SSHwatch Insights Blog

Automating SSH Key Deployments: Infrastructure as Code for Secure Access Management

In today’s rapidly evolving cybersecurity landscape, SSH remains the backbone of secure remote access to Linux servers and infrastructure. With the dramatic rise in targeted attacks against infrastructure access points—increasing 112% year-over-year according to recent security reports—hardening SSH access has never been more critical. Yet surprisingly, even organizations with mature security programs often neglect the operational aspects of SSH key management.

The 2024 Cloud Security Alliance report found that 74% of security breaches involving SSH involved stolen or mismanaged credentials rather than protocol vulnerabilities. The issue isn’t that SSH itself is insecure—it’s that the operational practices surrounding SSH key management frequently fall short. As infrastructure scales, the challenge compounds exponentially.

Consider the recent high-profile compromise at a major cloud provider: attackers gained persistent access through an abandoned SSH key belonging to a developer who had left the company eight months earlier. The key remained active across production systems simply because the manual deprovisioning process failed. This incident, which resulted in exposure of sensitive customer data and approximately $4.2 million in remediation costs, highlights why automated, consistent SSH key management isn’t just a convenience—it’s a security imperative.

In our previous articles, we’ve explored various aspects of SSH security—from hardening configurations and monitoring for suspicious activity to implementing protective measures like Fail2ban and managing SSH keys. However, as your infrastructure grows, manually deploying and managing SSH keys across dozens, hundreds, or even thousands of servers becomes increasingly error-prone and time-consuming.

This article explores how to effectively automate SSH key deployments using Infrastructure as Code (IaC) principles. By treating SSH access as code, you can ensure consistency, improve security, and dramatically reduce the operational overhead of key management. We’ll present practical approaches that work whether you’re managing ten servers or ten thousand, with solutions that scale alongside your infrastructure.

The Problem with Manual SSH Key Management

As organizations grow from managing a handful of servers to dozens or hundreds, SSH access management quickly becomes a critical security and operational challenge. Many system administrators start with simple approaches—manually copying public keys to servers or sharing a single private key among team members—only to find these methods create significant security vulnerabilities and administrative headaches.

Before diving into automation solutions, let’s understand why manual SSH key management breaks down at scale:

  1. Inconsistent Implementations: Different administrators might follow different procedures for key deployment, leading to security gaps.
  2. Poor User Offboarding: When team members leave, their access often remains active due to forgotten keys.
  3. Limited Audit Trail: It’s difficult to track who has access to which systems without proper documentation.
  4. Configuration Drift: Over time, manual changes to authorized_keys files create inconsistencies across your infrastructure.
  5. Time-Intensive Operations: Adding or revoking access across multiple servers becomes a significant operational burden.

Automation Tools for SSH Key Management

Let’s explore several approaches to automate SSH key deployments, starting with the simplest and progressing to more sophisticated solutions.

1. Ansible for SSH Key Management

Ansible provides straightforward automation for SSH key deployment with minimal setup requirements:

# deploy_ssh_keys.yml
- hosts: all
  become: yes
  tasks:
    - name: Set up authorized keys for users
      authorized_key:
        user: "{{ item.user }}"
        state: present
        key: "{{ item.key }}"
      with_items:
        - { user: 'devops', key: "{{ lookup('file', 'keys/devops.pub') }}" }
        - { user: 'admin', key: "{{ lookup('file', 'keys/admin.pub') }}" }
    
    - name: Remove keys for former team members
      authorized_key:
        user: "{{ item.user }}"
        state: absent
        key: "{{ item.key }}"
      with_items:
        - { user: 'admin', key: "{{ lookup('file', 'keys/former_employee.pub') }}" }

This Ansible playbook handles both adding new keys and removing outdated ones across your entire infrastructure with a single command. Let’s break down what’s happening:

  1. hosts: all targets every server in your inventory
  2. become: yes ensures the playbook runs with elevated privileges
  3. The first task adds public keys for active users:
    • The authorized_key module manages the ~/.ssh/authorized_keys file
    • state: present adds the specified keys
    • The lookup('file', ...) function reads key files from your local control machine
  4. The second task removes keys that should no longer have access:
    • state: absent ensures the specified keys are removed
    • This is critical for proper offboarding of former team members

You can run this playbook with a simple command: ansible-playbook -i inventory.yml deploy_ssh_keys.yml, which will synchronize SSH access across all your servers in minutes instead of hours of manual work.

2. Terraform for SSH Key Management

For teams using cloud providers, Terraform offers excellent integration with instance metadata for SSH key management:

# Define SSH keys as resources
resource "aws_key_pair" "ops_team" {
  key_name   = "ops-team-key"
  public_key = file("${path.module}/keys/ops_team.pub")
}

resource "aws_key_pair" "security_team" {
  key_name   = "security-team-key"
  public_key = file("${path.module}/keys/security_team.pub")
}

# Apply keys to EC2 instances by role
resource "aws_instance" "app_servers" {
  count         = 3
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
  key_name      = aws_key_pair.ops_team.key_name
  
  # Other configuration...
}

resource "aws_instance" "database_servers" {
  count         = 2
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.medium"
  key_name      = aws_key_pair.security_team.key_name
  
  # Other configuration...
}

This Terraform configuration demonstrates how to manage SSH keys as infrastructure code for cloud environments. Here’s what the code is doing:

  1. First, we define SSH public keys as AWS resources:
    • Each aws_key_pair resource registers a public key with AWS
    • The file() function loads the public key from your local filesystem
    • These keys become available to use when launching instances
  2. Next, we assign different keys to different server types:
    • Application servers get the operations team’s key
    • Database servers get the security team’s key
    • This creates a logical separation of access by server role

This approach is particularly powerful because your SSH key assignments become part of your infrastructure definition. When you update a key in the code and run terraform apply, AWS will automatically update the metadata associated with new instances.

While this approach works well for initial deployment, you’ll still need additional automation for ongoing key management after instances are running. Typically, this Terraform code would be combined with configuration management tools like Ansible to handle updates to running instances.

3. Using HashiCorp Vault for Dynamic SSH Credentials

For organizations requiring more advanced security controls, HashiCorp Vault offers dynamic SSH credential generation, eliminating the need to distribute and manage static keys:

# Configure Vault SSH secrets engine
resource "vault_ssh_secret_backend_role" "admin_role" {
  name                    = "admin-role"
  allowed_users           = "*"
  key_type                = "ca"
  default_user            = "admin"
  allowed_extensions      = "permit-pty,permit-port-forwarding"
  default_extensions      = { "permit-pty" = "" }
  max_ttl                 = "24h"
}

# Your server configuration must also trust the Vault CA

This Terraform configuration sets up HashiCorp Vault to act as a Certificate Authority (CA) for SSH access. This represents a significant shift in approach—instead of distributing static SSH keys, Vault issues short-lived certificates that automatically expire. Let’s examine how this works:

  1. The vault_ssh_secret_backend_role resource configures a signing role with these parameters:
    • name: The name of the role users will request credentials from
    • allowed_users: The Linux users this role can issue certificates for (here, any user)
    • key_type: Set to “ca” for certificate authority mode
    • default_user: The default Linux user for SSH connections
    • allowed_extensions: SSH certificate extensions that are permitted
    • max_ttl: The maximum lifetime of issued certificates (24 hours)
  2. On your servers, you must configure SSH to trust Vault’s CA: 
    # On each server
vault read -field=public_key ssh/config/ca > /etc/ssh/trusted-user-ca-keys.pem
echo "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem" >> /etc/ssh/sshd_config
systemctl restart sshd
  3. Users obtain temporary certificates with commands like: 
    vault write ssh/creds/admin_role \
  username=admin \
  ip=10.0.23.45

With this setup, administrators request temporary SSH credentials from Vault rather than managing static keys. When their session is complete, the credentials automatically expire without manual revocation. This approach offers several key advantages:

  • No long-lived SSH keys to manage or potentially leak
  • Centralized audit log of all SSH certificate issuance
  • Automatic expiration without requiring additional automation
  • Integration with Vault’s authentication mechanisms (LDAP, OIDC, etc.)
  • Ability to immediately revoke all outstanding certificates in an emergency

Building a Comprehensive SSH Key Automation Pipeline

While the tools described above provide excellent building blocks, a truly robust SSH key management system requires an end-to-end approach that covers the full lifecycle of SSH access. This is where GitOps principles become invaluable—treating your SSH access configuration as code that flows through a defined pipeline with proper checks, balances, and auditability.

The GitOps approach to SSH key management addresses several critical requirements:

  1. Transparency: All changes to SSH access are visible in commit history
  2. Accountability: Every access change is tied to the individual who requested it
  3. Consistency: The same deployment process is followed every time
  4. Recoverability: You can roll back to previous access states if needed
  5. Automation: Routine tasks are handled without manual intervention

For a complete solution, consider implementing a GitOps-based approach with these components:

  1. Git Repository for Key Management: Store all public keys in a version-controlled repository.
  2. CI/CD Pipeline: Automatically validate and deploy key changes when commits are pushed.
  3. Approval Workflow: Require peer review for key changes via pull requests.
  4. Automated Testing: Verify that key changes comply with your security policies.
  5. Automatic Deployment: Push changes to all servers after approval.

Here’s what a GitHub Actions workflow might look like:

# .github/workflows/deploy-ssh-keys.yml
name: Deploy SSH Keys

on:
  push:
    branches: [ main ]
    paths:
      - 'keys/**'
      - 'users.yml'

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      - name: Validate SSH keys
        run: |
          ./scripts/validate_keys.sh
          
  deploy:
    needs: validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      - name: Set up Ansible
        run: |
          pip install ansible
          
      - name: Deploy keys
        run: |
          ansible-playbook -i inventory.yml deploy_ssh_keys.yml
          
      - name: Verify deployment
        run: |
          ./scripts/verify_ssh_access.sh

This GitHub Actions workflow automates the deployment of SSH keys whenever changes are pushed to the repository. Let’s examine how this CI/CD pipeline works:

  1. The workflow triggers automatically when:
    • Changes are pushed to the main branch
    • And those changes affect files in the keys/ directory or the users.yml file
  2. The workflow consists of two sequential jobs:
    • Validate: Checks that all SSH keys meet your security requirements
    • Deploy: Pushes the keys to your servers, but only runs if validation passes
  3. The validation job:
    • Runs on a GitHub-hosted Ubuntu runner
    • Executes a custom validation script that would typically check:
      • Key types (rejecting weak algorithms like DSA)
      • Key lengths (enforcing minimum bit lengths)
      • Key formats (ensuring they’re properly formatted)
      • User permissions (verifying users are authorized for the requested access)
  4. The deployment job:
    • Sets up Ansible on the runner
    • Executes the Ansible playbook we saw earlier to deploy keys
    • Runs a verification script to confirm the deployment worked correctly

This workflow creates a complete “keys as code” pipeline where:

  1. Developers submit key changes via pull requests
  2. Code owners review and approve the changes
  3. Automated checks validate security requirements
  4. Deployment happens automatically after approval
  5. Verification ensures the changes took effect

The most important benefit is that SSH key management becomes a standard part of your development workflow rather than an error-prone manual process.

Implementing SSH Key Rotation

Key rotation is a critical security practice that should be automated. Here’s a simple script to help team members rotate their keys:

#!/bin/bash
# rotate_my_key.sh

# Generate new key pair
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -C "$(whoami)@$(hostname)-$(date -I)"

# Add new key to Git repository
NEW_KEY=$(cat ~/.ssh/id_ed25519_new.pub)
git -C ~/ssh-keys-repo pull
echo "$NEW_KEY" > ~/ssh-keys-repo/keys/$(whoami).pub
git -C ~/ssh-keys-repo add keys/$(whoami).pub
git -C ~/ssh-keys-repo commit -m "Rotate SSH key for $(whoami)"
git -C ~/ssh-keys-repo push

# Wait for deployment
echo "Waiting for key deployment..."
sleep 300

# Test new key
ssh -i ~/.ssh/id_ed25519_new test-server "echo 'Successfully authenticated with new key'"

# If successful, replace old key
if [ $? -eq 0 ]; then
  mv ~/.ssh/id_ed25519_new ~/.ssh/id_ed25519
  mv ~/.ssh/id_ed25519_new.pub ~/.ssh/id_ed25519.pub
  echo "Key rotation complete!"
else
  echo "Key rotation failed, keeping old key active."
fi

This script automates the process of rotating an individual user’s SSH key. Let’s examine how it works:

  1. First, it generates a new Ed25519 key pair (the current recommended standard):
    • The -t ed25519 flag specifies the cryptographically stronger Ed25519 algorithm
    • The key comment includes the username, hostname, and date for easy identification
    • The key is initially saved with a “_new” suffix to avoid overwriting the existing key
  2. Next, it adds the new public key to your central Git repository:
    • Pulls the latest changes to ensure we’re working with current data
    • Writes the new public key to the appropriate file
    • Commits and pushes the change, which triggers your deployment pipeline
  3. The script then waits for deployment to complete:
    • The sleep 300 pauses for 5 minutes while CI/CD processes run
    • This timing should be adjusted based on your actual deployment time
  4. Finally, it tests the new key and completes the rotation:
    • Attempts to SSH to a test server using only the new key
    • If successful, replaces the old key with the new one
    • If unsuccessful, keeps the old key active to prevent lockout

What makes this approach powerful is that it combines individual key rotation with your centralized GitOps workflow. Each team member can run this script periodically (perhaps triggered by a calendar reminder), ensuring regular key rotation without burdening your operations team.

Best Practices for Automated SSH Key Management

Implementing an automated SSH key management system is only the first step. To maximize security benefits, you need to establish and enforce consistent policies that govern how SSH access is managed throughout your organization. The following best practices will help strengthen your overall SSH security posture:

  1. Enforce Key Standards: Automatically reject weak keys (RSA keys less than 3072 bits, DSA keys, etc.).

Many organizations still use outdated SSH key types or insufficient key lengths because they lack enforcement mechanisms. Your automation should include validation that rejects weak keys before they enter your system. For example, a pre-commit hook or CI validation step should verify that all keys use modern algorithms (Ed25519 or RSA with sufficient bits) and reject any that don’t meet your standards. This preventative control ensures your security baseline doesn’t deteriorate over time as new keys are added.

  1. Implement Least Privilege: Associate different keys with specific access levels rather than giving all keys root access.

SSH access should follow the principle of least privilege, where users receive only the permissions necessary to perform their job functions. In practice, this means creating role-based access groups (e.g., developers, database administrators, security analysts) and assigning appropriate permissions to each. Your automation should enforce these roles, making it impossible to grant excessive privileges without going through proper approval channels. This significantly reduces your attack surface and limits the damage if a key is compromised.

  1. Set Expiration Dates: Include metadata about key expiration to enforce regular rotation.

Unlike passwords, SSH keys often remain unchanged for years—sometimes for the entire tenure of an employee. This creates significant security risk. Your automated system should enforce key expiration by tagging keys with metadata about when they were created and when they must be rotated. As keys approach expiration, automated notifications can alert users to generate new keys. You can implement this as a simple JSON or YAML file in your repository that tracks key metadata, or use more sophisticated solutions like Vault’s built-in TTL mechanism.

  1. Monitor Key Usage: Log and alert on unusual patterns of SSH key usage.

Automated key management should include comprehensive monitoring to detect suspicious activity. Monitoring systems should track when, where, and how SSH keys are used across your infrastructure. Unusual patterns—such as a key being used from an unexpected geographic location, outside normal working hours, or to access servers that aren’t typically part of a user’s workflow—should trigger alerts for investigation. This provides an additional security layer that can help identify compromised keys even with proper access controls in place.

  1. Regular Auditing: Schedule automatic audits of active keys against your employee directory.

Regular auditing ensures that SSH access remains synchronized with your organization’s personnel changes. Automated audit processes should compare the list of active SSH keys against your authoritative employee directory (like LDAP, Active Directory, or your HR system) to identify discrepancies. Keys belonging to former employees or contractors should be automatically flagged for removal. This process should run at least monthly, with results sent to security and IT teams for review and action.

  1. Emergency Revocation: Create a fast-path process to revoke access across all systems in security incidents.

Despite the best preventative controls, security incidents may still occur, requiring immediate revocation of SSH access. Your automation should include an emergency “break glass” procedure that can quickly remove a compromised key from all systems. This process should be fully automated, requiring minimal human intervention to execute, and should complete within minutes rather than hours. Regular testing of this emergency revocation procedure ensures it will work when needed during high-pressure incident response situations.

Real-World Example: Google’s BLESS (Bastion’s Lambda to Extend SSH Security)

Learning from how large technology companies solve SSH management challenges can provide valuable insights for your own implementation. Google’s BLESS (Bastion’s Lambda to Extend SSH Security) architecture represents one of the most sophisticated approaches to SSH access management at scale, handling hundreds of thousands of SSH connections daily while maintaining robust security controls.

For inspiration, consider Google’s BLESS architecture, which implements ephemeral SSH certificates:

  1. Engineers request temporary SSH certificates from a central service.
  2. The service validates their identity using corporate authentication.
  3. Short-lived certificates (valid for hours, not months) are issued.
  4. All SSH access is routed through bastion hosts that enforce additional security policies.
  5. Every access attempt is logged centrally for security monitoring.

The BLESS architecture fundamentally transforms traditional SSH access by eliminating static authorized_keys files entirely. Instead, it relies on Just-In-Time (JIT) access provisioning through short-lived certificates. When an engineer needs server access, they authenticate to the central BLESS service using their corporate identity. The service verifies not only their identity but also their authorization for the specific resources they’re requesting access to.

Upon successful validation, BLESS issues an SSH certificate with an extremely short lifespan—typically between 2-12 hours—signed by a Certificate Authority (CA) that all production servers trust. This certificate grants specific, limited permissions appropriate to the engineer’s role. All connections are forced through hardened bastion hosts that provide additional security controls, including connection proxying, session recording, and real-time security analysis.

What makes this approach particularly powerful is that it combines strong security with excellent usability. Engineers don’t need to manage keys or remember to rotate them, as certificates are generated on-demand and automatically expire. Security teams gain comprehensive visibility into all SSH activity, with centralized logs showing who accessed what, when, and from where. And because certificates are short-lived, compromised credentials have a limited window of vulnerability before becoming useless to attackers.

While implementing the full BLESS architecture requires significant investment, many of its principles can be adapted for smaller environments using tools like HashiCorp Vault’s SSH certificate functionality combined with proper network architecture and monitoring capabilities.

Real-World Implementation Considerations

When implementing automated SSH key management, you’ll need to address several practical considerations:

Handling Emergency Access

Even the best automation requires a break-glass procedure for emergencies. Consider implementing:

  1. A small number of emergency administrator keys stored securely offline
  2. A documented procedure for emergency access that bypasses normal automation
  3. Automatic alerts when emergency access is used
  4. Post-incident review requirements after emergency access

Integration with Identity Providers

For larger organizations, tying SSH access to your central identity provider (like Okta, Azure AD, or Google Workspace) creates a single source of truth for access control:

  1. When employees join, their SSH access is automatically provisioned
  2. When they change teams, their access is adjusted accordingly
  3. When they leave, their access is immediately revoked across all systems
  4. Multi-factor authentication can be enforced for SSH access

Phased Implementation

If you’re transitioning from a manual process, consider this phased approach:

  1. Start with inventory: Document current SSH access across all systems
  2. Implement read-only automation: Create automation that tracks keys but doesn’t modify them yet
  3. Add new servers with automation: Apply your new system to new servers only
  4. Gradually convert existing servers: Migrate one team or server group at a time
  5. Decommission manual processes: Once everything is automated, remove manual access

Conclusion

Automating SSH key deployment transforms what was once a tedious, error-prone process into a consistent, auditable security control. By treating SSH access as code, you gain all the benefits of modern development practices: version control, peer review, automated testing, and consistent deployment.

Remember that automation is not just about efficiency—it’s about security. The more you can eliminate manual intervention in security-critical processes, the less opportunity there is for human error to create vulnerabilities. As your organization grows, the investment in SSH automation will pay increasing dividends, reducing both security risks and operational overhead.

In our next article, we’ll explore advanced SSH security patterns for containerized environments, where traditional SSH access models face new challenges. Until then, start treating your SSH access as code, not as an afterthought.

Secure Your Infrastructure Today!

Sign up now to gain comprehensive insights into your SSH access logs. Start monitoring, alerting, and analyzing your entire infrastructure effortlessly.
Get started for free

Book a demo

Fill in the form below to book a demo without obligation.
Request a demo