove every single user on every single endpoint.
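The workflow described above, as an added example that is not code from the original post or from any product it describes. It uses OpenSSH's own `ssh-keygen` to create a user CA, sign a user's key into a short-lived certificate with explicit principals, and render the single `TrustedUserCAKeys` line an endpoint needs in `sshd_config` in place of per-user authorized_keys entries. The user names, principals, key identity `alice@example.com`, and working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: SSH user certificates with OpenSSH ssh-keygen.
# Everything is written under $WORK (a temp directory); nothing touches /etc.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the user CA key. In a real deployment the private half stays on
#    the central signing service; only user_ca.pub is copied to endpoints.
make_user_ca() {
    [ -f "$WORK/user_ca" ] || \
        ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/user_ca"
    echo "$WORK/user_ca.pub"
}

# 2. Issue a certificate for a user's key.
#    -I  key identity: logged by sshd on every login, so it is the audit trail
#    -n  principals: the account names this certificate may log in as
#    -V  validity window: the certificate stops working on its own when it
#        expires, so there is nothing to clean up during offboarding
issue_user_cert() {
    user="$1"; principals="$2"; validity="$3"
    [ -f "$WORK/$user" ] || \
        ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user"
    ssh-keygen -q -s "$WORK/user_ca" -I "$user@example.com" \
        -n "$principals" -V "$validity" "$WORK/$user.pub"
    echo "$WORK/$user-cert.pub"
}

# 3. The only per-endpoint change: one sshd_config directive pointing at the
#    CA public key (copied to e.g. /etc/ssh/user_ca.pub on the endpoint).
render_sshd_trust() {
    printf 'TrustedUserCAKeys %s\n' "$1"
}

# Helper: principals embedded in a certificate, one per line (from ssh-keygen -L).
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { flag = 1; next }
        /Critical Options:/ { flag = 0 }
        flag                { gsub(/^[ \t]+/, ""); print }'
}

# Helper: the key identity string embedded in a certificate.
cert_key_id() {
    ssh-keygen -L -f "$1" | awk -F'"' '/Key ID:/ { print $2 }'
}

# Demo: issue an 8-hour certificate for "alice" (with 5 minutes of clock skew
# allowed) that may log in as either the alice or the deploy account.
if command -v ssh-keygen >/dev/null 2>&1; then
    ca_pub=$(make_user_ca)
    cert=$(issue_user_cert alice "alice,deploy" "-5m:+8h")
    echo "sshd_config line to add on every endpoint:"
    render_sshd_trust "$ca_pub"
    echo "issued certificate:"
    ssh-keygen -L -f "$cert"
fi
```

On the endpoint, sshd matches the account name against the certificate's principals and rejects the certificate outside its validity window, so revocation for a departed user is normally just letting the certificate expire; for a compromised CA or key, `RevokedKeys` in `sshd_config` covers the gap until expiry.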
EZSSH, our zero-trust endpoint SSH management solution, was built on SSH certificates. The core principles of EZSSH are no agent required, enhanced security levels, and improved user experience. To learn more about how EZSSH can help your organization, schedule a FREE consultation with one of our experts today!