Securing SSH keys with Venafi TPP: Best Practices


This document contains a living list of some best practices to secure SSH keys with the help of Venafi Trust Protection Platform.


More Info:

Section General Recommendation Action in TPP
Cryptographic Properties  Always use industry recommendations for key length and algorithms used. NIST recommends at least 2048 bit key length for RSA/DSA algorithms (note that DSA 2048 keys are not supported in some servers).

Ensure that Key size and Algorithm settings in TPP accord to your company standards and are at least as strong as industry standards.

If weak keys are found (Key Smaller than Required, Noncompliant Algorithm violations), rotate corresponding keysets so that all keys are compliant to standards.

SSH Dashboard and reports can be used to monitor existence of weak keys in inventory.

SSHv1 protocol SSHv1 protocol is vulnerable and should not be used except old devices that do not support newer version of protocol (in such case, plan to replace those devices with newer ones should be established). SSHv1 should be disabled on all devices and all keys used by this protocol removed.

Keep Allow SSH1 setting in TPP to No (default setting). Review all keys marked with Vulnerable Protocol, and remove them or create a replacement keyset with keys supported by SSHv2.

SSH Dashboard and reports can be used to monitor existence of RSA1 keys in inventory.

Orphan Keys Orphan keys are authorized (less frequently, private) keys without corresponding counterpart. Those keys are potential backdoors to SSH systems. 

Review all orphan keys, starting with root orphan keys. 

Remove all keys unless they exist for valid reason - in that case add external key to suppress warning in TPP and add indication of existing private key outside of TPP database.

SSH Dashboard and reports can be used to monitor orphan keys.

Root Access Review your system to see if root SSH access needed for any systems. Minimize amount of systems with root SSH access enabled.

If systems needing root SSH access are encountered, place them in separate policy(ies) with Allow Root Access set to Yes. Disallow root access for all other SSH devices.

SSH Dashboard and reports can be used to monitor existence of authorized root keys.

Rotation  Rotate your keys regularly. The best practice is to rotate all user keys every 90 days.  Turn on automatic rotation for SSH policy (rotate keys every 90 days).
Authorized Key Restictions  Protect authorized keys from non-authorized usage or source. Where possible, add SSH forced command and whitelist of client IP addresses to connect from.

 Ensure that Source Restrictions (preferrable, "Allow" ones) and forced command are set on SSH policy where possible.

Use Edit key options functionality to set source restrictions and forced command on keys that are missing those.

SSH Dashboard and reports can be used to see keys having noncompliant source restrictions or forced command.

Authorized Keys Storage Store your authorized keys centrally, in root-owned directories and files, to prevent users from adding and changing keys. 

Define central location and set additional custom search path in Aperture where %u represents user name, for example "/etc/ssh_keys/%u". Note that top-level directory (/etc/ssh_keys) will not be created by TPP, it needs to be created externally.

Set "Public Key Permissions" policy setting to root-owned. Keys will then be created in files owned by root, thus unmodifiable by users.

TPP Rest API (WebSDK) can be used to automatically migrate keys from user home directories to central location.


Agentless Credential Use sudo credential for scanning devices with Venafi TPP. Add sudo restrictions to the user.

When creating credential for agentless connection, ensure Use Sudo is set to yes.

On remote device, edit /etc/sudoers file to add restrictions for sudo user to only use certain commands. You can see full list of commands used by TPP here.

Key Usage Logging Monitor how SSH keys are being used. For all suspicious activity, investigate whether access is authorized.

 Enable key usage collection in TPP: create Key Usage work object for an agent group.

It is recommended to have agent installed on central syslog machine and have that agent send logs from all SSH servers to TPP.

Information on how to configure central syslog to send key usage information to agent is available here.

SSH Dashboard and reports can be used to see anomalies in key usage.

Software Versions

Keep SSH server and client software up to date.

Entitlements Review

Establish periodic (e.g. quaterly) review of SSH entitlements in your orhanization.

Create Custom Report(s) for SSH keyset data with desired characteristics that runs on periodic basis. 

Configure the report to be send to reviewers for further processing.


Was this article helpful?
1 out of 1 found this helpful