Automating best practices for SSH credential management

SSH is one of the most successful applications that provides strong cryptographic protections today. It is certainly the first and so far only cryptographic application to become so ubiquitous as to replace its insecure predecessor (telnet).

Despite this success, SSH can be tricky to deploy and not through any fault of the design of the application. Configuring SSH access to a machine that you are accessing via SSH is an inherently tricky task: Any error in the configuration may render the machine unavailable.

Another major weakness in the use of SSH is that following best practices for key management such as using a different authentication key on each client device is tedious at best. Most worrying of all is the fact that much of the advice given on 'how to configure SSH' is written from the perspective of how to get SSH to work rather than how to make an SSH configuration secure.

Most people who use SSH reguilarly have developed a set of scripts to perform routine administrative tasks. But while writing a script is a trivial task, debugging and checking for security vulnerabilities is certainly not.

Transferring configuration and administration tasks to the Mesh provides an approach that is considerably more robust than a shell script is likely to provide and is far more likely to attract the third party review necessary to build confidence in its security.

Managing SSH Configuration using the Mesh.

SSH profiles are created using the meshman tool.

meshman ssh create
Created new profile RB4VC-JZLIN-ZK73B-ZPZXA-CNDO4-ZTK7U

Whenever an SSH profile is created, a separate keypair is created for every device connected to the profile. This mitigates the consequences of a device being lost or stolen. The device key for the compromised device can be removed from the profile without affecting any other device. Investigation of possibly unauthorized logins can be focused on those from the compromised device alone.

Limitation: At present, adding an SSH application profile to a personal profile causes an SSH device entry to be created for every device connected to the profile. Implementation of device groups in the meshman tool would allow this limitation to be lifted.

ToDo In SSH, extend meshman to allow devices to be added and removed from the SSH profile independently of the personal.

Since SSH authentication is bidirectional, an SSH profile is used to manage two separate sets of public keys.

Client Authentication keys
Public keypairs used to authenticate a client to a host. These are the keys whose private components are stored in user local storage and whose public components appear in generate the authorized_keys file.
Host Authentication keys
Public keypairs used to authenticate a host to a client. These are keys whose private components are stored in a system wide storage and whose public components appear in the known_hosts file.

The ssh sync command causes the latest version of the user's SSH application profile to be fetched from the portal and used to update the user's authorized_keys and known_hosts files.

meshman ssh sync

The ssh sync command allows the user to connect from any device connected to their personal profile to any other device connected to their personal profile that supports SSH.

While these capabilities are sufficient for many users, they do not meet the needs of a developer or administrator who needs to access machines that they either cannot connect or do not want to connect to their personal profile.

Host Authentication keys

The ssh known command adds hosts from the user's ssh profile to their known_hosts file on the machine.

ssh known

The ssh add command adds host entries from the machine to the user's SSH profile.

meshman ssh add known_hosts

Client Authentication keys

The ssh auth command updates mesh key entries in the authorized_keys file using information from the specified mesh portal.

For example, if the authorized_keys file has an entry for Alice's Mesh profile (, the corresponding profile is fetched and the corresponding SSH device public keys added:

TBS the initial SSH file
meshman ssh auth
TBS the expanded SSH file

The ssh public command writes the SSH public device key for the current device to a file.

meshman ssh public
Public key of RB4VC-JZLIN-ZK73B-ZPZXA-CNDO4-ZTK7U written to

The ssh private command writes the SSH device private key for the current device to a file in various private key file formats. When using this command to script configuration of SSH clients, the private key SHOULD always be encrypted under a suitably secure password. The keygen command may be used to generate a strong temporary password for this purpose.

ssh private rsa.private /pass=RAZYI-2ZDGE-LCNL5-MSUO6-7SJH6-LSZCJ