This document presents current recommended practice for managing SSH
user keys for automated access. It provides guidelines for
discovering, remediating, and continuously managing SSH user keys and
other authentication credentials.
Various threats from poorly managed SSH keys are identified,
including virus spread, unaudited backdoors, illegitimate access
using leaked keys, lack of proper termination of access, use of
legitimate access for unintended purposes, and accidental human
Hundreds of thousands, even over a million SSH keys authorizing
access have been found from the IT environments of many large
organizations. This is many times more than they have interactive
users. These access-granting credentials have largely been ignored
in identity and access management, and present a real risk to
A process is presented for discovering who has access to what,
bringing an existing IT environment under control with respect to
automated access and SSH keys. The process includes moving
authorized keys to protected locations, removing unused keys,
associating authorized keys with a business process or application
and removing keys for which no valid purpose can be found, rotating
existing keys, restricting what can be done with each authorized key,
and establishing an approval process for new authorized keys. A
process is also presented for continuous monitoring and controlled
authorized key setup.
Finally, recommendations are made for security policy makers for
ensuring that automated access and SSH keys are properly addressed in
an organization's security policy.
Specific requirements are presented that address the security issues
while keeping costs reasonable.
Guidance is also provided on how to reduce operational cost while
addressing the threats and how to use tools to automate the