SSH keys
An SSH key is an access credential for the SSH network protocol. SSH establishes an encrypted connection between systems, which you can use to manage the remote system.
SSH keys authenticate the connection so that access to the server is granted only through the configured authentication methods.
The Discovery sensor scans your network (port 22 by default, where SSH is enabled) for the SSH keys configured on your servers.
Discover SSH keys
To discover the SSH keys configured on your server, you need to create and run a scan.
In your CertCentral account, select Discovery > Manage Discovery.
On the Manage scans page, select Add scan.
On the Add a scan page, in the Set up a scan section, provide the required information to set up the scan. Then, select Next.
In the Scan settings section, under Settings > Scan options, select Choose what to scan > Enable SSH key discovery.
Select Save and run.
View key scan results
In your CertCentral account, select Discovery > View Results.
On the Results page, in the Keys tab, use the Scan name filter to identify the keys associated with the scan.
Select the Name to view the details of the key.
The following information about the discovered keys is available:
Field | Description |
---|---|
Name | “Name” is the fingerprint of the key. An SSH key fingerprint is generated by hashing the public key with a hash algorithm from the SHA family; the key itself can be of any type, for example ECDSA. |
Algorithm | The algorithm of the SSH key and the key's size (or length) in bits. |
Authentication methods | The methods configured on your server to authenticate with this SSH key. |
First discovered | The date when the key was first discovered. |
Rotation limit | The time frame defined by your organization after which the key should be replaced with a new key. It is calculated from the date the key was first discovered. |
Protocol | The protocol used to set up the encrypted connection between the systems: Secure Shell Version 1 (SSH1) or Secure Shell Version 2 (SSH2). Note: SSH1 has been obsolete for a long time; it does not support future upgrades, is vulnerable, and does not protect against current threats. If your system still depends on SSH1, upgrade to SSH2. If the Discovery sensors detect a key that uses SSH1, we will report it as not secure. |
Duplicates | Identifies whether the specific key has duplicates. |
Security level | Signifies the security status of the key. The key is regarded as unsecured if it: |
Delete the key
In your CertCentral account, select Discovery > View Results.
On the Results page, in the Keys tab, find the key you want to delete.
Select Delete in the Action column corresponding to the key.
Note
Deleting a key only removes the key from CertCentral Discovery. The key remains active, authorized for use, and available on the server. Delete the key from the server to prevent later scans from detecting it and reporting it again in the discovered data.
Rotate the key
Rotating a key means retiring one key and replacing it with a new one. It is considered best practice to rotate keys at regular intervals to limit the damage if a key is compromised.
Key rotation limits the amount of data protected under any one key. As a result, past communications remain secure if a key is breached, because they took place under a different key.
For security reasons, we recommend maintaining key rotation limits and rotating keys that have crossed or are close to their rotation limit (1 year) or that have duplicates.
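The following is an added example, not CertCentral code: it reproduces, for a local inventory, the checks behind the fields described above (fingerprint, algorithm, size in bits, duplicates) and the 1-year rotation limit counted from the first-discovered date. The sample keys are constructed in code as structurally valid blobs and are not real credentials; the `make_key` helper exists only to build them.

```python
import base64
import hashlib
from datetime import date, timedelta
ROTATION_LIMIT = timedelta(days=365)  # the page's 1-year rotation limit

def _ssh_string(data: bytes) -> bytes:  # one length-prefixed blob field (RFC 4253)
    return len(data).to_bytes(4, "big") + data

def _read_fields(blob: bytes) -> list:
    """Split a decoded public key blob back into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def make_key(key_type: str, *fields: bytes) -> str:
    """Build a public key line from blob fields (used only for constructed samples)."""
    blob = b"".join(_ssh_string(f) for f in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()}"

def inspect_key(line: str) -> dict:
    """Return the fingerprint, algorithm and size in bits of one public key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields = _read_fields(blob)
    if key_type == "ssh-rsa":          # fields: type, e, n (mpint); size = bits of n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif key_type == "ssh-ed25519":    # fields: type, 32-byte public key
        bits = 256
    else:
        raise ValueError(f"unsupported key type {key_type}")
    # OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), '=' padding removed
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"fingerprint": f"SHA256:{digest}", "algorithm": key_type, "bits": bits}

def assess(inventory: list, today: str) -> list:
    """Flag duplicate fingerprints and keys past the rotation limit (ISO dates)."""
    now = date.fromisoformat(today)
    results = [dict(inspect_key(k), first_discovered=d) for k, d in inventory]
    seen = [r["fingerprint"] for r in results]
    for r in results:
        r["duplicate"] = seen.count(r["fingerprint"]) > 1
        r["rotate"] = now - date.fromisoformat(r["first_discovered"]) >= ROTATION_LIMIT
    return results

# Constructed sample keys: structurally valid blobs, not real credentials
RSA_2048 = make_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big"))
ED25519 = make_key("ssh-ed25519", b"\x01" * 32)
```

Feeding `assess` the same key found on two hosts shows it as a duplicate, and a key first discovered more than a year before `today` is flagged for rotation.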