Manage SSH Keys

This topic describes how to manage SSH Keys.

Technical specifications

The following table lists the technical specifications that are relevant to SSH Key management:

Technical Specification

Supported values

SSH server on target machine

OpenSSH

Private Key format

OpenSSH (PEM), Putty, Tectia

Key length

1024, 2048, 4096, 8192 bits

Note: When generating a key of 8192 bits, adjust the platform timeout to 15 minutes due to the time it will take to generate a key this long.

Key encryption

RSA, DSA

Public Key file

The path of the public key on the target machine. The default value is ~/.ssh/authorized_keys.

Note: If this path does not exist, the SSH Key Manager creates it automatically with the following permissions:

  • .ssh folder – 700
  • authorized_keys file – 600

Rotate SSH keys

The SSH Key Manager generates new random SSH Key pair and updates the public SSH Key on target machines. The new private SSH key is then stored in the Digital Vault where it benefits from all accessibility and security features of the Digital Vault. The SSH Key Manager updates SSH Key content with no human intervention, according to the organizational Policy.

You can configure the SSH Key Manager to rotate SSH keys according to any of the following criteria:

Criteria

Description

Provisioning

After the SSH keys have been provisioned in the Vault.

Single use

After a single use.

Expiration period

After a predefined period of time.

Specific days

On specific days of the week.

Manually

SSH key change processes can also be initiated manually.

Verify that keys are synchronized

The SSH Key Manager can verify whether or not a private SSH key stored in the Digital Vault is synchronized with the corresponding public SSH key on remote machines. If the keys are not synchronized, they cannot be used. Therefore, whenever this happens, the SSH Key Manager can automatically reconcile the SSH Key pair and resynchronize the private SSH Key stored in the Vault with all public SSH Keys on the target servers. For details, see Reconcile SSH keys. In addition, you can configure the SSH Key Manager to send a notification to predefined users, whenever an unsychrnonized SSH Key is detected, so that they can identify the unsynchronized SSH keys and regain control over the target machine.

You can configure the SSH Key Manager  to verify SSH key content according to any of the following criteria:

Criteria Description
Expiration period After a predefined period of time.
Specific days On specific days of the week.
Specific timeframe During a predefined timeframe.
Manually SSH key verification processes can be initiated manually.

Reconcile SSH keys

The private SSH Keys stored in the Vault must be synchronized with corresponding public SSH Keys on remote devices to ensure that they are constantly available. Therefore, the CPM runs a verification process to check that the private and public SSH Key pairs are synchronized. If the verification process discovers pairs of SSH Keys that are not synchronized, it can reset the SSH Key pairs and reconcile them. This ensures that the private and public SSH Keys are resynchronized automatically, without any manual intervention.

The CPM uses a reconcile account to carry out the reconciliation operation. This account requires permission to update the public SSH Key of the target account, and can use either a password or SSH Key to authenticate to the target server.

 
  • The reconcile account must use a root user or a power user with root permissions.
  • If the reconcile account user authenticates to the target server with a password, on the target machine, in sshd_config, set the PasswordAuthentication parameter to yes.

You can configure the SSH Key Manager to reconcile SSH keys according to either of the following criteria:

Criteria Description

Automatically

As soon as the CPM detects an SSH Key pair that is not synchronized, as part of either the verification or rotation process, it will automatically reconcile the SSH Key.

Manually SSH key change processes can be initiated manually.

Manage the same SSH key on multiple targets

A single SSH Key can be used to access multiple target systems. The same public key is distributed to each target system where a privileged account can be authenticated using the same SSH Key.

Each privileged account for each target system must be created in the Vault, and then, to ensure the use of the same SSH Key, these SSH Key accounts are grouped together. In order to identify SSH Keys that are part of the same group in the Pending accounts list, you can add the Fingerprint property to the pending accounts list columns and sort by the fingerprint. Every account that has the same fingerprint belongs to the same group.

When you create an SSH Key group, first create the group manager platform, then create or onboard the group members and link them to the group. Users who are members of the Vault Admins group can manage SSH Key group platforms.

Create platforms for multiple targets

SSH Key groups require two types of platforms. Create and define them as described below.

To create a group manager platform:

This platform defines how the SSH Keys in each group will be managed. For details, see Group.

  1. In the PVWA, click the Administration button, and then click Platform Management.

  2. Click the Groups tab.

  3. On the Groups tab, select Sample SSH Key Group Platform, click the ellipsis button, and then click Duplicate.

  4. On the Duplicate Platform dialog box, enter a logical name and a description, and then click Create.

    The new platform is added to the list of platforms.

  5. Select the platform from the list, and then click Edit.

  6. On the edit page, expand the properties in the left pane, and edit the following required properties under Generate Key:

    Property

    Description

    PrivateKeyFormat

    The format of the private SSH key. Optional values are OpenSSH, Putty and Tectia. The default value is OpenSSH.

     

    The supported key format is OpenSSH (PEM).

    KeySize

    The size in bits of the generated key. Optional values are 1024, 2048, 4096 and 8192. The default value is 2048.

    KeyEncryption

    The type of encryption used to generate the SSH key. Optional values are RSA and DSA. The default value is RSA.

    KeyGenerationTimeout

    The number of seconds that the SSH Key Manager will wait for the key generaton process to finish. The default value is 90 seconds.

    PublicSSHKeyPath

    The path of the public key on the target machine. The default value is ~/.ssh/authorized_keys.

    PopulateKeyIfNotExist

    Determines whether or not the public SSH key file is created automatically during reconcile processes if it doesn't exist on the target machine. This is not relevant for SSH keys that were provisioned as a result of a discovery process.

    For details on all properties, see Platform properties.

  1. Activate the platform, as described in Activate and deactivate a platform.

To create target platforms for group members:

This platform defines how each SSH Key account in the group will be managed on the target platform.

Group member accounts can be associated with any platform that determines where they will be used, in the same way as any other SSH Key.

  1. Define the platform that will be applied to each group member. For details, see The SSH Keys Platform.

  2. Add a new SSH Key as described in Protecting/Securing, and associate it with the platform that defines its use.

     

    All members of account groups must be stored in the same safe.

To create a group manager platform:

This platform defines how the SSH Keys in each group will be managed.

  1. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  2. Select Sample SSH Key Group Platform, then click Duplicate; the Duplicate Platform window appears.

  3. Type the name and a description of the new group platform, then click Save & Close to create the new platform.

  4. Select the new group platform, and then click Edit; the configuration page for the selected platform appears.

  5. Define the parameters that will determine how the SSH Key Manager will manage members of the group.

    The required properties are described in the following table. For a complete list of parameters that can be set in platforms for account groups, see Group manager platform properties.

    Property

    Indicates …

    Generate Key:

    PrivateKeyFormat

    The format of the private SSH key. Optional values are OpenSSH, Putty and Tectia. The default value is OpenSSH.

     

    The supported key format is OpenSSH (PEM).

    KeySize

    The size in bits of the generated key. Optional values are 1024, 2048, 4096 and 8192. The default value is 2048.

    KeyEncryption

    The type of encryption used to generate the SSH key. Optional values are RSA and DSA. The default value is RSA.

    KeyGenerationTimeout

    The number of seconds that the SSH Key Manager will wait for the key generaton process to finish. The default value is 90 seconds.

    PublicSSHKeyPath

    The path of the public key on the target machine. The default value is ~/.ssh/authorized_keys.

    PopulateKeyIfNotExist

    Determines whether or not the public SSH key file is created automatically during reconcile processes if it doesn't exist on the target machine. This is not relevant for SSH keys that were provisioned as a result of a discovery process.

    General Properties:

    Status

    Indicates whether the platform is active or inactive.

  1. Click Apply to save the new configurations and apply them immediately,

or,

Click Save to save the new configurations and apply them after the period of time specified in the RefreshPeriod parameter.

The Platform Management page appears again.

  1. In the list of Target Account Platforms, select the platform that you configured for SSH Keys Group management.

  2. In the Platform Preview pane, click the Status Edit icon, then select Active.

  1. Click the Save icon to save the new platform status. The status is also updated in the list of Target Account Platforms.

To create target platforms for group members:

This platform defines how each SSH Key account in the group will be managed on the target platform.

Group member accounts can be associated with any platform that determines where they will be used, in the same way as any other SSH Key.

  1. Define the platform that will be applied to each group member. For more information about adding and customizing platforms, refer to The SSH Keys Platform.

  2. Add a new SSH Key as described in Protecting/Securing, and associate it with the platform that defines its use.

     

    All members of account groups must be stored in the same Safe

Define Account Groups

After the group manager platform and individual platforms have been created, define SSH Key groups. For details, see Add an account in V10 Interface.