A draft version of the updated SSH dubbed “Managing SSH Keys for Automated Access – Current Recommended Practice” has been put up for public review by the IETF. The new version of the SSH, which focuses on key management, has been authored by Ylonen along with Murugiah Souppaya, a computer scientist at NIST, and Greg Kent of SecureIT. The original version of SSH was released in 1995 and was superseded by SSH-2 in 2006.
The draft of the update was pushed out in April and will be available until October for review. The protocol “provides guidelines for discovering, remediating, and continuously managing SSH user keys and other authentication credentials.”
There have been quite a few instances where poorly managed keys have led to the spread of viruses, key leaks, unauthorized access through the use of these leaked keys, and unaudited backdoors, among others. The team behind the draft notes that organizations use thousands, and in some cases over a million, keys for automated access within their setups, and that despite this, key management has been largely ignored.
The updated SSH intends to provide “guidelines for discovering, remediating, and continuously managing SSH user keys and other authentication credentials.” It presents a process for moving already issued keys to a protected location, removing unused keys, rotating keys, specifying what can be done with each key, and establishing an approval process for issuing new keys.
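The discovery step of that process can be sketched as an inventory of authorized keys. The following is an added example, not code from the draft or its authors: it assumes keys are stored in OpenSSH `authorized_keys` format, treats the `command=` and `from=` options as the per-key restrictions, and uses constructed accounts and key blobs.

```python
import base64, hashlib, re, struct
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def split_options(line):
    """Separate the optional leading options field, honouring quoted values."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""

def option_names(opts):
    """Option names only; quoted values are dropped so their commas are ignored."""
    bare = re.sub(r'"(?:\\.|[^"\\])*"', "", opts)
    return {o.split("=")[0].lower() for o in bare.split(",") if o}

def audit(files):
    """files maps account -> authorized_keys text. Returns (findings, shared keys)."""
    findings, owners = [], defaultdict(set)
    for account, text in files.items():
        for line in filter(None, map(str.strip, text.splitlines())):
            if line.startswith("#"):
                continue
            opts, rest = split_options(line)
            try:
                ktype, b64 = rest.split()[:2]
                blob = base64.b64decode(b64, validate=True)
            except ValueError:  # too few fields or invalid base64
                ktype = None
            if ktype not in KEY_TYPES:
                findings.append((account, None, "unparseable entry"))
                continue
            # Same fingerprint form that `ssh-keygen -l` prints for SHA256
            digest = hashlib.sha256(blob).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            owners[fp].add(account)
            names = option_names(opts)
            for opt, why in (("command", "no forced command"), ("from", "no source restriction")):
                if opt not in names:
                    findings.append((account, fp, why))
    shared = {fp: sorted(a) for fp, a in owners.items() if len(a) > 1}
    return findings, shared

def _key(seed):  # constructed ed25519-shaped blob for the sample, not a real key
    f = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(f(b"ssh-ed25519") + f(bytes([seed]) * 32)).decode()

SAMPLE = {  # constructed accounts and entries
    "backup": f'command="/usr/bin/rsync --server -a . /srv",from="10.0.0.5",no-pty ssh-ed25519 {_key(1)} backup@host-a\n',
    "deploy": f"# automation\nssh-ed25519 {_key(2)} ci\nssh-ed25519 {_key(1)} copied\n",
}
```

Calling `audit(SAMPLE)` reports the two unrestricted entries under `deploy` and shows that one key is authorized in both accounts, which is the kind of inventory that removal and rotation decisions start from.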