This topic describes how to manage users' public SSH keys for Vault authentication.
Users can connect to target systems through PSM for SSH by authenticating to the Vault with a private SSH key. A corresponding public SSH key must be assigned to the Vault user to allow authentication.
Users can be assigned one or more public SSH keys.If one of these keys matches the private SSH key provided by the user during authentication, the connection through PSM for SSH will be approved and the user will be able to access their target system.
The Vault administrator can manage the users’ public SSH key in the Vault. Managing public SSH keys for external LDAP users is also available through the LDAP directory, which requires additional configuration.
To manage users public SSH keys in the Vault, using dedicated web services, refer to Public SSH authentication.
Configure management of LDAP user’s public SSH keys
By default, LDAP users’ public SSH keys are managed in the Vault. The following procedure describes how to define that management of the public SSH keys is in the LDAP directory.
To manage users’ public SSH keys in the LDAP directory for LDAP users only, use your LDAP management tools. To enable management of public SSH keys through LDAP, first perform the following procedures:
In PVWA, click ADMINISTRATION, and in the System Configuration page, click Options. The Web Access Options page appears.
Navigate to Privileged Session Management > General Settings > Server Settings.
In the Server Settings branch, select SSH Proxy Settings. The SSH Proxy Settings properties are displayed.
In LDAPUserSSHKeysManagement, select LDAP. The value LDAP indicates that LDAP users’ public SSH keys will be managed in LDAP directly, and not in the Vault.
The default value for LDAPUserSSHKeysManagement is Vault. The value Vault indicates that LDAP users’ public SSH keys are managed in the Vault using dedicated web services as with regular Vault users.
Click Apply to save and stay in the same page, or
Click OK to save and return to the System Configuration page.
If your LDAP users’ public SSH keys are managed in a different attribute in your LDAP directory, you can configure the name of the attribute to match the name of the attribute used in your LDAP directory. To do this, use the procedure Customize how public SSH keys are defined in the LDAP directory.
When LDAP users’ public SSH keys are managed in the LDAP directory, PSM for SSH assumes by default that each key is managed in the attribute sshPublicKey which is in the users’ details entry in the LDAP directory. If keys are managed in a different attribute in your LDAP directory, you can configure the name of the attribute. Use the following procedure to configure the name of the attribute to match the name of the attribute used in your LDAP directory.
In PVWA, click ADMINISTRATION. The System Configuration page opens.
Navigate to LDAP Integration > LDAP > Profiles, and select the profile for which you need to change the attribute.
In the Properties area, scroll down to UserSSHPublicKey, and click the value sshPublicKey value, and change it to match the name of the attribute used in your LDAP directory.