2

Is it possible to prevent the sharing of SSH private keys over email (Outlook, in particular), both within and outside of the organisation?

Alex Bramford
  • 21
  • 1
  • 2
    Make sure that the private key is physically bound to some hardware and cannot be copied, i.e. use a smart card. Details on how this can be achieved in detail can be easily found by using a search engine. – Steffen Ullrich Oct 27 '17 at 21:41

3 Answers3

5

TL;DR: use smart cards.

To prevent distributing the key to other persons you need to prevent that the user has read access to the key in the first place. The key is used in SSH for authentication. The authentication process involves cryptographic operations (signing) which need to have read access to the key. In order to protect the users key against reading by the user these cryptographic operations need to be separated from the user in a way that the user can solely initiate the operations and can get the result back. This separation can be done for example by using a user process running with different permissions or even a process which runs on a separate hardware.

A special case of separate hardware are smart cards which are essentially tiny computers running a minimal operating system with some protected storage of cryptographic keys. A user can authenticate against these smart cards by a PIN and then use the card for example to sign some data using the keys stored on the smart card. This is sufficient for authentication which essentially means to prove that the user is the one owning the private key to a specific public key.

Smart cards are designed to be tamper resistant and unclonable which means it should be practically impossible to extract the key or to create another smart card with the same key. This is true even when faced with design bugs like the recently detected one with Infinion chips where errors in the operating system on the card led to the generation of weak private keys (keys created outside the card and only stored on the card were not affected). But note that smart cards only protect against cloning and reading and not fully protect against sharing the key: several users might still share the same smart card and PIN, but they would all need to have physical access to this single card which makes sharing harder.

Several SSH implementations have support for authentication with smart cards. Details can be easily be found by using a search engine, e.g. search for openssh smartcard or similar.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
1

Short answer, no, its not possible. The user needs permission to read the key to use it, and if they can read the key they can copy it.

It is possible to restrict access to the key, e.g. if it resides on a unix box, then don't give the user permission to read the key, but allow them to run ssh via sudo. Or use a locked down mswindows jump box with remote app capability to run an ssh client (but make sure the ssh client can't export the keys).

There's little mileage in trying to detect/contain the email once the key is in the control of the user.

symcbean
  • 18,278
  • 39
  • 73
  • *"The user needs permission to read the key to use it, and if they can read the key they can copy it."* - This is not true. The user only needs ways to do specific cryptographic operations with the key. This means that some software needs to have read access to the key but not necessarily the user itself. Specifically in the case of a smart card the key is protected against reading and thus copying by the user even though the user is still able to authenticate with the key. – Steffen Ullrich Oct 28 '17 at 05:56
1

Smart Cards are one way to go. Another way would be to use ephemeral short-lived certificates instead of static keys for authentication. There are numerous open source implementations around using a certificate authority for SSH instead of static keys.

One such system is called Cashier, currently maintained by an SRE from Intercom. Another that handles host and end-user certificates is called Teleport.

Abraham Ingersoll
  • 66
  • 3