Architecture and Configuration for Hardened SSH Keys

Architecture and Configuration for Hardened SSH Keys (PDF, 2.29MB)
Published: 11 Nov, 2020
Created by: Scott Ross

The Secure Shell (SSH) protocol is a tool often used to administer Unix-like computers, transfer files, and forward ports securely and remotely. SSH security can be quite robust when implemented correctly, and yet the protocol remains user-friendly for developers familiar with Unix. The asymmetric SSH keys used by the protocol have allowed operations engineers and developers to authenticate to remote machines, supporting increased automation and orchestration across DevOps environments. While the private keys should be password protected, they often are not. The fast pace of DevOps and the focus on delivery has led many companies to lose control of their authentication credentials and to misjudge the risk those credentials create. Private key files can become scattered around the environment, presenting a tempting target for threat actors seeking to pivot across a network or access cloud services. This paper evaluates a simple solution for protecting private keys: storing them on an external cryptographic device (YubiKey) and automating key management and SSH configuration (Ansible). This potential solution is compared to local key storage and prevalent ad-hoc key management against conventional SSH attack techniques in the MITRE ATT&CK matrix.