SSH Key Management: Best Practices and Tools

Posted on by Lee Painter

Secure Shell (SSH) is a powerful protocol for securing remote connections, and key-based authentication is a cornerstone of SSH security. Properly managing SSH keys is crucial for maintaining a secure infrastructure. This article explores best practices for SSH key management, including the use of OpenSSH certificates, and reviews tools that can automate and enhance the security of your key management process.

1. Generating SSH Keys

The first step in key-based authentication is generating a pair of cryptographic keys. The private key remains on your local machine, while you should place the public key on the Server.

Steps to Generate SSH Keys:

  1. Generate a New SSH Key Pair:
   ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

This command creates a 4096-bit RSA key pair. You can also use other algorithms like ECDSA or Ed25519 for improved security and performance.

   ssh-keygen -t ed25519 -C "your_email@example.com"
  1. Add the Public Key to the Server:
   ssh-copy-id user@remote_server

Alternatively, manually add the public key (~/.ssh/id_rsa.pub or ~/.ssh/id_ed25519.pub) to the Server’s ~/.ssh/authorized_keys file.

2. Protecting Private Keys

You must keep Private keys secure. Unauthorized access to your private key can compromise your entire SSH setup.

Best Practices for Protecting Private Keys:

  1. Use Strong Passphrases:
    When generating your SSH key pair, encrypt your private key using a strong passphrase, adding a further layer of security.
   ssh-keygen -p -f ~/.ssh/id_rsa
  1. Secure Storage:
    Store private keys in secure locations. Avoid storing them on shared or networked file systems. Use filesystem encryption if possible.
  2. Restrict Permissions:
    Ensure that your private key files have the correct permissions.
   chmod 600 ~/.ssh/id_rsa
  1. Use SSH Agents:
    Use SSH agents like ssh-agent or gpg-agent to manage your keys securely and avoid repeatedly entering passphrases.

3. Managing SSH Key Lifecycles

You should rotate SSH keys periodically to minimize the risk of key compromise.

Best Practices for Key Lifecycle Management:

  1. Regular Key Rotation:
    Implement a regular key rotation policy. For example, rotate keys every 6-12 months.
  2. Audit and Remove Old Keys:
    Regularly audit authorized keys on your servers. Remove keys that are no longer needed or associated with former employees.
  3. Automate Key Management:
    Use tools to automate key rotation and management processes, reducing the risk of human error.

4. OpenSSH Certificates for SSH Key Management

OpenSSH certificates allow for more effective key management, centralized control, and simplified key rotation.

Steps to Use OpenSSH Certificates:

  1. Generate a CA (Certificate Authority) Key:
   ssh-keygen -t rsa -b 4096 -f /path/to/ca -C "CA for SSH"
  1. Sign a User Key with the CA Key:
   ssh-keygen -s /path/to/ca -I user_key_id -n username -V +52w user_key.pub

This command signs the user key with the CA key, valid for 52 weeks.

  1. Configure SSH to Trust the CA:
    Add the CA public key to the server’s ~/.ssh/authorized_keys or /etc/ssh/sshd_config:
   TrustedUserCAKeys /path/to/ca.pub
  1. Use the Signed Key for Authentication:
    The client uses the signed key to authenticate, and the Server verifies the certificate against the CA key.

Advantages of Using OpenSSH Certificates:

  • Centralized Management: Simplifies key management by allowing centralized control over user keys.
  • Key Rotation: Easier key rotation and expiration management.
  • Access Control: Improved access control through certificate constraints.

5. Tools for SSH Key Management

Several tools can help manage SSH keys efficiently and securely.

  1. OpenSSH:
    OpenSSH provides powerful tools for key management, including ssh-keygen for key generation, ssh-agent for managing keys, and certificate support.
  2. Vault by HashiCorp:
    Vault can manage SSH keys dynamically, generating one-time-use SSH credentials and centralizing key management.
   vault ssh sign <role-name> ~/.ssh/id_rsa.pub
  1. Key Management Services (KMS):
    Cloud providers like AWS, GCP, and Azure offer KMS solutions that can integrate with SSH to securely manage and store keys.
  2. Centralized Access Management Tools:
    Tools like Teleport and Boundary provide centralized access management, integrating with SSH to enforce policies and manage user access.

6. Monitoring and Auditing SSH Access

Continuous monitoring and auditing of SSH access help identify and respond to potential security incidents.

Best Practices for Monitoring and Auditing:

  1. Enable Logging:
    Ensure that SSH logging is enabled. Monitor logs for unusual activity.
   sudo nano /etc/ssh/sshd_config

Add or modify the following lines:

   LogLevel VERBOSE
  1. Use SIEM Solutions:
    Integrate SSH logs with Security Information and Event Management (SIEM) systems for real-time monitoring and alerting.
  2. Regular Audits:
    Conduct regular audits of SSH access and authorized keys. Review access and remove any unnecessary or outdated keys.

Conclusion

Effective SSH key management is critical for securing your infrastructure. You can significantly enhance your SSH security posture by following best practices for key generation, protection, lifecycle management, and monitoring. Leveraging OpenSSH certificates and tools for automation and centralized management further strengthens your ability to manage SSH keys securely and efficiently.