SSH keys offer a means for site administrators to allow multiple individuals to share one user and all associated permissions while remaining PCI-compliant.
If you require SSH access for multiple users, the use of SSH keys instead of individual logins can bypass many of the headaches involved in user management. When using SSH keys, the administrator sets permissions for one user account, creates multiple key pairs for one user account, and assigns a unique key pair to each individual. Because this method uses unique key pairs instead of traditional login credentials, this maintains PCI DSS compliance despite the shared user account.
The use of multiple SSH keys to grant secure server access to multiple individuals affords three advantages over assigning separate user accounts with traditional login credentials.
Grants access to multiple parties without sharing passwords
Simplifies permission management; all parties log in as the same user and thereby share permissions
Allow for easy access revocation as needed
For example, if you employ a developer and a webmaster, and both individuals require SSH access, you can create one user, set appropriate permissions, and then distribute a unique SSH key pair to each individual. Most importantly, these individuals never share passwords and therefore comply to PCI DSS.
How they work
SSH keys avoid traditional login credentials in favor of a key pair consisting of a private and a public key. Both keys are required for server access. The private key is unique to each user and is stored on that user’s device, where it will never be revealed to the server or to another user. Furthermore, SSH keys are significantly more complex than traditional passwords, making them much more resistant to brute-force attacks.
Using SSH keys, when an individual no longer requires access, you can delete the public key from the server and leave the user intact. This prevents issues that arise when attempting to access files belonging to a user that no longer exists.
ATTENTION: Audit your SSH keys list regularly and delete any not currently in use. Unmanaged keys represent a significant security risk.
Servers store public keys in the /home/<username>/.ssh/authorized_keys directory, but <username> with your username. Removing the key only requires the deletion of this line from the directory.