SSH authorization keys are managed to maximize security over automated processes as well as sign-on by system administrators, power users, and others who use SSH keys for access. Safeguard for Privileged Passwords (SPP) performs the following.

NOTE:SPP does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by SPP.

  • SPP provisions keys by creating a new key pair associated with a managed account. Any of the following methods can be used.
    • An authorized key is added in the target account on the target host. A managed account can have more than one authorized key, however only one key can be managed by SPP at a time.
    • An SSH key sync group is created for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize the SSH Key so the same key can be used to log into all systems.
    • A legacy SSH identity key is uploaded. The legacy SSH key is entrusted to SPP. When legacy SSH keys are exposed, SPP rotates them after they are checked in. SPP may rotate the keys after they are checked in if the Entitlement Policy > Access Configuration option specifies Change SSH Key after check-in.
  • SPP requests and rotates SSH keys based on the access request policy (key and session) as well as via A2A when A2A is configured to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single SSH key.
Supported implementations

SSH implementations supported include:

  • Access requests provide SSH identity keys include OpenSSH, SSH2, and PuTTY format.
  • For management, SPP supports OpenSSH file formats and Tectia
Supported key types and key lengths

SPP supports RSA, Ed25519, ECDSA, and DSA algorithms for SSH identity keys. Supported key lengths follow:

  • RSA: 1024, 2048, 4096, and 8192-bit

    Larger key sizes take longer to generate. In particular, a key size of 8192-bits may take several minutes.

  • DSA: fixed to 1024-bits
  • Ed25519: fixed to 32 bits
  • ECDSA: 256, 384, and 521 bits
Unsupported algorithms and key strings

SPP reads each line when parsing an authorized_keys file and attempts to extract the data. If a line is properly formatted according to the specification, SPP will report it as a discovered identity key. SPP recognizes keys with either the RSA or DSA algorithm. Other valid key types are still discovered by SPP and are identified as the Key Type of Unknown on the Discovered SSH Keys properties grid.

Management

It is the responsibility of the Appliance Administrator to manage the access request and SSH key passphrase management services.

SSH key change, check, and discovery can be toggled on or off. For more information, see Global Services.

Navigate to Asset Management > Profiles > SSH Key Profiles.

Table 31: SSH Key Management settings
Setting Description
Change SSH Key settings You can add, update, schedule, or remove SSH Key Change settings.
Check SSH Key settings You can add, update, schedule, or remove SSH Key Check settings.

Discover SSH Key settings

You can add, update, schedule, or remove SSH Key Discovery jobs.

SSH Key Sync Groups settings

You can add, update, schedule, or remove SSH Key Sync Group settings.

The Asset Administrator or a partition's delegated administrator defines the SSH key sync group for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize so the same key can be used to log into all systems.