Identify Unencrypted Private SSH Keys on User Machines

SSH key pairs can grant secure passwordless access to critical resources like production servers. They’re a valuable resource for organizations because they’re stronger than traditional credentials, but they must be carefully managed and maintained. Unencrypted private SSH keys on user machines can potentially provide a gateway for bad actors to access organizational data.

However, IT administrators have tools to monitor and manage the SSH keys in their organizations entirely from the cloud. In this post, we’ll explain the risks of unencrypted private SSH keys, and then we’ll cover ways to mitigate those risks.

Risks of SSH Without Password / Passphrase

Typically, users generate key pairs and store the private keys on their machines and the public keys on the remote resources they access, such as servers. Although organizations might have reasons to leave private SSH keys unencrypted, such as automation workflows, we recommend they use a passphrase to encrypt those keys wherever possible. The passphrase provides another layer of authentication to protect the private key. 

A user can create a new SSH key pair directly via their Mac® or Linux® terminal or another method, like PuTTY, for Windows®. When they create the key pair, they’ll be prompted to enter a passphrase, which is used to decrypt the private key stored on their machine. They can opt to skip that step, which will leave the private key vulnerable if the machine is compromised. 

Although full disk encryption is another valuable way to encrypt data on a machine, it’s only effective when the data is at rest and wouldn’t protect an unencrypted private SSH key in every scenario. SSH.com notes, for example, that keys can leak via backups or decommissioned hardware.

Recently, hackers targeted European supercomputers, including the University of Edinburgh’s ARCHER. The university announced that it would reset SSH passwords and, moving forward, users would be required to enter an SSH key with a passphrase and a password to access the supercomputer — which indicates the importance of properly protecting SSH keys. 

Identify SSH Keys for Private Key Encryption

Admins have access to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Cassa Niedringhaus. Read the original post at: https://jumpcloud.com/blog/identify-unencrypted-private-ssh-keys