Secure Shell (SSH) keys are a commonly used method of authentication and provide access to a wide range of critical assets within corporate networks. Just like passwords, these authentication identities need to be subjected to security best practices to prevent any privilege misuse; however, managing SSH keys manually is a daunting process. Usually, enterprise IT teams create and provision SSH keys on the fly to users requesting access to SSH-based servers, without a central mechanism to track their usage. The number of unmanaged SSH keys can quickly get out of hand, and the pool of orphaned SSH keys becomes a vector for unauthorized access.
To gain complete visibility and control over the SSH key landscape, organizations should implement a comprehensive SSH key management program that integrates seamlessly with their privileged access management (PAM) solution to automate the life cycle management of SSH keys associated with privileged assets within the network.
ManageEngine PAM360 facilitates the complete life cycle management of SSH keys from a single, unified console. From discovering SSH servers, enumerating user accounts, and building a central inventory of SSH keys to on-demand key generation and deployment, periodic key rotation, and launching remote SSH sessions to target systems, PAM360 enables IT admins to monitor, automate, and manage the entire life cycle of SSH keys mapped to mission-critical assets across the IT ecosystem.
PAM360's built-in SSH key discovery tool helps IT admins perform network-based discovery of SSH keys deployed across the servers in the IT infrastructure. Discovery of SSH servers can be performed in bulk, either on demand or automatically at periodic intervals by creating scheduled tasks. Once a server is discovered, administrators can enumerate the user accounts on it and import the SSH keys present in each account by supplying that user's credentials. In addition to the password inventory, PAM360 maintains a centralized key inventory to which SSH keys are added automatically after discovery and import.
PAM360 helps IT admins centrally create fresh SSH keypairs and deploy the public keys to SSH servers across the network. This replaces the existing key-user mappings with new trust relationships, establishing a streamlined access control workflow and greater visibility over SSH key usage. Generation and deployment of SSH keys can also be done in bulk to multiple user accounts. Further, PAM360 can generate strong passphrases during the key generation process that serve as an additional layer of security.
Users can launch instant SSH sessions with remote hosts that are tunnelled via PAM360, requiring no direct connectivity between the user device and the target system. This gateway access removes the hassles of a direct connection, which requires users to supply the private key and passphrase manually every time a session is launched, and reinforces tight security.
It's a common practice for enterprises to create SSH key pairs as needed and use the same private key to authenticate to multiple systems. This means that if a single key pair is compromised, it could expose sensitive information from every account that particular key was mapped to.
With PAM360, administrators can enforce automated periodic rotation of key pairs deployed to various servers across the network. This best practice helps enterprises comply with industry standards and regulations, as well as bolster data security. A holistic view of the complete history of each key, including the date of creation, the creator and owner of the key, the rotation history, and so on, is presented to the administrator in the form of audit trails, reports, and dashboards.
Apart from discovering and inventorying SSH keys, PAM360 also helps administrators in their key management journey by exhibiting a comprehensive view of key-user relationships across the corporate network. Every key stored in PAM360 is mapped to its respective user account(s) in the remote server, making it easier for administrators to track trust relationships and delete any unwanted or orphaned keys in the network that could be potential launch points for a data breach.
PAM360 provides key management policies that enable IT administrators to wipe out all existing user key mappings across the network by removing the public key entries from the authorized_keys file of each remote host. Fresh key pairs can then be created from PAM360 and deployed to the target servers. These policies facilitate a quick redesign of the entire SSH framework, remediating all existing vulnerabilities and allowing administrators to embark on a clean, completely managed start.
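The inventory, shared-key, orphan-detection, pruning and rotation steps described above can be illustrated on imported authorized_keys content. The following is an added example written for this page, not PAM360's own code or any ManageEngine API; the hosts, accounts and key blobs are constructed (the ed25519 blobs are syntactically valid wire-format public keys built from fixed bytes, not real keys), and the fingerprint routine follows the OpenSSH convention of base64(SHA256(key blob)) with padding stripped. It generalizes beyond the text by also preserving per-entry options (such as `from=` and `no-pty`) when a key is rotated.

```python
"""Toy SSH public-key inventory built from imported authorized_keys files:
parse entries, fingerprint keys, map keys to the accounts that trust them,
flag shared and unmanaged (orphaned) keys, prune unmanaged entries, and
rotate a key in place. All hosts, users and key material are constructed."""
import base64
import hashlib
import re
import struct
from typing import Dict, List, NamedTuple, Set

# One authorized_keys entry: [options] key-type base64-blob [comment].
# The lazy options group lets quoted options containing spaces survive.
KEY_LINE = re.compile(
    r"^(?:(?P<options>.*?)\s+)?"
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)"
    r"(?:\s+(?P<comment>.*))?$"
)


class KeyEntry(NamedTuple):
    key_type: str
    blob: str
    comment: str
    options: str


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    """Parse authorized_keys text, skipping blanks, comments and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if m is None:
            continue  # a real tool would report the unparseable line
        entries.append(KeyEntry(m["type"], m["blob"], m["comment"] or "", m["options"] or ""))
    return entries


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw blob)), no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_blob(seed: bytes) -> str:
    """Wire-format ssh-ed25519 public key from a constructed 32-byte value.
    Syntactically valid for the parser, but NOT a real key."""
    assert len(seed) == 32
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(seed)).decode()


KEY_A = constructed_ed25519_blob(bytes(range(32)))       # shared "ops" key
KEY_B = constructed_ed25519_blob(bytes(range(32, 64)))   # managed key for alice
KEY_C = constructed_ed25519_blob(bytes([7] * 32))        # unknown to the inventory
KEY_D = constructed_ed25519_blob(bytes([9] * 32))        # replacement key for rotation

# Constructed snapshot of authorized_keys files imported from three accounts.
SNAPSHOT: Dict[str, str] = {
    "ops@web01": f"ssh-ed25519 {KEY_A} ops-shared\nssh-ed25519 {KEY_C} old-contractor\n",
    "ops@db01": f"# managed by central inventory\nssh-ed25519 {KEY_A} ops-shared\n",
    "alice@db01": f'from="10.0.0.0/8",no-pty ssh-ed25519 {KEY_B} alice@laptop\n',
}
# Fingerprints the central inventory issued and tracks (constructed).
MANAGED: Set[str] = {fingerprint(KEY_A), fingerprint(KEY_B)}


def build_inventory(snapshot: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each key fingerprint to the set of 'user@host' accounts trusting it."""
    inventory: Dict[str, Set[str]] = {}
    for account, text in snapshot.items():
        for entry in parse_authorized_keys(text):
            inventory.setdefault(fingerprint(entry.blob), set()).add(account)
    return inventory


def shared_keys(inventory: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Keys trusted by more than one account: one compromise exposes all of them."""
    return {fp: accts for fp, accts in inventory.items() if len(accts) > 1}


def orphaned_keys(inventory: Dict[str, Set[str]], managed: Set[str]) -> Dict[str, Set[str]]:
    """Deployed keys the central inventory does not know about."""
    return {fp: accts for fp, accts in inventory.items() if fp not in managed}


def prune_authorized_keys(text: str, managed: Set[str]) -> str:
    """Rewrite authorized_keys keeping only managed entries (plus comments/blanks)."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            kept.append(raw)
            continue
        m = KEY_LINE.match(line)
        if m and fingerprint(m["blob"]) in managed:
            kept.append(raw)
    return "\n".join(kept) + ("\n" if kept else "")


def rotate_key(text: str, old_fp: str, new_type: str, new_blob: str, new_comment: str) -> str:
    """Replace the entry whose fingerprint is old_fp with a new public key,
    preserving that entry's options so access restrictions survive rotation."""
    out = []
    for raw in text.splitlines():
        m = KEY_LINE.match(raw.strip())
        if m and fingerprint(m["blob"]) == old_fp:
            prefix = m["options"] + " " if m["options"] else ""
            out.append(f"{prefix}{new_type} {new_blob} {new_comment}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    inv = build_inventory(SNAPSHOT)
    for fp, accts in inv.items():
        print(fp, sorted(accts))
    print("shared:", sorted(shared_keys(inv)))
    print("orphaned:", sorted(orphaned_keys(inv, MANAGED)))
    print(prune_authorized_keys(SNAPSHOT["ops@web01"], MANAGED), end="")
    print(rotate_key(SNAPSHOT["alice@db01"], fingerprint(KEY_B), "ssh-ed25519", KEY_D, "alice-rotated"), end="")
```

Fingerprints rather than raw blobs are the right join key for an inventory: they are what `ssh-keygen -l` prints and what auth logs record, so the orphan and shared-key reports can be cross-checked against server-side evidence.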