How to create and manage short-lived SSH public keys

Author: Ganesh Velrajan

Last Updated: Wed, Jul 30, 2025

In this article, we’ll discuss how to create and manage short-lived SSH keys to overcome the security problems and practical administrative challenges associated with SSH key revocation and rotation in Linux servers.

Typically, SSH certificate based authentication and short-lived SSH user certificates are used as a solution to overcome the security problems and administrative challenges associated with SSH key based authentication.

But, in this article, we will discuss an alternate approach to address the above problems.

Yes, you heard it right.

We will not use SSH certificate based authentication and short-lived SSH certificates to address the problems. Instead, we’ll use short-lived SSH keys to overcome the above problems.

Finally, we will also discuss how BastionXP SSH Key Management Software could be used to manage creation, distribution, rotation and revocation of short-lived SSH keys.

What is SSH Key Management

SSH key management refers to the comprehensive process of generating, storing, distributing, monitoring, rotating, and revoking SSH (Secure Shell) keys throughout their lifecycle within an organization. It’s a critical aspect of cybersecurity, especially for environments that rely heavily on remote access and automated processes, such as cloud infrastructure and DevOps pipelines.

Key Aspects of SSH Key Lifecycle Management:

Generation:

  • Creating strong, unique key pairs (e.g., using ssh-keygen with strong algorithms and key lengths).
  • Using passphrases to protect private keys.

Storage:

  • Securely storing private keys on client machines, preferably with encryption.

  • Centralized repositories for public keys on servers.

  • Avoiding storing keys in plain text or easily accessible locations.

Distribution/Provisioning:

  • Copying public keys to the ~/.ssh/authorized_keys file on remote servers.

  • Automating the provisioning of keys to authorized users and systems.

Access Control:

  • Implementing the principle of least privilege, ensuring users only have access to what they need.

  • Tying keys back to individual users for accountability.

  • Integrating with identity and access management (IAM) systems.

  • Potentially using SSH certificates for more centralized control and temporary access.

Monitoring and Auditing:

  • Tracking all SSH key usage and access attempts.

  • Auditing SSH server logs (in syslog) to detect suspicious activity or unauthorized access.

  • Setting up alerts for anomalies.

Rotation:

  • Periodically generating new SSH key pairs and replacing old ones. This minimizes the window of opportunity for a compromised key to be exploited.

  • Automating key rotation, especially in large environments.

Revocation/Removal:

  • Promptly revoking or deleting keys when they are no longer needed (e.g., when an employee leaves, or a key is suspected of being compromised).

  • Identifying and removing inactive or orphaned keys.

Security Risks Associated with SSH Public Key Based Authentication

Here are some security issues associated with using SSH public private key based authentication for SSH login:

  1. A copy of an SSH key pair left undeleted in emails, local folders or shared online storage after it was copied to the host or the user’s machine.

  2. SSH keys don’t have an expiry date or validity period stamped in them, so they can be used perpetually. The technology doesn’t force admins or users to rotate the keys periodically, so there is no real urge to renew SSH keys. Secondly, rekeying and distributing the keys to servers and user machines at scale requires significant planning and execution. This builds up inertia against rotating the SSH keys periodically.

  3. Some users use the same SSH key pair to login to multiple host machines, potentially increasing the attack surface for any unwanted user who gains access to such an SSH key.

  4. SSH key rotation is not performed regularly, because it is a laborious process. Most IT admin teams are run with limited human resources and they are already overloaded. Manually rotating server and user SSH keys is a M x N problem, where M is the number of servers and N is the number of users in an organization who have SSH access to these servers using SSH public keys. Rotating SSH keys more frequently and manually is an almost impossible task.

  5. When users leave the organization, SSH keys assigned to them are usually not deleted from the “authorized_keys” file on all the host machines.

Solution:

The solution to all the above security problems is to either use:

  1. short-lived SSH certificates with SSH certificate based authentication, or
  2. short-lived SSH keys with SSH public key based authentication.

In this article, we’ll discuss in detail the solution #2: creating and managing short-lived SSH keys with SSH public key based authentication.

How short-lived SSH Key based authentication works:

As we discussed above, most of the security risks associated with SSH key based authentication are:

  • SSH user keys don’t have an expiry date; they live perpetually,
  • Users use the same SSH key pair for login to multiple servers,
  • SSH keys are not revoked or rotated frequently

Our solution to address the above problems is to use short-lived SSH keys, meaning: create a new SSH key pair every time a user logs in to a server, and delete the key pair from the server and the client machine immediately after the user has logged in. This forces the user to create and use a new key pair before they can log in to the server the next time.

Though the solution looks simple in theory, in practice users cannot be trusted to create and use a new SSH key pair every time they log in to a server. So, a software tool that automates this task is needed.

That’s where BastionXP SSH Key Management Solution comes in.

What is BastionXP SSH Key Management Solution?

BastionXP SSH Key Management Solution comes with a server and a client software.

The BastionXP server software is the SSH key manager that creates and distributes keys to hosts (servers) and users. The BastionXP server software runs on a dedicated, centralized server. It has a web based dashboard for admins and users to log in and manage it.

The BastionXP client software runs on the host machines. The client receives the SSH public key distributed by the SSH key manager and stores it in the ~/.ssh/authorized_keys file in the login user’s home directory, along with a timestamp that tells when the key will expire.

The BastionXP client running on the host machines continuously monitors the SSH keys written into the authorized_keys file for each user, and periodically deletes those keys that have expired.

Usually, these short-lived SSH keys have a very short lifespan, say two minutes. A user must log in to the server within this two-minute window; otherwise the key pair can no longer be used to log in, and a new SSH key pair must be generated and downloaded to the server from the SSH key manager.
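The expiry-stamped entry and the pruning loop described above, as an added example written for this article (not BastionXP’s own client code): it uses OpenSSH’s own `expiry-time` authorized_keys option (sshd 7.7 and later) as the timestamp, so sshd refuses an expired key even if the pruner has not run yet. The key blob and the clock are constructed placeholders.

```python
import os
import re
from datetime import datetime, timedelta

# OpenSSH 7.7+ sshd honours expiry-time="YYYYMMDD[HHMM[SS]]" as an authorized_keys
# option and refuses the key after that moment (server's local time zone).
EXPIRY_RE = re.compile(r'expiry-time="(\d{8}|\d{12}|\d{14})"')
FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}

def expiring_entry(pubkey, ttl, now):
    """authorized_keys line for pubkey that sshd stops accepting at now + ttl."""
    stamp = (now + ttl).strftime("%Y%m%d%H%M%S")
    return f'expiry-time="{stamp}" {pubkey.strip()}'

def is_expired(line, now):
    """True only for entries whose expiry-time option lies in the past.
    Entries without the option (long-lived keys, comments) are never expired."""
    m = EXPIRY_RE.search(line)
    if m is None:
        return False
    stamp = m.group(1)
    return datetime.strptime(stamp, FORMATS[len(stamp)]) <= now

def prune_expired(lines, now):
    """Entries that should remain in authorized_keys at time now."""
    return [ln for ln in lines if not is_expired(ln, now)]

def prune_file(path, now=None):
    """Rewrite authorized_keys without expired entries. Writes a temp file and
    renames it so sshd never reads a half-written file; returns entries removed."""
    now = now or datetime.now()
    with open(path) as f:
        lines = f.read().splitlines()
    kept = prune_expired(lines, now)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("".join(ln + "\n" for ln in kept))
    os.chmod(tmp, 0o600)  # StrictModes rejects group/world-writable files
    os.replace(tmp, path)
    return len(lines) - len(kept)

def demo():
    """Constructed sample: placeholder key blob, fixed clock, two-minute TTL."""
    now = datetime(2025, 7, 30, 12, 0, 0)
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB user@example"
    entry = expiring_entry(key, timedelta(minutes=2), now)
    later = now + timedelta(minutes=3)  # the two-minute window has passed
    return entry, prune_expired([entry, key], later), later
```

A real pruner would run `prune_file` on each user’s authorized_keys on a timer, as the article says the host-side client does; `demo()` shows the short-lived entry being dropped while the long-lived key is left alone.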

Users need to authenticate with the SSH key manager, using OIDC SSO based authentication, before SSH keys can be downloaded to the host machines. BastionXP supports many OIDC SSO providers such as Google G-Suite, Microsoft 365, Okta, Keycloak, GitHub and more. BastionXP also supports Role Based Access Control (RBAC) to manage user access to servers.

With a single click, users can push a new SSH key pair to any host or server they are permitted to access under the RBAC rules. Users can also log in to the server over SSH, using the key, from the BastionXP web portal’s SSH web client. The SSH public key downloaded to the server is deleted automatically by the BastionXP client within the next two minutes. However, any SSH session that was successfully authenticated and started with the key stays alive until the logged-in user closes the SSH session window or exits from the session.

The user needs to repeat this process for each new SSH login session.

Conclusion

SSH key based authentication has potential security drawbacks due to practical challenges in SSH key lifecycle management.

Short-lived SSH keys eliminate the need for key revocation and rotation in the SSH key lifecycle management process.

BastionXP SSH Key Manager automates the creation and distribution of short-lived SSH keys at scale. The BastionXP client software ensures that SSH keys are deleted from the servers aggressively and frequently.

Try BastionXP SSH Key Management Software in the cloud for free for 30-days without any commitments. No credit card required.
