Five SSH Facts

By Tatu Ylonen

01 March 2017

Print Issue: March 2017

Tatu Ylonen is the inventor of Secure Shell (SSH), a software package that enables secure system administration and file transfers over insecure networks. He is the CEO and founder of SSH Communications Security, and author of the Internet Engineering Task Force standards on SSH protocol.

1. Creation. After discovering a password sniffer had been used on his Finnish university’s network, Ylonen created SSH in 1995 to allow him to securely login remotely to his company over the Internet. SSH is used to manage networks, encrypted file transfers, and secure machine-to-machine automation. SSH is now used by almost every data center in the world and more than half of the world’s Web servers are managed using SSH.

2. Keys. SSH works by giving users cryptographic keys, which function like usernames and passwords. These SSH keys grant access to systems and are typically used by system administrators. They also enable automation, which allows cloud services to function. A systems administrator can create a new SSH key in less than a minute, and many organizations have keys that were created once and never used again. For instance, a recent audit of a major financial institution’s systems found that of the thousands of SSH keys that had access to its data, 90 percent were not being actively used.

3. Risk. Hackers can use compromised SSH keys to gain access to servers, spreading an attack throughout the server infrastructure from one data center to another. If a Fortune 500 company’s information systems—including servers and disaster recovery data centers—went down, the organization would not function. In the worst-case scenario, the servers would be severely damaged.

4. Management. In protecting physical spaces, security experts decide who has access to what parts of the facility and then put in place systems and processes to grant and revoke that access. The same approach needs to be taken to SSH key management; security starts by controlling who is given access to corporate data and systems. Security should go through the company’s systems and find out what SSH keys are still valid, revoke those that are no longer needed, and create a process for issuing and revoking new keys.

5. Regulation. The U.S. National Institute of Standards and Technology (NIST) published a paper by Ylonen and others on SSH key management in 2015. Since then, the PCI Security Standards Council has addressed SSH key management in its newest regulations and NIST has done the same for federal agencies. Ylonen predicts that in five years, key management will become a major focus for almost all industry verticals.