Join Keyfactor at RSA Conference™ 2024    |    May 6 – 9th    | Learn More

  • Home
  • Blog
  • SSH
  • SSH Attack Vector: Dormant & Forgotten Keys

SSH Attack Vector: Dormant & Forgotten Keys


SSH keys are everywhere. However, despite their widespread use and high-privilege access, they’re often overlooked by IT and security teams. Meanwhile, malicious actors seek to exploit unmanaged and unprotected keys to perform SSH attacks and spread through networks undetected.

In this blog, we’ll discuss the underlying problem of SSH key sprawl and how to prevent emerging SSH attacks, such as FritzFrog and Lemon_Duck, by implementing proper key management and security practices.

The Importance of SSH Keys

The SSH protocol is deployed on millions of Linux and Unix servers in nearly every enterprise network. SSH keys are widely used in these environments (rather than passwords) to secure remote access and automated processes between systems and machines.

In short, SSH keys perform a critical role in enterprise security, allowing trusted, encrypted connections to other systems, which can be either on-premise or in the cloud.

Properly managed SSH keys offer convenience and improved security, protecting the business from eavesdropping and traffic interception, while hindering adversaries from gaining unauthorized access and decrypting transmitted data.

Unlike password authentication, protected and effectively managed keys are resistant to SSH brute force attacks and protect against attack vectors used to gain access to remote systems. The level of cyber resilience offered by SSH keys is crucial, especially if we consider the reliance of businesses on technologies such as IoT and multi-cloud platforms, and trends like remote working, which leverage identity as the corporate perimeter.

Because of the importance of SSH keys, organizations employing the SSH protocol must protect their keys to safeguard the trust of their systems.

What is SSH Key Sprawl?

The proliferation of edge-computing, multi-cloud environments, DevOps practices and IoT have led to an explosion of keys in corporate environments. In fact, large enterprises, government agencies, banks and technology vendors often have hundreds of thousands or even millions of automated, scripted, or other non-interactive SSH identities.

However, the sheer number of SSH keys is often unknown and untracked. There are many reasons that contribute to a rather chaotic situation.

First of all, it is far too easy for system administrators to generate SSH keys using command line without any sort of approval or the need to adhere to corporate access management policy. This leads to a proliferation of unmanaged SSH keys used for particular use cases and processes.

Furthermore, without processes in place for deleting keys when employees change roles or depart the organization, their corresponding keys often sit dormant and forgotten on host systems. Lack of visibility into all SSH keys and trust relationships makes key rotation and deletion much more difficult, to the point where security teams simply avoid the process out of fear of disrupting operations.

The end result is that weak SSH key management processes and practices create a situation where more and more keys are being generated, and many are left orphaned and lost in the wilderness of vast enterprise networks. However, the scariest part of the story is that these “forgotten” keys still remain valid, providing privileged or even root access to critical systems and data.

Unknown, untracked, and poorly managed SSH keys present such a serious (but avoided) risk management problem that it’s often referred to as“the elephant in the room.”

Risks of SSH Key Sprawl

Considering the level of privileged access SSH keys enable, it is no wonder that poorly managed keys expose organizations to considerable SSH attack exposure. Despite that, the security of these keys has been largely ignored.

The accounts associated with SSH keys often do not respect least privilege principles and grant more access than required, such as allowing execution of any command (root). In addition, SSH keys for automated access on corporate assets and systems often provide many more entry points onto servers than the interactive user accounts do. A considerable percentage of these keys grant access to administrative or sensitive accounts, such as those storing database files or critical software.

SSH keys are also used to establish trust relationships when communicating with other organizations, external systems, or independent users. Unmanaged SSH keys may turn these trust relationships into policy violations, such as leading from development and test systems into production systems or crossing from a low-impact system to a high-impact one, without requiring any additional authentication.

Most importantly, broken SSH key-based trust relationships can enable an attacker who compromises one system to quickly pivot from one system to another and spread through an organization—individual trust relationships often collectively form webs of trust across an organization’s systems.

SSH Keys Are a Critical Management Problem

The truth is that SSH keys present a real management problem with a high-risk profile.

SSH keys are attractive targets for malicious actors, since they are widely used to secure access to mission critical systems, including servers, routers, firewalls, security appliances, and other devices through accounts with elevated privileges.

These elevated privileges can be attained through a single SSH key, that may have been generated outside the key management process, to allow a malicious actor access to a server.

From there, the elevated privileges can be used to find or create a new key that allows access to another server, permitting criminals to move laterally, perform surveillance and escape with valuable data.

Managing SSH keys is evidently vital to ensure trust in interactive and automated access processes across organizations. However, SSH key management is a difficult task.

Although SSH keys are a key component of robust Identity and Access Management (IAM), in many cases these keys have been completely overlooked. The root cause behind this critical problem is the use of manual methods and processes to manage the ever-increasing number of SSH keys.

This results in a lack of visibility of the keys an enterprise possesses. Having no visibility into what keys they own makes it hard to map those keys to all associated devices and users. The proliferation of IoT devices and non-user entities and services only make things worse.

In addition, lack of visibility leads to vulnerable SSH implementations, since businesses cannot implement sound processes for key rotation and removal either responding to security incidents or for administrative purposes (personnel rotation).

Start With Visibility & Control

Effective and efficient IAM begins with having visibility and control over your identities. Identities are the most important credential in modern enterprise environments. You just cannot afford uncontrolled, untracked and poorly managed identities.

SSH keys are an important and crucial part of your organizational IAM processes and should be guarded against compromise. The best way to do that is by gaining back control of who owns them, where they are located, what their purpose is, and when rotation is required.

Without any control management mechanisms, you will not be able to safeguard the confidentiality and integrity of your assets.

Identity and access management is the foundation of any modern business as it addresses the basic organizational need to be able to reliably identify users and machines, and to be able to control which entities get access to which resources.

Assess the risks of poorly managed SSH keys in your organization and learn how to achieve SSH security practices in this whitepaper.