SSH Keys

This topic describes the SSH Keys plugin.

Support

Target devices

The CPM supports remote account management for SSH Keys on the following target devices:

  • Solaris Intel 11.2, 11.3

  • Solaris SPARC 11.2, 11.3

  • RHEL 7.1, 7.4, 7.6, 8.x*, 9.x*

    • Debian 11.6*

    • Ubuntu 18.04, 22.04*

    • Fedora 38*

  • Oracle Enterprise Linux 6, 7

  • IBM AIX 7.1, 7.3

  • HP-UX 11.x

  • CentOS 7

  • SUSE Linux 12, 15

  • OpenSUSE 15.4

  • Amazon Linux 2

  • VMWare ESXi 6.5, 6.7, 7.0

  • FreeBSD 13

    • *The target device version is only supported when the SSH library is configured to work with the Rebex library. For more information, see Disable support for legacy modes.

Accounts

The CPM supports account management for the following accounts:

Unix \ Linux accounts

Platforms

In the Privilege Cloud Portal Platform Management page, make sure that the following target account platform is displayed:

  • Unix via SSH Keys

Connection Methods

This plugin uses the following connection methods to the remote machine:

  • SSH
  • SFTP

Actions

The following table lists the supported SSH key management actions for this platform:

Action

Verify
Supported ü
Permissions
  • Permission 600 to the SSH Key file.
  • Permission 700 to the folder that contains the SSH Key file.

Action

Change
Supported ü
Permissions
  • Permission 600 to the SSH Key file.
  • Permission 700 to the folder that contains the SSH Key file.

Action

Reconcile
Supported ü
Permissions

When UseSudoOnReconcile is set to No, the reconcile account must use a root user or a power user with root permissions. When UseSudoOnReconcile is set to Yes, the reconcile account must be in the sudoers list.

If the reconcile account user authenticates to the target server with a password, on the target machine, in sshd_config, set the PasswordAuthentication parameter to yes.

Action

Delete
Supported ü
Permissions
  • Permission 600 to the SSH Key file.
  • Permission 700 to the folder that contains the SSH Key file.

Reconcile Accounts

Action

Reconcile
Supported ü
Required ü
Platform
  • Unix via SSH
  • Unix via SSH Keys

    If a logon account is used for the reconcile account, or UseSudoOnReconcile is set to Yes, the Unix via SSH Keys platform is not supported.
Permissions

When UseSudoOnReconcile is set to No, the reconcile account must use a root user or a power user with root permissions. When UseSudoOnReconcile is set to Yes, the reconcile account must be in the sudoers list.

If the reconcile account user authenticates to the target server with a password, on the target machine, in sshd_config, set the PasswordAuthentication parameter to yes.

Logon Accounts

Action

Logon and reconcile
Supported ü

The logon account of the reconcile account, not of the target account, is used.
Required û
Platform
  • Unix via SSH
  • Unix via Telnet
Permissions

SU command must be enabled.

A logon account can only be associated to a reconcile account at the account level, not at the platform level.

Connection Components

The PSM-SSH and PSM-WinSCPPSM connectors are used with accounts managed by this plugin.

Configuration

Prerequisites

  • Target machine must support login using SSH Keys.
  • When using sudo command, the target machine must support sudo access.
  • This plugin requires .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.

Platform Parameters

Port
Description The port number of the target device.
Acceptable Values Positive numeric value between 1 and 65535.
Default Value 22

PublicSSHKeyPath
Description

The path where the file containing the public SSH key is located.

Note: Make sure the that the Authorized Keys File defined on the target machine matches the path.
Acceptable Value

~ will be replaced with the home folder.

%username% will be replaced with the username.
Default Value ~/.ssh/authorized_keys

BackupFile
Description Whether the existing file will be backed up before changing the key.
Acceptable Value

False, Off or Disable - To indicate that the file should not be backed up.

Otherwise, the file will backed up.
Default Value True

CommandExecutionTimeout
Description Number of seconds to wait for each command execution.
Acceptable Value Positive numeric value between 1 and 1000.
Default Value 30

ConnectionTimeout
Description Number of seconds to wait for the connection to the target device.
Acceptable Value Positive numeric value between 1 and 1000.
Default Value 30

UseSudoOnReconcile

Description

Whether to use the sudo command on Reconcile.

Acceptable Value Yes, No
Default Value

No

StandardPrompt
Description A regex used to identify the standard prompt.
Acceptable Value A valid regex.
Default Value .*\$ ?$|.*\# ?$|.*\> ?$|.*\% ?$|.*\] ?$

PopulateIfNotExist
Description Whether the file and containing folders are created on Reconcile if they do not exist.
Acceptable Value Yes, No
Default Value No

Account Parameters

Required

Address
Description The IP address or host name of the target device where the file is located.
Acceptable Values IPv4, IPv6 or hostname.
Default Value  

Username
Description The name of the user on the target device who this password belongs to.
Acceptable Value String
Default Value  

Optional

Port
Description The port number of the target device.
Acceptable Values Positive numeric value between 1 and 65535.
Default Value Port defined in the platform.

Comment
Description The text to be entered in the comment section of the SSH key file.
Acceptable Value String
Default Value  

PublicSSHKeyPath
Description

The path where the file containing the public SSH key is located.

Note:

  • Make sure the that the Authorized Keys File defined on the target machine matches the path.
  • If the account has been on-boarded, the path used will be the path where the file was located when discovered.
Acceptable Value

~ will be replaced with the home folder.

%username% will be replaced with the username.
Default Value PublicSSHKeyPath defined in the platform.

CommandExecutionTimeout
Description Number of seconds to wait for each command execution.
Acceptable Value Positive numeric value between 1 and 1000.
Default Value CommandExecutionTimeout defined in the platform.

ConnectionTimeout
Description Number of seconds to wait for the connection to the target device.
Acceptable Value Positive numeric value between 1 and 1000.
Default Value ConnectionTimeout defined in the platform.

UseSudoOnReconcile

Description

Indication whether to use the sudo command on Reconcile.

 

UseSudoOnReconcile can be defined in both the Target account and the Reconcile account. In case both are defined, the value from the Reconcile account is used.
Acceptable Value Yes, No
Default Value

UseSudoOnReconcile defined in the platform.

StandardPrompt
Description A regex used to identify the standard prompt.
Acceptable Value A valid regex.
Default Value StandardPrompt defined in the platform.

PopulateIfNotExist
Description Whether the file and containing folders are created on Reconcile if they do not exist.
Acceptable Value Yes, No
Default Value PopulateIfNotExist defined in the platform.