Keep private keys on the operator endpoint, limit forwarding to approved workflows, and pair it with strong bastion restrictions and detailed session logging. The goal is not simply to move the key, but to prevent uncontrolled reuse of the delegated access path across internal systems.
Why This Matters for Security Teams
ssh key are still one of the fastest ways to reach high-value systems, which is exactly why they become dangerous when copied, forwarded, or reused beyond their intended session. The practical risk is not only theft, but uncontrolled delegation: once a private key leaves the operator endpoint, it can be replayed across jump hosts, scripts, and privileged workflows. NHI Management Group’s Ultimate Guide to NHIs shows how often long-lived credentials and weak visibility turn routine administration into persistent exposure.
This is also why key exposure cannot be solved by access approval alone. Security teams need to preserve admin usability while shrinking the blast radius of any one key, especially in environments where bastions, CI/CD runners, or platform automation all need privileged reach. The OWASP Non-Human Identity Top 10 treats long-lived secret misuse as a core control failure, not a niche hygiene issue. In practice, many security teams discover SSH key sprawl only after lateral movement or audit gaps have already exposed the reuse path.
How It Works in Practice
The safest pattern is to keep the private key on the operator endpoint and let it authenticate only through tightly approved workflows. That means the key is not copied into shared jump boxes, not embedded in automation unless absolutely necessary, and not forwarded into uncontrolled shells. Instead, the workflow should be constrained by bastion policy, host allowlists, and session-level logging so administrators retain reach without gaining unconstrained reusability.
For most organisations, the operational model looks like this:
- Use short-lived access paths where possible, rather than static SSH keys that remain valid for months.
- Restrict SSH agent forwarding to specific, documented workflows with clear approval boundaries.
- Require a bastion or session gateway that records command activity and session metadata.
- Limit which endpoints may initiate privileged sessions, especially for production and regulated systems.
- Rotate or retire keys when a device, user, or workflow changes, not only on an annual calendar.
This approach aligns with the broader NHI guidance in the Ultimate Guide to NHIs — Key Challenges and Risks, where credential persistence and weak offboarding are recurring failure modes. It also fits the Guide to the Secret Sprawl Challenge, because SSH keys often behave like any other secret: the moment they are duplicated into configs, automation, or chat-based handoffs, control quality drops sharply. Current guidance suggests pairing this model with continuous identity and session review, not treating bastion access as a one-time trust decision. These controls tend to break down when administrators need ad hoc break-glass access across fragmented Linux estates because policy exceptions accumulate faster than reviews.
Common Variations and Edge Cases
Tighter SSH controls often increase operational overhead, so organisations have to balance administrator speed against containment. That tradeoff becomes sharper in legacy estates, vendor-managed systems, and air-gapped environments where modern brokers or ephemeral certificates may not be available.
There is no universal standard for this yet, but best practice is evolving toward reducing dependence on reusable keys wherever possible. In high-trust operations, some teams retain keys for compatibility while layering bastion enforcement, hardware-backed endpoint protection, and mandatory session recording. Others move toward short-lived certificates or brokered access to reduce the chance that a copied key remains useful. The key point is that “more access” should not mean “more reusable access.”
NHIMG’s research on the 52 NHI Breaches Analysis and the reported prevalence of secret leakage in the Ultimate Guide to NHIs both reinforce a simple point: exposure usually grows through convenience paths, not through deliberate policy failure. Where agentic automation or scripted admin tools reuse forwarded credentials across multiple systems, the risk becomes harder to contain because the same access path can be chained far beyond the original session.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | SSH key reuse and exposure are core non-human identity secret risks. |
| NIST CSF 2.0 | PR.AC-1 | Access control should limit who can initiate and reuse privileged SSH sessions. |
| NIST Zero Trust (SP 800-207) | Bastion-based SSH restrictions align with zero trust session containment. |
Minimise reusable SSH keys and enforce rotation, storage, and revocation controls.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
