Protecting/Securing

After the SSH Keys in your organization have been discovered, they can be stored securely in the Digital Vault. This way, the SSH Key secret is protected by access control and access restrictions. Specifically, the private SSH Key is stored in the Digital Vault, where you have full control over who can access it, can enforce access workflows and rotate the keys automatically, can view a full audit trail, and benefit from multiple other Vault features.

SSH Keys can be provisioned in the Password Vault manually through the Password Vault Web Access or automatically with the Accounts Feed onboarding wizard, the AccountUploader utility or the AddAccount web service. For more information about each method, refer to the relevant section below.

During the onboarding process, you are required to specify the address of the target machine and the privileged user on the target machine who owns the public key. You also specify the content of the corresponding private SSH key.

Provision SSH Keys

This section describes the various ways of provisioning SSH Keys.

Provision SSH Keys in the PVWA

You can provision SSH keys in the PVWA in either of the following ways:

  • Browse and select an existing private SSH key

  • Paste the content of an existing private SSH key. This method is useful when keys are stored on remote machines and cannot be onboarded directly.

After the private SSH keys have been onboarded to the Vault, the best practice is to delete the local private SSH key, so that it cannot be used by unauthorized users or in uncontrolled workflows that leave no audit trail.

Provision SSH Keys from the Accounts Feed

The Accounts Feed discovers SSH keys in your environment and classifies them so that you know whether each key is privileged or not. Additional information helps you understand the type of SSH key that was discovered and assess the risks associated with each account. In addition, the discovery finds SSH key trusts and the details of each trust, including the address where the privileged account is used, and a list of the following additional properties:

  • OriginalKeySize

  • OriginalKeyEncryption

  • OriginalPublicSSHKeyPath

  • OriginalSSHKeyFingerprint

  • OriginalSSHKeyComment

  • OriginalKeyAge

SSH keys that already exist in the Vault will not be rediscovered. This refers to SSH keys that were added in the PVWA, onboarded using the Accounts Feed, or provisioned using the AddAccount web service.

SSH keys that were discovered by the CPM Scanner and are displayed in the Pending Accounts list may have changed since they were initially discovered. In order to make sure that the Pending Accounts list reflects the current status, you can perform a new discovery process with the CPM Scanner in which the same SSH keys are rediscovered and their details are updated.

Provision SSH Keys in the Password Vault using the AccountUploader Utility

The AccountUploader utility enables you to create accounts with SSH keys. This utility is included as part of the PSM for SSH installation package.

Copy the following files to a directory on your local Unix machine from which you will run the utility:

  • AccountUploader

  • icudt42l.dat

The AccountUploader utility is supported on Linux and has the following usage:

accountuploader -VaultFile VaultFile -CredFile CredFile -SafeName SafeName -KeyFile KeyFile -DeviceType DeviceType -PolicyId PolicyId -Address Address -UserName UserName [-SubnetMask SubnetMask] [-ObjectName ObjectName]

Parameters:

  • VaultFile: The full or relative path of the vault.ini file of the Vault where the account will be added.

  • CredFile: The full or relative path of the credentials file that will be used to connect to the Vault. For details on creating the credentials file, see CreateCredFile utility.

  • SafeName: The name of the Safe where the account will be added.

  • KeyFile: The full or relative path of the SSH private key file that will be attached to the account. The SSH Key can be either in OpenSSH format or in PuTTY format (ppk).

  • DeviceType: The type of device on which the account will be used.

  • PolicyId: The ID of the platform that the account will be associated with. Make sure that the specified platform supports connections with SSH keys. By default, the Unix SSH Keys platform supports these connections.

  • Address: The IP address or DNS name of the target machine where the account will be used.

  • UserName: The user who will be used to connect to the target machine.

  • SubnetMask: The subnet mask for this account, if this is a subnet account. This parameter is optional.

  • ObjectName: The name by which the account will be saved in the Vault. This parameter is optional.
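The accountuploader call above, wrapped in a short POSIX shell script as an added example (not CyberArk's code): it checks that the key file is in OpenSSH or ppk format before calling the utility, and deletes the local private key only after the utility succeeds, as the best practice above recommends. The ACCOUNTUPLOADER variable, the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the CyberArk documentation or product. It wraps
# the accountuploader invocation above with two checks: refuse key files that
# are neither OpenSSH nor PuTTY (ppk) format, and remove the local private key
# only after the upload succeeded (the best practice the page recommends once
# the key lives in the Vault). ACCOUNTUPLOADER can be overridden with the
# binary's full path; the values callers pass are placeholders.
ACCOUNTUPLOADER=${ACCOUNTUPLOADER:-accountuploader}

# Print "openssh" or "ppk" based on the key file's first line. Anything else
# (a public key, a certificate, an empty or missing file) prints "unknown"
# and returns non-zero so it never reaches the Vault.
detect_key_format() {
  first=$(head -n 1 "$1" 2>/dev/null) || return 1
  case "$first" in
    "-----BEGIN "*" PRIVATE KEY-----") echo openssh ;;
    "PuTTY-User-Key-File-"*)          echo ppk ;;
    *)                                 echo unknown; return 1 ;;
  esac
}

# Usage: onboard_key VaultFile CredFile SafeName KeyFile DeviceType PolicyId Address UserName
# (the same order as the utility's required parameters). Returns the
# uploader's exit status; the local key is deleted only on success.
onboard_key() {
  vault=$1; cred=$2; safe=$3; key=$4; dev=$5; policy=$6; addr=$7; user=$8
  if ! detect_key_format "$key" >/dev/null; then
    echo "refusing $key: not an OpenSSH or ppk private key" >&2
    return 1
  fi
  "$ACCOUNTUPLOADER" -VaultFile "$vault" -CredFile "$cred" -SafeName "$safe" \
    -KeyFile "$key" -DeviceType "$dev" -PolicyId "$policy" \
    -Address "$addr" -UserName "$user" || return 1
  # The Vault copy is now authoritative: remove the local copy so it cannot
  # be used outside the Vault's access control and audit trail. shred is
  # GNU coreutils; fall back to rm where it is not installed.
  if command -v shred >/dev/null 2>&1; then shred -u "$key"; else rm -f "$key"; fi
}
```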

Provision SSH Keys in the Password Vault using the AddAccount REST Web Service

You can provision an SSH Key in the Password Vault using the AddAccount REST web service, by pasting the content of the private SSH Key in the Password field of the web service. For more information, refer to Add account.

Edit SSH Keys

You can edit SSH Keys in the PVWA Accounts page by selecting them and then editing their properties, similar to the way you edit privileged accounts.

Retrieve a private SSH Key

Depending on your permissions, you can download a private SSH Key and use it to connect to a target machine.

Each SSH Key has a format, which must match the application that you use to connect to the target machine. For example, to connect using PuTTY, the private SSH Key must be in PuTTY format.

Delete SSH Keys

Delete an SSH Key that is no longer used or that needs to be revoked.

You can delete multiple SSH keys in a single action.

When SSH keys are deleted:

  • Copies of deleted SSH keys are not deleted. These copies must be deleted manually from the Vault and from the target machine.

  • All links to a deleted account are removed. These links cannot be restored if you undelete accounts.

To delete Private SSH Keys from the Vault and Public SSH Keys from target machines:

  1. Select the SSH keys to delete:

    • In the Accounts List: display the SSH keys to delete, then from the More actions menu, select Delete,

    or,

    • In the SSH Key Details page: display the SSH Key Details page of a single SSH key to delete, then on the menu bar, click Delete.

    To delete an SSH key that is defined with multiple target machines, search for all the accounts that are defined in the group, then select all of them. When you click Delete, the system will delete each and every one of them from the Vault and/or from the target server, according to the option you selected. For more information, refer to Manage the same SSH key on multiple targets.

  2. On the menu bar, click Delete; the following message appears:

  3. Click OK to continue deleting the private and public SSH keys,

    or,

    Click Cancel to leave the SSH keys as they are.

  4. If you clicked OK, the following window prompts you for details about the SSH keys to delete:

    This option will delete the private SSH keys from the Vault and the corresponding public SSH keys from the target machine.

  5. Select Delete both the private SSH keys from the Vault and the public SSH keys from the target machine, then click OK; a notification appears in the SSH Key Details page indicating that the CPM will delete the corresponding public key on the target machine.

    While this notification is displayed, you can cancel the delete action.

    In addition, the SSH Key status indicates that the key is marked for deletion.

    Only after the CPM has deleted the public SSH key on the target machine does it delete the corresponding private SSH key from the Vault.

    After deleting an SSH key you can undelete it using the Vault’s Version feature. This ‘undelete’ will recover the private SSH key stored in the Vault but, because of security concerns, it won’t recover the corresponding public SSH key on the target machine.

To delete Private SSH Keys only from the Vault:

The corresponding public SSH key on remote machines will not be deleted.

  1. Select the private SSH keys to delete:

    • In the Accounts List: display the private SSH keys to delete, then from the More actions menu, select Delete,

    or,

    • In the SSH Key Details page: display the SSH Key Details page of a single SSH key to delete, then on the menu bar, click Delete.

    The following message appears:

  2. Click OK to delete the private SSH key.

  3. If you clicked OK, the following window prompts you for details about the SSH key to delete:

    This option will delete private SSH keys from the Vault without affecting the corresponding public key on remote machines. Any local copies defined for this SSH Key are not deleted automatically and must be manually deleted from the Vault and remote machines.

  4. Select Delete only the private SSH keys, then click OK; the private SSH key is now deleted from the Vault.


    You can undelete SSH keys during the Safe retention period.