- Public-key authentication in SSH makes use of the user key or certificates to authenticate a connection, with an SSH client having a user key called an "identity key," typically an RSA or DSA private key, with the server requiring the corresponding public key configured as an "authorized key" for a user account. Any user in possession of the identity key is then allowed to log into the server to that user account and perform actions under the privileges configured for the key, NIST points out. The identity key is often stored on a smartcard or in a password-protected file. NIST says many SSH implementations support configuring restrictions for authorized keys to limit what can be done on the server using the key (command restrictions) and from limiting the IP addresses from which the key can be used (source restrictions). NIST says an advantage of public-key authentication is that "it does not create any implicit trust relationships, only expressly-defined trust relationships." Permitted access can be determined by inspecting the destination host, which is important for being able to audit who can access what system and account. Because of the advantages seen with public-key authentication, NIST calls it "the recommended authentication mechanism for automated access with SSH."
The NIST guidance document (NIST 7966 draft) is out for comment until the end of the month, includes a wealth of other security management recommendations related to use of SSH software implementations as well as a "tool selections" guide covering vendors such as Fox Technologies, SSH Communications Security, and Venafi.
Sign up for CIO Asia eNewsletters.