
OpenSSH SSH certificate auth flaw: what it means for NHI controls


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: Cyera Research says a crafted SSH certificate can bypass principal restrictions in affected OpenSSH configurations and grant unintended access, including root, with a single connection, after a flaw present for more than 15 years. That turns SSH certificate paths into NHI governance risk, not just a patching issue.

NHIMG editorial — based on content published by Cyera: A 15-Year Gap in SSH Security and What to Do About It

By the numbers:

Questions worth separating out

Q: How should security teams govern SSH certificates in Linux environments?

A: Security teams should treat SSH certificates as privileged non-human identities and govern them with the same discipline used for service accounts and other machine access.

Q: Why do SSH certificates create blast radius risk for NHI governance?

A: SSH certificates can be reused across many servers, so one weak trust path can expose an entire fleet.

Q: What breaks when principal validation is weak in SSH certificate flows?

A: Weak principal validation can turn a restricted certificate into an unintended login path, including privileged access.

Practitioner guidance

  • Audit SSH certificate trust paths: Identify every server using cert-authority entries in authorized_keys and compare them with systems using TrustedUserCAKeys in sshd_config.
  • Validate principal handling at the CA: Review certificate issuance policy so attacker-influenced principal content is rejected before issuance.
  • Map blast radius from SSH-authenticated identities: Document which databases, API tokens, cloud credentials, and secrets are reachable from each SSH certificate-authenticated path.

The governance gap is not the patch itself, but the incomplete view of where machine identities live and what they can reach.

👉 Read Cyera’s technical deep-dive on the OpenSSH certificate flaw →




   
Quote
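One way to start the trust-path audit from the practitioner guidance above, as an added example (not code from Cyera, NHIMG or OpenSSH): it finds `cert-authority` entries in authorized_keys text and `TrustedUserCAKeys` settings in sshd_config text, without being fooled by quoted option values or commented-out lines. The function names, sample keys and file paths are constructed for illustration.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types

def split_options(line):
    """Options field of an authorized_keys line, split on unquoted commas."""
    if line.startswith(KEY_TYPES):
        return []  # line starts with a key type, so it carries no options
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted  # an unescaped quote opens or closes a value
        if not quoted and ch in " \t":
            break  # unquoted whitespace ends the options field
        if not quoted and ch == ",":
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    return opts + [cur]

def cert_authority_entries(text):
    """(line number, principals string or None) for each cert-authority entry.
    Comment lines never match because their first token starts with '#'."""
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        opts = {o.split("=", 1)[0].lower(): o for o in split_options(raw.strip())}
        if "cert-authority" in opts:
            p = opts.get("principals")
            found.append((n, p.split("=", 1)[1].strip('"') if p else None))
    return found

def trusted_user_ca_keys(text):
    """Files named by TrustedUserCAKeys in sshd_config text ('none' = unset)."""
    paths = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)  # keyword, then the rest of the line
        if len(parts) == 2 and parts[0].lower() == "trustedusercakeys":
            value = parts[1].strip().strip('"')
            if value.lower() != "none":
                paths.append(value)
    return paths

# Constructed sample input (not taken from any real host).
SAMPLE_AUTHORIZED_KEYS = '''# deploy account
cert-authority,principals="deploy,backup" ssh-ed25519 AAAAC3constructedCA ca@example
command="echo cert-authority" ssh-ed25519 AAAAC3constructedKEY user@example
Cert-Authority ssh-ed25519 AAAAC3constructedCA2 ca2@example
'''
SAMPLE_SSHD_CONFIG = "#TrustedUserCAKeys /etc/ssh/old_ca.pub\ntrustedusercakeys /etc/ssh/user_ca.pub\n"

if __name__ == "__main__":
    print(cert_authority_entries(SAMPLE_AUTHORIZED_KEYS), trusted_user_ca_keys(SAMPLE_SSHD_CONFIG))
```

An entry reported with `None` for principals is a CA trusted without a `principals=` restriction in that file. Feeding `trusted_user_ca_keys` the output of `sshd -T` instead of the raw file picks up settings pulled in through Include directives.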
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207
 

SSH certificates are non-human identities, and their governance failures now look like identity failures rather than infrastructure bugs. The article shows that a certificate trust path can turn into unintended root access when principal parsing is inconsistent. That is a governance problem because the identity claim, the issuance policy, and the trust anchor all have to align. Practitioners should model SSH certificates as privileged machine identities with explicit lifecycle control.

A few things that frame the scale:

  • 57% of organisations lack a complete inventory of their machine identities, according to The Critical Gaps in Machine Identity Management report.
  • 66% report that managing machine identities requires significantly more manual intervention compared to human identity management.

A question worth separating out:

Q: What should teams do first after an OpenSSH certificate flaw is disclosed?

A: First, identify every affected server and isolate the trust paths that use the vulnerable configuration. Then rotate or revoke any certificate authority material that could have issued risky principals, and check which high-value systems were reachable through those paths. Containment should focus on trust scope before broader hardening work begins.

👉 Read our full editorial: OpenSSH certificate auth flaws expose NHI blast radius in Linux fleets



   