SSH keys

An SSH key is an access credential for the SSH network protocol. It lets you establish an encrypted connection between systems, which you can then use to manage the remote system.

SSH keys authenticate the connection to provide secure access to the server; the server can be configured with one or more authentication methods.

The Discovery sensor scans your network (by default, the SSH-enabled port 22) for SSH keys configured on your server.

Discover SSH keys

To discover the SSH keys configured on your server, you need to create and run a scan.

  1. In your CertCentral account, select Discovery > Manage Discovery.

  2. On the Manage scans page, select Add scan.

  3. On the Add a scan page, in the Set up a scan section, provide the required information to set up the scan. Then, select Next.

  4. In the Scan settings section, under Settings > Scan options, select Choose what to scan > Enable SSH key discovery.

  5. Select Save and run.

View key scan results

  1. Go to Discovery > View Results.

  2. On the Certificates page, select View keys.

  3. On the Keys page, use the Scan name filter to identify the keys associated with the scan.

  4. Select the Name to view the details of the key.

The following information about the discovered keys is available:

Name
  The fingerprint of the key. An SSH key fingerprint is a hash of the public key, produced with a hash algorithm such as SHA-256.

Algorithm
  The algorithm the SSH key uses and the key's size (or length) in bits.

Authentication methods
  The methods configured on your server for authenticating with SSH keys.

First discovered
  The date the key was first discovered.

Rotation limit
  The time frame defined by your organization after which the key should be replaced with a new key. It is calculated from the date the key was first discovered.

Protocol
  The protocol used to set up the encrypted connection between the systems communicating over the internet.

  Secure Shell Version 1 (SSH1):
  • Provides an encrypted channel for communication.
  • Provides robust host-to-host connection and user authentication.

  SSH1 has been obsolete for a long time: it cannot be upgraded, has known vulnerabilities, and does not protect against current threats.

  If your system still depends on the SSH1 protocol, we recommend upgrading to SSH2. If the Discovery sensor detects a key that uses the SSH1 protocol, it is reported as Not secure.

  Secure Shell Version 2 (SSH2):
  • More advanced, efficient, secure, and portable than SSH1.
  • Supports Secure File Transfer Protocol (SFTP).
  • Prevents data theft through eavesdropping by encrypting all data.
  • Prevents DNS and IP spoofing by cryptographically authenticating the server's identity.
  • Prevents man-in-the-middle attacks with stronger server-host authentication.

Duplicates
  Whether the key has duplicates (the same key found more than once).

Security level
  The security status of the key.

  The key is regarded as unsecured if it:
  • Has duplicates.
  • Has reached or is approaching its rotation limit.
  • Uses the SSH1 protocol to set up the connection.
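The fields above can be reproduced from the public key lines found on a server. The following Python script is an added example, not DigiCert's or CertCentral's code: it computes the OpenSSH-style SHA-256 fingerprint, reads the algorithm and key size out of the wire-format blob, recognises legacy SSH1-format key lines, groups duplicates, and applies the rotation-limit and SSH1 rules to produce a Secure / Not secure verdict. The 1-year limit comes from the Rotate the key section; the 30-day "approaching" window, the scan date and all key material are assumptions constructed for the example, and the MD5-over-modulus-and-exponent value used for SSH1 lines is only for grouping duplicates here.

```python
# Added example (not DigiCert's code): evaluate discovered SSH public keys by the rules the
# Keys page describes. All key lines and dates below are constructed test data.
import base64, hashlib, struct
from collections import Counter
from datetime import date, timedelta

ROTATION_LIMIT = timedelta(days=365)     # the 1-year rotation limit from the text
APPROACHING_WINDOW = timedelta(days=30)  # assumption: "approaching" = within 30 days of the limit
TODAY = date(2024, 6, 1)                 # constructed scan date so the run is reproducible

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the data."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """SSH mpint for a positive integer: big-endian, with a leading 0x00 when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(blob: bytes, off: int):
    """Decode one wire-format string at offset off; returns (data, next_offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(key_type: str, blob: bytes) -> int:
    """Key size in bits, read from the public key blob as ssh-keygen -l reports it."""
    _, off = read_string(blob, 0)            # every blob opens with its own type string
    if key_type == "ssh-rsa":
        _, off = read_string(blob, off)      # public exponent e
        n, _ = read_string(blob, off)        # modulus n: its bit length is the key size
        return int.from_bytes(n, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-"):
        curve, _ = read_string(blob, off)    # the curve name decides the size
        return {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}[curve]
    if key_type == "ssh-ed25519":
        return 256
    raise ValueError(f"unsupported key type {key_type}")

def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the whole blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_key_line(line: str) -> dict:
    """Classify one public key line into protocol, algorithm, size and fingerprint."""
    parts = line.split()
    if parts[0].isdigit():
        # SSH1 public key line: "bits exponent modulus [comment]", all in decimal
        e, n = int(parts[1]), int(parts[2])
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes((e.bit_length() + 7) // 8, "big")
        return {"protocol": "SSH1", "algorithm": "rsa1", "bits": int(parts[0]),
                "fingerprint": "MD5:" + hashlib.md5(raw).hexdigest()}  # grouping value for legacy keys
    # SSH2 public key line: "key-type base64-blob [comment]"
    blob = base64.b64decode(parts[1])
    return {"protocol": "SSH2", "algorithm": parts[0], "bits": key_bits(parts[0], blob),
            "fingerprint": sha256_fingerprint(blob)}

def build_report(keys, today: date) -> dict:
    """keys: (host, key line, first_discovered). Not secure if duplicated, at/near its limit, or SSH1."""
    parsed = {host: (parse_key_line(line), seen) for host, line, seen in keys}
    counts = Counter(info["fingerprint"] for info, _ in parsed.values())
    report = {}
    for host, (info, seen) in parsed.items():
        reasons = []
        if counts[info["fingerprint"]] > 1:
            reasons.append("duplicate")
        rotate_by = seen + ROTATION_LIMIT            # the limit counts from first discovery
        if today >= rotate_by:
            reasons.append("rotation limit reached")
        elif today >= rotate_by - APPROACHING_WINDOW:
            reasons.append("approaching rotation limit")
        if info["protocol"] == "SSH1":
            reasons.append("SSH1 protocol")
        report[host] = {**info, "rotate_by": rotate_by, "reasons": reasons,
                        "security_level": "Not secure" if reasons else "Secure"}
    return report

def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

# Constructed sample key lines: wire-format blobs assembled by hand, not keys from any real host.
ED25519_LINE = "ssh-ed25519 " + b64(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))) + " ops@example"
RSA_LINE = "ssh-rsa " + b64(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 12345))
ECDSA_LINE = "ecdsa-sha2-nistp256 " + b64(ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
                                       + ssh_string(b"\x04" + bytes(64)))
SSH1_LINE = f"1024 35 {(1 << 1023) | 7} legacy@example"

SAMPLE_KEYS = [
    ("web-01", ED25519_LINE, date(2024, 1, 10)),
    ("web-02", ED25519_LINE, date(2024, 2, 3)),   # same key on a second host: a duplicate
    ("db-01", RSA_LINE, date(2023, 5, 1)),        # first seen more than a year ago
    ("app-01", ECDSA_LINE, date(2023, 6, 15)),    # reaches its limit within 30 days
    ("legacy-01", SSH1_LINE, date(2024, 3, 1)),   # SSH1-format key
]

if __name__ == "__main__":
    for host, row in build_report(SAMPLE_KEYS, TODAY).items():
        print(f"{host:10} {row['algorithm']:20} {row['bits']:5} {row['protocol']} "
              f"{row['security_level']:11} {', '.join(row['reasons']) or '-'}")
```

Feeding the script real `authorized_keys` or host key lines gives the same fingerprint strings that `ssh-keygen -lf` prints, so its output can be matched against the Name column of the Keys page; the duplicate check works on the fingerprint rather than the raw line so that the same key with different comments on two hosts is still recognised as one key.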

Delete the key

  1. Go to Discovery > View Results.

  2. On the Certificates page, select View keys.

  3. On the Keys page, find the key you want to delete.

  4. Select Delete in the Action column corresponding to the key.

Deleting a key only removes it from CertCentral Discovery. The key remains active and authorized for use on the server. To stop future scans from detecting the key and adding it back to the discovered data, delete the key from the server itself.

Rotate the key

Rotating a key involves removing one encryption key and replacing it with another. It is considered best practice to rotate keys at regular intervals to prevent them from being compromised.

Key rotation limits the amount of encrypted data under a particular key. As a result, past communications remain secure if a key is breached since those communications occurred under a different key.

For security reasons, we recommend enforcing key rotation limits and rotating any key that has crossed or is close to its rotation limit (1 year) or that has duplicates.