Authorized Key in SSH
An authorized key in SSH is a public key used for granting login access to users. The authentication mechanism is called public key authentication.
Authorized keys are configured separately for each user - usually in the .ssh/authorized_keys
file in the user's home directory. However, the location of the keys can be configured in SSH server configuration files, and is often changed to a root-owned location in more secure environments.
Technically, an authorized key looks like this:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= ylo@klar
Contents
Authorized keys are Access Credentials Provisioning Authorized Key Provisioning in OpenSSH Beware of the Key Management ProblemAuthorized keys are Access Credentials
Authorized keys configure access credentials and grant access to servers. They must be properly managed as part of identity and access management and are relevant for all compliance standards and cybersecurity-related laws, such as Sarbanes-Oxley for public companies, HIPAA for health care, and FISMA/NIST SP 800-53 for US government agencies.
Universal SSH Key Manager is a popular solution for managing the keys and establishing proper provisioning and termination processes.
Provisioning
Authorized keys are the only kind of credential that users are commonly able to self-provision. It is possible to prevent self-provisioning in SSH, but that requires a configuration change. The operation is often called lock-down, and it is usually one of the first steps in SSH key management.
Each SSH implementation has its own tools for creating and distributing SSH keys. Different implementations also use different formats for the key files.
Typically provisioning an authorized key involves generating a key pair, installing the public key as an authorized key, and using the private key as an identity key.
Various SSH clients have their own key generation tools. PuTTY comes with PuTTYgen.
Authorized Key Provisioning in OpenSSH
With OpenSSH, a key pair can be created using the ssh-keygen tool. The public key can then be copied to a server using the ssh-copy-id tool.
The whole process is very simple and only takes a few minutes. With default configuration, anyone with access to a user account on a server can configure additional SSH keys for it.
Beware of the Key Management Problem
Given that generating and and installing SSH keys is so easy, they can easily proliferate and expose the organization to attack spread and other disks. It is important to pay attention to key management and address it in security policies and audits early on. Even in an organization of only a few dozen people there can be hundreds or thousands of authorized keys. Some larger enterprises have several million keys granting access to their production servers.