Manage SSH Keys
This topic describes how to manage SSH Keys.
Technical specifications
The following table lists the technical specifications that are relevant to SSH Key management:
Technical specification | Supported values
---|---
SSH server on target machine | OpenSSH
Private key format | OpenSSH (PEM), Putty, Tectia
Key length | 1024, 2048, 4096 or 8192 bits. Note: When generating an 8192-bit key, raise the platform's KeyGenerationTimeout to 15 minutes (900 seconds), because generating a key of this size can take that long.
Key encryption (key algorithm) | RSA, DSA. Note: OpenSSH has disabled DSA (ssh-dss) user keys by default since version 7.0, and 1024-bit RSA is below current guidance, so on modern targets use RSA of at least 2048 bits.
Public key file | The path of the public key on the target machine. The default value is ~/.ssh/authorized_keys. Note: If this path does not exist, the SSH Key Manager creates it automatically with the following permissions:
Rotate SSH keys
The SSH Key Manager generates a new random SSH Key pair and updates the public SSH Key on the target machines. The new private SSH Key is then stored in the Digital Vault, where it benefits from all the accessibility and security features of the Digital Vault. The SSH Key Manager updates SSH Key content with no human intervention, according to the organizational Policy.
You can configure the SSH Key Manager to rotate SSH keys according to any of the following criteria:
Criteria | Description
---|---
Provisioning | After the SSH keys have been provisioned in the Vault.
Single use | After a single use.
Expiration period | After a predefined period of time.
Specific days | On specific days of the week.
Manually | SSH key change processes can also be initiated manually.
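The target-side half of a rotation, and of the reconcile described later on this page, comes down to rewriting authorized_keys safely. The following is an added example in Python, not CyberArk's code: it swaps the old public key for the new one while keeping the entry's options and every unrelated key, drops stale duplicates of the old key, installs the key if it is missing (the case PopulateKeyIfNotExist covers), and writes the file atomically with the modes OpenSSH's StrictModes requires. The key blobs, hostnames and file content are constructed; the 0700/0600 modes are OpenSSH's requirement, not a value taken from the product.

```python
"""Rotate the public half of a vaulted SSH key in a target's authorized_keys.

Added example (not CyberArk code). Key material below is a constructed
placeholder, not real keys.
"""
import os
import stat
import tempfile

# Constructed placeholder key material (not real keys).
OLD_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQColdoldoldoldoldoldoldoldoldoldoldold"
NEW_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAACAQCnewnewnewnewnewnewnewnewnewnewnewnew"
ADMIN_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIadminadminadminadminadminadminadminadmin"
OLD_PUBKEY = f"ssh-rsa {OLD_BLOB} cpm-rotated-2023-01"
NEW_PUBKEY = f"ssh-rsa {NEW_BLOB} cpm-rotated-2023-02"

# Constructed authorized_keys as found on a target before rotation: the managed
# key carries options, a human admin key must survive, and a stale duplicate
# of the managed key must not.
TARGET_AUTHORIZED_KEYS = (
    "# managed by SSH Key Manager\n"
    f'from="10.20.0.0/16",no-pty ssh-rsa {OLD_BLOB} cpm-rotated-2023-01\n'
    f"ssh-ed25519 {ADMIN_BLOB} admin@bastion\n"
    f"ssh-rsa {OLD_BLOB} stale-duplicate\n"
)


def rotate_authorized_keys(text, old_pubkey, new_pubkey):
    """Return authorized_keys content with old_pubkey replaced by new_pubkey.

    Matching is on the base64 key blob, so the entry's options prefix and
    comment are preserved. Further lines carrying the old blob are removed
    rather than converted, so the new key is installed exactly once. If the
    old key is absent, the new key is appended (what PopulateKeyIfNotExist
    does during a reconcile).
    """
    old_blob = old_pubkey.split()[1]
    new_type, new_blob = new_pubkey.split()[:2]
    out, replaced = [], False
    for line in text.splitlines():
        tokens = line.split()
        if old_blob in tokens:
            i = tokens.index(old_blob)
            if replaced or i == 0:
                continue  # stale duplicate of the old key, or malformed line: drop it
            tokens[i - 1:i + 1] = [new_type, new_blob]  # swap "<type> <blob>" in place
            line = " ".join(tokens)
            replaced = True
        out.append(line)
    if not replaced:
        out.append(f"{new_type} {new_blob}")
    return "\n".join(out) + "\n"


def write_authorized_keys(path, text):
    """Atomically replace authorized_keys, creating the directory if needed.

    sshd with StrictModes (the default) refuses the file when it or its
    directory is group- or world-writable, so force 0700 on the directory
    and 0600 on the file instead of trusting the umask.
    """
    directory = os.path.dirname(path)
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs honours the umask; set the mode explicitly
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo():
    """Rotate the constructed target in a scratch directory; return (content, dir mode, file mode)."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".ssh", "authorized_keys")
        write_authorized_keys(path, rotate_authorized_keys(TARGET_AUTHORIZED_KEYS, OLD_PUBKEY, NEW_PUBKEY))
        with open(path) as handle:
            content = handle.read()
        dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
    return content, dir_mode, file_mode


if __name__ == "__main__":
    print(demo()[0])
```

Running the module prints the rotated file: the managed entry keeps its `from=`/`no-pty` options with the new blob, the admin key is untouched, and the stale duplicate is gone. The atomic write matters in practice because a crash between "remove old key" and "add new key" would lock the vaulted account out of the target until a reconcile runs.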
Verify that keys are synchronized
The SSH Key Manager can verify whether or not a private SSH key stored in the Digital Vault is synchronized with the corresponding public SSH key on remote machines. If the keys are not synchronized, the private key in the Vault can no longer authenticate to the target. Therefore, whenever this happens, the SSH Key Manager can automatically reconcile the SSH Key pair and resynchronize the private SSH Key stored in the Vault with all public SSH Keys on the target servers. For details, see Reconcile SSH keys. In addition, you can configure the SSH Key Manager to send a notification to predefined users whenever an unsynchronized SSH Key is detected, so that they can identify the unsynchronized SSH keys and regain control over the target machine.
You can configure the SSH Key Manager to verify SSH key content according to any of the following criteria:
Criteria | Description |
---|---|
Expiration period | After a predefined period of time. |
Specific days | On specific days of the week. |
Specific timeframe | During a predefined timeframe. |
Manually | SSH key verification processes can be initiated manually. |
Reconcile SSH keys
The private SSH Keys stored in the Vault must be synchronized with the corresponding public SSH Keys on remote devices to ensure that they remain usable. Therefore, the CPM runs a verification process to check that the private and public SSH Key pairs are synchronized. If the verification process discovers pairs of SSH Keys that are not synchronized, it can reset the SSH Key pairs and reconcile them. This ensures that the private and public SSH Keys are resynchronized automatically, without any manual intervention.
The CPM uses a reconcile account to carry out the reconciliation operation. This account requires permission to update the public SSH Key of the target account, and can use either a password or SSH Key to authenticate to the target server.
You can configure the SSH Key Manager to reconcile SSH keys according to either of the following criteria:
Criteria | Description
---|---
Automatically | As soon as the CPM detects an SSH Key pair that is not synchronized, as part of either the verification or rotation process, it automatically reconciles the SSH Key.
Manually | SSH key reconciliation processes can also be initiated manually.
Manage the same SSH key on multiple targets
A single SSH Key can be used to access multiple target systems. The same public key is distributed to each target system where a privileged account can be authenticated using the same SSH Key.
Each privileged account for each target system must be created in the Vault, and then, to ensure the use of the same SSH Key, these SSH Key accounts are grouped together. In order to identify SSH Keys that are part of the same group in the Pending accounts list, you can add the Fingerprint property to the pending accounts list columns and sort by the fingerprint. Every account that has the same fingerprint belongs to the same group.
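Both the synchronization check described under Verify and Reconcile SSH keys and the fingerprint grouping described here reduce to the same primitive: the SHA256 fingerprint of a public key blob, as printed by `ssh-keygen -lf`. The following is an added example in Python, not CyberArk's code, that computes that fingerprint with the standard library only, checks whether the public half of a vaulted key is still present in each target's authorized_keys (a target that fails is the one a reconcile would repair), and groups discovered accounts that share a key by fingerprint. The key material, hostnames, account names and authorized_keys contents are constructed for the example.

```python
"""Fingerprint-based checks for vaulted SSH keys across targets.

Added example (not CyberArk code). All key material below is constructed,
not real keys.
"""
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_public_line(pub32, comment):
    """Build an authorized_keys line for a 32-byte Ed25519 public key value (constructed, not generated)."""
    blob = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub32)).decode()
    return f"ssh-ed25519 {blob} {comment}"


def parse_authorized_keys(text):
    """Return [(key_type, blob), ...] for each key line in authorized_keys.

    Skips blanks and comments and tolerates a leading options field such as
    from="...",no-pty: the key type token is located by name rather than by
    position, so the options themselves never need to be parsed.
    """
    entries = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                entries.append((tok, tokens[i + 1]))
                break
    return entries


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_fingerprint(pubkey_line):
    """Fingerprint of a single public key line (the public half kept with the vaulted private key)."""
    entries = parse_authorized_keys(pubkey_line)
    if len(entries) != 1:
        raise ValueError("expected exactly one public key line")
    return fingerprint(entries[0][1])


def verify_targets(vault_pubkey, targets):
    """Map each target to True if the vaulted key's public half is present in its authorized_keys."""
    want = key_fingerprint(vault_pubkey)
    return {
        host: any(fingerprint(blob) == want for _, blob in parse_authorized_keys(text))
        for host, text in targets.items()
    }


def group_by_fingerprint(accounts):
    """Group account names by the fingerprint of their public key: same fingerprint, same group."""
    groups = defaultdict(list)
    for name, pubkey_line in accounts.items():
        groups[key_fingerprint(pubkey_line)].append(name)
    return {fp: sorted(names) for fp, names in groups.items()}


# Constructed sample data: two vaulted keys and four targets.
VAULT_KEY_A = ed25519_public_line(bytes(range(32)), "vault-acct-a")
VAULT_KEY_B = ed25519_public_line(bytes(range(32, 64)), "vault-acct-b")
ADMIN_KEY = ed25519_public_line(b"\xa5" * 32, "admin@bastion")

TARGETS = {
    "web-01": f'from="10.0.0.0/8",no-pty {VAULT_KEY_A}\n# break-glass\n{ADMIN_KEY}\n',
    "web-02": f"{VAULT_KEY_A}\n",
    "db-01": f"{VAULT_KEY_B}\n{ADMIN_KEY}\n",
    "db-02": "# authorized_keys was emptied during a rebuild\n",  # out of sync
}

# Constructed pending accounts as a discovery would list them: account name -> public key.
PENDING_ACCOUNTS = {
    "root@web-01": VAULT_KEY_A,
    "root@web-02": VAULT_KEY_A,
    "root@db-01": VAULT_KEY_B,
}

if __name__ == "__main__":
    for host, ok in verify_targets(VAULT_KEY_A, TARGETS).items():
        print(f"{host}: {'in sync' if ok else 'OUT OF SYNC, reconcile needed'}")
    for fp, names in group_by_fingerprint(PENDING_ACCOUNTS).items():
        print(fp, names)
```

Comparing fingerprints rather than raw lines is what makes the check robust to options, comments and whitespace differences between targets, and it is the same value the Fingerprint column shows, so a mismatch found here corresponds directly to an account the SSH Key Manager would flag and reconcile.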
When you create an SSH Key group, first create the group manager platform, then create or onboard the group members and link them to the group. Users who are members of the Vault Admins group can manage SSH Key group platforms.
Create platforms for multiple targets
SSH Key groups require two types of platforms. Create and define them as described below.
To create a group manager platform:
This platform defines how the SSH Keys in each group will be managed. For details, see Group.
- In the PVWA, click the Administration button, and then click Platform Management.
- Click the Groups tab.
- On the Groups tab, select Sample SSH Key Group Platform, click the ellipsis button, and then click Duplicate.
- On the Duplicate Platform dialog box, enter a logical name and a description, and then click Create. The new platform is added to the list of platforms.
- Select the platform from the list, and then click Edit.
- On the edit page, expand the properties in the left pane, and edit the following required properties under Generate Key:

Property | Description
---|---
PrivateKeyFormat | The format of the private SSH key. Optional values are OpenSSH, Putty and Tectia. The default value is OpenSSH. For OpenSSH, the supported encoding is PEM.
KeySize | The size in bits of the generated key. Optional values are 1024, 2048, 4096 and 8192. The default value is 2048.
KeyEncryption | The algorithm of the generated SSH key pair. Optional values are RSA and DSA. The default value is RSA.
KeyGenerationTimeout | The number of seconds that the SSH Key Manager waits for the key generation process to finish. The default value is 90 seconds. Raise it when generating 8192-bit keys.
PublicSSHKeyPath | The path of the public key on the target machine. The default value is ~/.ssh/authorized_keys.
PopulateKeyIfNotExist | Determines whether or not the public SSH key file is created automatically during reconcile processes if it does not exist on the target machine. This is not relevant for SSH keys that were provisioned as a result of a discovery process.

For details on all properties, see Platform properties.

- Activate the platform, as described in Activate and deactivate a platform.
To create target platforms for group members:
This platform defines how each SSH Key account in the group will be managed on the target platform. Group member accounts can be associated with any platform that determines where they will be used, in the same way as any other SSH Key.
- Define the platform that will be applied to each group member. For details, see The SSH Keys Platform.
- Add a new SSH Key as described in Protecting/Securing, and associate it with the platform that defines its use.
All members of account groups must be stored in the same Safe.
To create a group manager platform:
This platform defines how the SSH Keys in each group will be managed.
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select Sample SSH Key Group Platform, then click Duplicate; the Duplicate Platform window appears.
- Type the name and a description of the new group platform, then click Save & Close to create the new platform.
- Select the new group platform, and then click Edit; the configuration page for the selected platform appears.
- Define the parameters that will determine how the SSH Key Manager will manage members of the group. The required properties are described in the following tables. For a complete list of parameters that can be set in platforms for account groups, see Group manager platform properties.

Generate Key:

Property | Indicates …
---|---
PrivateKeyFormat | The format of the private SSH key. Optional values are OpenSSH, Putty and Tectia. The default value is OpenSSH. For OpenSSH, the supported encoding is PEM.
KeySize | The size in bits of the generated key. Optional values are 1024, 2048, 4096 and 8192. The default value is 2048.
KeyEncryption | The algorithm of the generated SSH key pair. Optional values are RSA and DSA. The default value is RSA.
KeyGenerationTimeout | The number of seconds that the SSH Key Manager waits for the key generation process to finish. The default value is 90 seconds. Raise it when generating 8192-bit keys.
PublicSSHKeyPath | The path of the public key on the target machine. The default value is ~/.ssh/authorized_keys.
PopulateKeyIfNotExist | Determines whether or not the public SSH key file is created automatically during reconcile processes if it does not exist on the target machine. This is not relevant for SSH keys that were provisioned as a result of a discovery process.

General Properties:

Property | Indicates …
---|---
Status | Whether the platform is active or inactive.

- Click Apply to save the new configurations and apply them immediately, or click Save to save the new configurations and apply them after the period of time specified in the RefreshPeriod parameter. The Platform Management page appears again.
- In the list of Target Account Platforms, select the platform that you configured for SSH Keys Group management.
- In the Platform Preview pane, click the Status Edit icon, then select Active.
- Click the Save icon to save the new platform status. The status is also updated in the list of Target Account Platforms.
Define Account Groups
After the group manager platform and individual platforms have been created, define SSH Key groups. For details, see Add an account in V10 Interface.