Secure Shell (SSH), the cryptographic network protocol used to provide confidentiality of data over unsecured networks such as the Internet, is headed for a makeover to address security and management problems associated with the proliferation of poorly managed SSH keys.
Ylonen, who developed SSH back in 1995, said it may take two years to obtain widespread adoption of the new version of the protocol, so backwards compatibility is important. SSH2, the last major version of the protocol, came out in 2006.
SSH is a network protocol for secure data communication, remote shell access or command execution, and other secure network services between two networked computers, carried over a secure channel across an insecure network.
The IETF document released this month includes recommendations for security policy makers for ensuring that automated access and SSH keys are dealt with in an organization’s security policy. The requirements, the document said, take into account the need to tackle security issues as well as to keep costs at a “reasonable” level.
Among the processes outlined in the document are:
– A process for discovering who has access to what
– Bringing existing IT environments under control with respect to automated access and SSH keys
– Moving authorized keys to protected locations
– Removing unused keys or those without valid purposes
– Associating authorized keys with a business process or application
– Introducing restrictions on what can be done with authorized keys
– A process for continuous monitoring and control of keys
Ylonen also said that his company will release a free key discovery tool next month that will enable users to collect SSH key information throughout their IT environments so that they can assess their risk exposure.
The SSH Risk Advisor will help users identify where SSH is being used and the SSH keys that may have proliferated.
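Several of the processes listed above (discovering who has access to what, tying each authorized key to an owner or application, restricting what a key may do) and the inventory step the SSH Risk Advisor is described as performing can be approximated by auditing authorized_keys files. The following is an added example, not text from the IETF document or code from Ylonen's tool: the option names (`from=`, `command=`, `restrict`, `no-*`) are standard OpenSSH authorized_keys options, while the account names, key blobs and file contents are constructed sample data.

```python
import base64, hashlib
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")  # common authorized_keys types
# (predicate on a lower-cased option, finding when no option matches); "restrict" (OpenSSH 7.2+) implies all no-*
CHECKS = ((lambda o: o.startswith("from="), "no from= source restriction"),
          (lambda o: o.startswith("command="), "no forced command"),
          (lambda o: o == "restrict" or o.startswith("no-"), "no restrict/no-* options"))
def fingerprint(blob_b64):  # OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(blob_b64)).digest()).decode().rstrip("=")

def split_unquoted(text, seps):
    # split on any char in seps that lies outside double quotes, so command="a, b" stays one option
    parts, quoted = [""], False
    for ch in text:
        quoted ^= ch == '"'
        if ch in seps and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
    return [p for p in parts if p]

def parse_line(line):
    # -> (options, key_type, blob, comment); None for blank, '#' comment and malformed lines
    tokens = split_unquoted(line.strip(), " \t")
    has_options = bool(tokens) and tokens[0] not in KEY_TYPES and not tokens[0].startswith("#")
    options = split_unquoted(tokens.pop(0), ",") if has_options else []
    if len(tokens) < 2 or tokens[0] not in KEY_TYPES:
        return None
    return options, tokens[0], tokens[1], " ".join(tokens[2:])

def audit(files):
    # files: {account: authorized_keys text} -> one finding per key, listing its policy gaps
    findings, accounts_by_fp = [], {}
    for account, text in files.items():
        for options, key_type, blob, comment in filter(None, map(parse_line, text.splitlines())):
            fp = fingerprint(blob)
            accounts_by_fp.setdefault(fp, set()).add(account)
            issues = [msg for pred, msg in CHECKS if not any(pred(o.lower()) for o in options)]
            issues += [] if comment else ["no comment tying the key to an owner or process"]
            findings.append({"account": account, "fingerprint": fp, "key_type": key_type, "issues": issues})
    for f in findings:  # one key trusted by several accounts is one credential with wide reach
        if len(accounts_by_fp[f["fingerprint"]]) > 1:
            f["issues"].append("same key authorized for: " + ", ".join(sorted(accounts_by_fp[f["fingerprint"]])))
    return findings

fake_blob = lambda label: base64.b64encode(b"constructed-blob:" + label.encode()).decode()  # stand-in key blob
SAMPLE_FILES = {  # constructed authorized_keys contents for two accounts, not data from any real host
    "root@db01": 'command="/usr/bin/rrsync -ro /srv/backup",from="10.0.0.5",restrict ssh-ed25519 %s backup@bk01\n'
                 "ssh-rsa %s jenkins@ci" % (fake_blob("backup"), fake_blob("jenkins")),
    "root@db02": "ssh-rsa %s jenkins@ci\nssh-rsa %s" % (fake_blob("jenkins"), fake_blob("orphan")),
}
```

Running `audit(SAMPLE_FILES)` reports the pinned rsync key as clean, the CI key as unrestricted and shared by both root accounts, and the last key as unrestricted with no owner recorded.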