Configure SSH-based features
This topic describes how to configure FIPS-compliant mode and SSH key fingerprints for SSH-based plugins.
Overview
You can configure SSH-based CPM plugins to work in FIPS-compliant mode or you can temporarily change SSH key fingerprint settings for the following plugin types:
- TPC-based plugins
- Private SSH keys (for more information, see Private SSH Key)
- SSH keys (for more information, see SSH Keys)
- Password files (configuration files) (for more information, see Configuration files)
- RSA Authentication Manager (for more information, see RSA Authentication Manager)
Disable support for legacy modes
- In the bin folder on the CPM server, create a file called ExpectConfiguration.ini with the following content:
  RunInFIPSCompliantMode=Yes
Enable SHA-1 compatibility only for legacy systems that require it for backward compatibility.
Configure SSH library
- In the bin folder on the CPM server, create a file called ExpectConfiguration.ini with the following content, or add the following content to an existing ExpectConfiguration.ini file:
  SshLibrary=Rebex
- The Rebex configuration supports RHEL 8.4 and Fedora 35 with the default crypto policies.
- The default crypto policies on a Cisco target must be changed in order to work with the Rebex configuration:
  - Replace the diffie-hellman-group1-sha1 key exchange algorithm with a supported algorithm. See Supported SSH algorithms for Rebex for more information.
  - The RSA key must be at least a 1024-bit key.
SSH Fingerprints
When connecting over SSH, as a security measure, the target's fingerprint is stored for future logins. This fingerprint identifies the target machine as a valid target. While running an action, if a different fingerprint is detected, the connection fails.
If the different fingerprint is valid, and you want to connect to the target without getting an error, you can temporarily override the stored fingerprint. This replaces the stored fingerprint with the fingerprint the target now presents.
Enable or disable a platform to override a fingerprint
- In the Privilege Cloud Portal, select Administration > Platform Management.
- Edit the platform settings: select the platform, click the icon on the right side of the screen, and select Edit.
- Under Automatic Password Management > Additional Policy Settings, right-click Parameters, and select Add Parameter.
- Add the following parameter:

| Parameter | Description |
| --- | --- |
| StoreKeyinCache | A security feature that stores the target's fingerprint in the cache. If the target changes, the fingerprint returned from the target will not match the fingerprint stored in the cache and the plugin connection fails. Default value: Yes (if implemented by the TPC or the plugin). Mandatory: No |
- Click OK.
Temporarily override a target's fingerprint
While running an action, if a different fingerprint is detected, the connection fails. If you want to connect to the target without getting an error, you can temporarily override the stored fingerprint. This replaces the stored fingerprint with the fingerprint the target now presents.
To temporarily override a target's fingerprint:
- In the account properties, set the following parameter to Yes:

| Parameter | Description |
| --- | --- |
| OverrideOnInvalidKeyInCache | Overrides the fingerprint validation and connects to the target. The fingerprint stored in the cache is updated with the fingerprint the target now presents. Default value: No. Mandatory: No |
- Run Reconcile.
- Return the account to a secure state: in the account properties, set OverrideOnInvalidKeyInCache back to No.
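The following model of the fingerprint cache and the StoreKeyinCache / OverrideOnInvalidKeyInCache decisions from the two procedures above is an added example for illustration, not CyberArk's own code. The cache structure, the host key bytes and the result labels are constructed assumptions; the fingerprint format (SHA256 of the public key blob, base64 without padding) is the one OpenSSH prints.

```python
import base64
import hashlib
from dataclasses import dataclass, field


def openssh_fingerprint(pubkey_blob: bytes) -> str:
    """Return the fingerprint in OpenSSH's 'SHA256:<unpadded base64>' form."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class FingerprintCache:
    """Hypothetical per-target fingerprint cache with the page's two policy flags."""
    entries: dict = field(default_factory=dict)  # target name -> pinned fingerprint

    def check_target(self, target: str, presented_blob: bytes,
                     store_key_in_cache: bool = True,
                     override_on_invalid_key: bool = False) -> str:
        """Decide whether a connection to `target` may proceed.

        'connected-new': first contact, fingerprint pinned (trust on first use)
        'connected': presented fingerprint matches the pinned one
        'failed': mismatch and OverrideOnInvalidKeyInCache=No (the secure default)
        'connected-overridden': mismatch accepted, cache updated to the new key
        'connected-unpinned': StoreKeyinCache=No, so no validation at all
        """
        presented = openssh_fingerprint(presented_blob)
        if not store_key_in_cache:
            return "connected-unpinned"
        stored = self.entries.get(target)
        if stored is None:
            self.entries[target] = presented
            return "connected-new"
        if stored == presented:
            return "connected"
        if override_on_invalid_key:
            self.entries[target] = presented  # one-time re-pin, then set flag back to No
            return "connected-overridden"
        return "failed"


def demo() -> list:
    """Walk through a host key change, the override, and returning to the secure state."""
    cache = FingerprintCache()
    old_key = b"ssh-ed25519 constructed-old-host-key"  # constructed sample, not a real key
    new_key = b"ssh-ed25519 constructed-new-host-key"  # constructed sample, not a real key
    return [
        cache.check_target("host1", old_key),   # first contact: pin old key
        cache.check_target("host1", old_key),   # same key: connect
        cache.check_target("host1", new_key),   # key changed, override=No: fail
        cache.check_target("host1", new_key, override_on_invalid_key=True),  # re-pin
        cache.check_target("host1", new_key),   # override back to No: new key accepted
        cache.check_target("host1", old_key),   # old key is now the mismatch: fail
    ]
```

The last step shows why the override must be reset to No after Reconcile: while it stays Yes, any key a target presents is silently re-pinned, which defeats the check.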