Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

11:40 PM
Connect Directly

Bad SSH Key Management Leaves Databases At Risk

Not enough oversight of keys leaves SSH clients open to abuse

A "gaping hole" in the way enterprises govern the use of one of IT's least sexy but most used access control and encryption protocols is leaving many sensitive database servers and other network devices at serious risk.

Secure Shell (SSH) -- a Swiss army knife in the arsenal of many an IT department -- is best known for aiding in the creation of encrypted tunnels to secure remote access and file transfers, but has gradually gained even more acceptance as a way to secure machine-to-machine connections to help enterprises move large amounts of valuable and sensitive data.

But experts say that enterprises do such a poor job of managing the public/private key pairs upon which the protocol depends that they're putting many of their most sensitive data assets at risk, including database servers that use SSH to connect with applications that tap into them.

According to Charles Kolodgy, an analyst for IDC, at most enterprises the internal means by which organizations manage their SSH keys are "often clumsy and decentralized." What's more, when organizations do take steps to secure use of keys by central access by only a few privileged administrators, they often don't monitor those privileged insiders for policy violations, creation of rogue keys, or other suspicious behavior that could put the security of SSH communications in jeopardy.

That's a scary thought, considering how much trust is put into SSH as an authenticator.

[Why do data breach costs continue to grow? See Negligence, Glitches Push Up Cost Of Breaches Worldwide.]

"An interesting unintended consequence of SSH is that an SSH connection can be used to bypass access control mechanisms such as password-based systems," Kolodgy recently wrote. "If a system account -- operating systems, middleware, databases, and applications for running processes -- has a key association, a user can make a connection to the system account, circumventing the standard password-based authentication. This access is made possible because the SSH key association provides acceptable authentication."

This potential IAM end-around leaves databases particularly vulnerable, says Jason Thompson, director of global marketing for SSH Communications Security.

"Let's say you're dealing with a large database environment and you've got an SSH client on that particular database server, and there's a key someone has access to, they could potentially get in there and pull all that information out of the database," he says. "They're going to be able to do it in an encrypted fashion, and they're going to look like an authorized user."

According to Thompson, this type of vulnerability stemming from poor governance of the key management process is exacerbated by the fact that SSH is so heavily used in machine-to-machine traffic. He says it is a common misperception that SSH is primarily driven by "interactive human usage," but the truth is that user traffic makes up less than 20% of SSH traffic in the enterprise. The rest is driven by automated machine-to-machine transactions.

"What that means is that even though it is machine-to-machine traffic that the keys are being utilized for, an individual could hijack that encrypted network and gain access to that dedicated machine-to-machine traffic," he says. "If they got into a large environment with a key with very high level of privilege, they're going to have pretty much unfettered access to a large swath of the environment."

The bottom line is that organizations have to do a better job managing keys and monitoring how they're used.

"Organizations categorically do not have a management system in place that continuously monitors and manages SSH keys within their networks," said Jeff Hudson, CEO of Venafi. "Those networks often have thousands of systems utilizing SSH for elevated and privileged access. This improper management of trust technologies has created a gaping hole that is the target of advanced persistent threats."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mark Stanislav
Mark Stanislav,
User Rank: Apprentice
6/12/2013 | 3:00:01 PM
re: Bad SSH Key Management Leaves Databases At Risk
This is a fantastic article! Anyone who's been a systems administrator in the *nix world has dealt with this tango of convenience and insecurity for a long-time. More so, developers have definitely gotten into the mix (just look at GitHub's SSH key management feature) over the past few years in large numbers.

Managing keys is definitely a problem since many groups don't centrally handle them in the same manner they may user accounts. A really powerful way to both secure the authentication process and help prevent users who no longer should have privilege is through using "SSH Key Callback" for two-factor authentication.

For a full overview of how that's achieved, check out a blog post we did over at Duo Security a couple years ago: https://blog.duosecurity.com/2...

The ability to enforce two-factor authentication at a granular level (per key, if you want) allows for helping to manage the sometimes unruly nature of SSH keys centrally. For instance, if your employee leaves you can simply disable their ability to authenticate through a central administration console. Even if they were to login with a valid SSH key your team forgot to remove for authorized_keys, it would reject them at the second factor authentication.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
PUBLISHED: 2020-08-10
An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerabilit...
PUBLISHED: 2020-08-10
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
PUBLISHED: 2020-08-10
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.
PUBLISHED: 2020-08-10
A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.