Eliminating SSH Keys is Possible
May 17, 2020
If you’re looking to free your time and stop using SSH Keys by leveraging SSH Certificates automation, there is a way to do that.
SSH Keys provide a secure protocol for authenticating with cloud resources to perform operations or change configurations on a server. Containers and virtual machines on private or public clouds all connect through SSH.
DevOps relies heavily on the use of SSH while mobilizing automation for organizations. Keys are commonly stored on local disks, configuration files, and automation scripts.
They sound like a valuable and straight forward tool, but let’s look at using them in practice.
As a DevOps Engineer at a company that is scaling their cloud infrastructure, you begin to take on a large number of servers and keys. You’re stuck issuing, revoking, and managing keys instead of building automation. Most of the SSH key management is done manually. Often these keys get lost in the shuffle and there’s a good chance that keys that were intended to be “temporary”, stick around on the server, even after a developer leaves the company, or after a script is obsolete. There must be a simpler solution to managing these keys…
SSH Key Management Software
This is a common solution to problems such as ensuring rotation of keys, provisioning new keys, and auditing locations where the key is used. There are a couple of baseline requirement for using SSH Key Management Software:
- Managing an inventory of private keys for all machines each user wants access to
- Managing an inventory of which public keys are allowed for each machine
Great! Now you have your basic capabilities for tracking where every key is pointing to. This software still doesn’t solve your core problem. You’re still manually placing each key into a server. You now know where keys are pointing to, and which keys are deprecated but can’t automate like a DevOps Engineer working with Cloud Architecture.
Keys need to be continuously updated in order to add new users, remove departing users, and remove temporary accounts. Also factoring in the fact that SSH key values need to be rotated at least once a year. Team members often share keys, so a departing team member means that the key can no longer be used. You need to know which machines have the keys and remove them quickly after departure, otherwise, you are opening your organization up to vulnerabilities.
The deck is stacking up to make managing keys, even with software, a burden. Manually placing keys into a machine won’t work for an organization that is scaling its capabilities.
SSH Keys Management and Cloud Architecture?
DevOps Engineers by nature, strive to automate any manual processes. We understand that key-based authentication is no better than passwords when they’re managed like passwords. In a complex Cloud Architecture, machines require temporary scripts and are ephemeral by nature. Dynamically spinning up and destroying environments allows DevOps to have consistent environments and lower cost of operating each machine.
Temporary scripts are required when each pipeline begins to build these ephemeral environments. Creating at the beginning of the pipeline and tearing it down when the build completes. Placing keys in your scripts, or credential management system is an operation burden that slows down the CI/CD process and is a glaring malpractice as these keys can be stolen.
Let’s look beyond just SSH Keys and managing them with Key Management Software alone.
Eliminate the SSH Key
There is a better way to use SSH Keys – eliminating them! SSH Certificates remove the process of distributing and updating keys scattered across your organization.
Bind your public keys to a certificate, and have it signed by an internal CA (Certificate Authority). You eliminate the need to manage SSH Keys like passwords, and transition into automating SSH authentication.
Connecting to an identity provider such as Okta or LDAP transitions your organization from SSH Key Managements to Certificate Management with the authentication scheme you are already using. Issuing SSH Certificates via Single Sign-on (SSO) workflows saves you the operational time of continuously updating keys. SSO removes the need to issue an SSH public and private key pair and instead provides an ephemeral certificate to access your servers via SSH protocol.
There are several benefits to phasing out SSH Keys for SSH Certificates
- Instructions are included to manage policies that allow SSO to enhance security.
- Approvals and distribution of keys are done through automatic processes.
- Certificates use date ranges to automatically expire, ensuring your keys are rotated in a timeframe you define.
- Mistakes, misuse, or theft result in an SSH Certificate automatically expiring.
If your enterprise is operating at scale, SSH Certificates are a necessary part of your organization’s DevOps Workflow. You’re no longer wasting cycles doing key management. Instead, you’re obtaining SSH Certificates on-demand with every job. The security benefits, elimination of key management, and ephemeral authentication make SSH Certificates the right way to do SSH for any organization.
Enough said. Time for action. Schedule a Demo to see how AKEYLESS automates SSH access.
Or you can hit the ground running and Sign Up for a Free Trial.