SSH 1.x inventor, Tatu Ylonen has been updating the secure shell standard for automated key management. An IETF draft document, “Managing SSH Keys for Automated Access – Current Recommended Practice” is already up for public review. The draft has been co-authored by Murugiah Souppaya from NIST and Greg Kent from SecureIT and will be available until October.
The design for the SSH-3 standard will be compatible with previous versions of the protocol. The new standard is expected to eliminate common audit and compliance problems experienced in current SSH communications. According to Mr. Ylonen, there’s no proper tracking of existing keys in many organizations. Thousands of SSH keys authorizing access have been in IT environments of many large organizations. This a lot more than the number of interactive users in these organizations. These access-granting credentials have largely been ignored in identity and access management, and present a real risk to information security.
The draft document provides guidelines for discovering, remediating and managing SSH keys and authentication details. A process is also provided allowing for moving of issued keys to a protected location, key rotation and removal of unused keys. Poorly managed keys have been the cause of illegitimate access, leaked keys, accidental human errors and unaudited backdoors in many organizations.