5 SSH Best Practices You Can Start Implementing Today


October 28, 2015 | DevOps | joanna mastrocola


As cybersecurity month is coming to a close, it seems only fitting to provide you with some advice on maintaining your enterprise’s security all year long.

One of the hardest things to manage in large, agile enterprises are SSH keys. As your infrastructure grows, so will the amount of SSH keys and privileged accounts that you need to manage and as these numbers hit the thousands, administering and maintaining these roles will be difficult.

A study by the Ponemon Institute found that 51% of organizations aren’t even aware of how many keys and certificates are used by their organization. Not knowing where or how these keys and certificates are being used means that an enterprise is completely vulnerable to attacks. These attacks on trust are very costly since they are so difficult to detect, usually targeting acute areas. Follow our SSH best practices to ensure that security isn’t neglected for the sake of agility.

Here are 5 SSH best practices you can start implementing today:

1) Don’t confuse Authorization with Authentication.  

 Authentication is used to establish identity; authorization is used to determine access levels and permissions.  For more detail check out this blog post.

2) Always Audit

It is critical to keep a constant log of both the failed and successful login attempts of all of your hosts.  A public key pushing system won’t tell you the difference between a stranger claiming to be someone you know and someone you know trying to access information that they aren’t authorized to access.

3) Don’t Share Your Private Key…EVER.

Although Public Keys shouldn’t be treated like secrets, private keys should.  Never distribute your private key to any system or person; if you need to authenticate yourself  just share your public key. Remember: Your public key is safely sharable but your private key is not.

4) Schedule SSH Key Rotation

Key rotation should always be part of your overall security plan. If you work under strict regulatory and compliance laws then this is especially important.  Find a tool that not only easily rotates your keys, but also keeps an audit log of which keys were rotated and when.

5) Centralized Key Management

Each developer should have their own unique login and set of privileges. This way, you can easily create and delete new ssh keys.  Don’t use manual methods to distribute and create ssh keys; this non-automatic system won’t remain secure or scalable as your environment grows.

Want more tips like this? Subscribe to our blog and keep up with the latest information in IT Security.





Keep up-to-date on security best practices, events and webinars.

Share This