New version of SSH in the works

Secure Shell (SSH), the cryptographic network protocol used to provide confidentiality of data over unsecured networks such as the Internet, is headed for a makeover to address security and management problems associated with the proliferation of poorly managed SSH keys.

“Hundreds of thousands, even over a million SSH keys authorizing access have been found from the IT departments of many large organizations,” according to a recently released draft document from the Internet Engineering Task Force (IETF) which was co-authored by Tatu Ylonen, CEO of SSH Communications Security and the inventor of the cryptographic protocol. “This is many times more than they have interactive users. These access-granting credentials have largely been ignored in identity and access management, and present a real risk to information security.”

Ylonen, who developed SSH back in 1995, said it may take two years to obtain widespread adoption of the new version of the protocol, so backwards compatibility is important. SSH2, the last major version of the protocol, came out in 2006.

SSH is a network protocol that provides secure data communication, remote shell access or command execution, and other secure network services between two networked computers, which connect over a secure channel across an insecure network.


The IETF document released this month includes recommendations for security policy makers for ensuring that automated access and SSH keys are dealt with in an organization’s security policy. The requirements, the document said, take into account the need to tackle security issues as well as to keep costs at a “reasonable” level.

Among the processes outlined in the document are:

– A process for discovering who has access to what

– Bringing existing IT environments under control with respect to automated access and SSH keys

– Moving authorized keys to protected locations

– Removing unused keys or those without valid purposes

– Associating authorized keys with a business process or application

– Introducing restrictions on what can be done with authorized keys

– A process for continuous monitoring and control of keys
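As an added example (not code from the article, the IETF draft or SSH Communications Security's tool), the following Python script covers two of the items above, discovering who has access and checking for restrictions: it parses authorized_keys entries, fingerprints each key the way ssh-keygen -l does, and flags entries that carry no from=, command= or restrict option. The sample file contents and the key blob are constructed for the example.

```python
import base64
import hashlib
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")   # key-type prefixes OpenSSH accepts
LIMITING = ("from=", "command=", "restrict")  # options that limit what a key may do

def split_outside_quotes(text, is_sep):
    """Split where is_sep(ch) holds, but never inside double quotes."""
    out, cur, quoted = [], "", False
    for ch in text:
        quoted ^= (ch == '"')
        if is_sep(ch) and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    return [t for t in out + [cur] if t]

def parse_entry(line):
    """Parse one authorized_keys line; returns None for blank/comment lines."""
    toks = split_outside_quotes(line.strip(), str.isspace)
    if not toks or toks[0].startswith("#"):
        return None
    options = []
    if not toks[0].startswith(KEY_TYPES):  # first field is the options list
        options, toks = split_outside_quotes(toks[0], lambda c: c == ","), toks[1:]
    if len(toks) < 2:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    try:  # SHA256 fingerprint in the form ssh-keygen -l prints
        digest = hashlib.sha256(base64.b64decode(toks[1], validate=True)).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    except ValueError:  # binascii.Error is a ValueError subclass
        fp = "INVALID"
    return {"type": toks[0], "fingerprint": fp, "options": options,
            "comment": " ".join(toks[2:]),
            "restricted": any(o.startswith(LIMITING) for o in options)}

def audit(text):
    """Inventory one authorized_keys file and list the entries lacking restrictions."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return entries, [e for e in entries if not e["restricted"]]

# Constructed sample: BLOB is a well-formed ed25519 key blob (32 bytes of 0x01), not a real key.
BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIAEB" + "AQEB" * 10
SAMPLE = "\n".join([
    "# backup host pulls via rrsync only",
    'command="/usr/bin/rrsync /srv/backup",restrict ssh-ed25519 %s backup@host-a' % BLOB,
    'from="10.0.0.0/8" ssh-ed25519 %s deploy@ci' % BLOB,
    "ssh-ed25519 %s alice@laptop" % BLOB,
    "ssh-ed25519 not-base64!! broken@nowhere",
])
```

Running `audit` over every authorized_keys file collected from a fleet gives the per-key inventory the draft asks for, and the second list is the set of keys to review for a business purpose or to constrain first.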

Ylonen also said that his company will release next month a free key discovery tool that will enable users to collect SSH key information throughout their IT environments so that they can assess their risk exposure.

The SSH Risk Advisor will help users identify where SSH is being used and the SSH keys that may have proliferated.
