desktop client only
SSH authorization keys are managed to maximize security over automated processes as well as sign-on by system administrators, power users, and others who use SSH keys for access. Safeguard for Privileged Passwords (SPP) performs the following.
- SPP provisions keys by creating a new key pair associated with a managed account. Any of the following methods can be used.
- An authorized key is added in the target account on the target host. A managed account can have more than one authorized key.
- An SSH key sync group is created for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize with the new passphrase so the same key can be used to log into all systems.
- A legacy SSH identity key is uploaded. The legacy SSH key is entrusted to SPP. When legacy SSH keys are exposed, SPP rotates them after they are checked in.
- SPP requests and rotates SSH keys based on the access request policy (key and session) as well as via A2A when A2A is configured to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single SSH key.
Supported implementations
SSH implementations supported include:
- Access requests provide SSH identity keys include OpenSSH, SSH2, and PuTTY format.
- For management, SPP supports OpenSSH file formats and Tectia
Supported key types and key lengths
SPP supports RSA and DSA algorithms for SSH identity keys. Supported key lengths follow:
- RSA: 1024, 2048, 4096, and 8192-bit
Larger key sizes take longer to generate. In particular, a key size of 8192-bits may take several minutes.
- DSA: fixed to 1024-bits
Unsupported algorithms and key strings
SPP reads each line when parsing an authorized_keys file and attempts to extract the data. If a line is properly formatted according to the specification, SPP will report it as a discovered identity key. SPP recognizes keys with either the RSA or DSA algorithm. Other valid key types are still discovered by SPP and are identified as the Key Type of Unknown on the Discovered SSH Keys properties grid.
If a line is not properly formatted, the data will be skipped and a warning with the number of invalid lines will be included on the Toolbox | Task pane. Further details, including a copy of each invalid line, displays on the Operations tab. For more information, see Viewing task status.
Management
It is the responsibility of the Appliance Administrator to manage the access request and SSH key passphrase management services.
SSH key change, check, and discovery can be toggled on or off. For more information, see Enable or disable access request and services.
Navigate to Administrative Tools | Settings | SSH Key Management.
Table 186: SSH Key Management settings
| Change SSH Key settings |
You can add, update, or remove SSH key change settings. |
| Check SSH Key settings |
You can add, update, or remove SSH key check settings. |
|
Discover SSH Key settings |
You can discover authorized SSH keys in managed accounts. |
| SSH Key Sync Groups settings |
The Asset Administrator or a partition's delegated administrator defines the SSH key sync group for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize so the same key can be used to log into all systems. |
desktop client only
Safeguard for Privileged Passwords requests and rotates SSH keys based on the access request policy (key and session) as well as via A2A configurations set up to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single SSH key.
SSH key change can be toggled on or off. For more information, see Enable or disable access request and services.
Navigate to Administrative Tools | Settings | SSH Key Management | Change SSH Key.
Table 187: Change SSH Key properties
|
Name |
The name of the SSH key |
|
Partition |
The partition where the SSH key is managed |
|
Description |
Information about the SSH key |
|
Schedule |
Designates when the SSH key is changed |
Use the following toolbar buttons to manage changing the SSH key.
desktop client only
It is the responsibility of the Asset Administrator or the partition's delegated administrator to configure the rules Safeguard for Privileged Passwords uses to reset SSH key passphrases.
IMPORTANT: Passphrases for accounts associated with an SSH key sync group are managed based on the profile change schedule and processed via the SSH key sync group. If synchronization fails for an individual account in the sync group, the account is retried multiple times and, if failing after that, the sync task halts and is rescheduled. The administrator must correct the cause of the failure for the sync task to continue. For more information, see SSH Key Sync Groups settings.
To add an SSH key reset schedule
- Navigate to Administrative Tools | Settings | SSH Key Management | Change SSH Key.
- Click
Add to open the Change SSH Key Settings dialog.
- Browse to select a partition.
- Enter a Name of up to 50 characters for the rule.
- Enter a Description of up to 255 characters for the rule.
- Enter a Comment.
- Select a Key Length such as 1024, 2048, 4096, or 8192 characters. Larger key sizes take longer to generate. In particular, a key size of 8192-bits may take several minutes.
-
Optionally, select Change SSH Keys Manually.
For more information, see How do I manage accounts on unsupported platforms.
- To change the Change SSH Key schedule, click the link or click the Schedule button. The default is Never.
-
In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)
-
Configure the following.
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
Enter a frequency for Backup Every. Then, select a the time frame:
- Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
-
Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
-
Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.
-
Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
-
Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
-
Select Use Time Windows if you want to enter the Start and End time. You can click 
Add or 
Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
- (UTC) Coordinated Universal Time is the default time zone. Select a new time zone, if desired.
If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.
- Optionally, select Suspend account when checked in (supported platforms): Select this option to automatically suspend managed accounts that are not in use. That is, the account on a managed asset is suspended until a request is made for it through Safeguard for Privileged Passwords, at which time Safeguard for Privileged Passwords restores the account. Once the request is checked in or closed, the account is again suspended.
You can click the supported platforms link to display a list of platforms that support this feature (KB Article 233379).
- Click OK.
desktop client only
Safeguard for Privileged Passwords requests and rotates SSH keys based on the access request policy (key and session) as well as via A2A configurations set up to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single SSH key.
SSH key check can be toggled on or off. For more information, see Enable or disable access request and services.
Navigate to Administrative Tools | Settings | SSH Key Management | Check SSH Key.
Table 189: Check SSH Key properties
|
Name |
The name of the SSH key |
|
Partition |
The partition where the SSH key is managed |
|
Description |
Information about the SSH key |
|
Schedule |
Designates when the SSH key is checked |
Use the following toolbar buttons to manage checking the SSH key.
Table 190: Check SSH Key: Toolbar
| Add |
Add SSH key check settings. |
 Delete Selected |
Permanently remove the selected SSH key. |
 Refresh |
Update the list of SSH keys. |
 Edit |
Modify the selected SSH key. |
|
 Copy SSH Key
|
Copy the Check SSH Key Settings template. |
|
 Search
|
To locate a value in this list, enter the character string to be used to search for a match. For more information, see Search box. |
