サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

View SSH Key Profile Components (profiles)

When the SSH Key Profiles tab on the Profiles page is selected, a View SSH Key Profile Components link is available. This link displays information on the currently configured SSH Key profile components in use by Safeguard for Privileged Passwords.

To open the View SSH Key Profile Components link on the Profiles page:

  • web client: Navigate to Asset Management > Profiles > SSH Key Profiles and click the View SSH Key Profile Components link.

The View SSH Key Profile Components view contains the following tabs:

  • Check SSH Key: This tab provides information on the currently configured check SSH key schedules. You can use the Refresh button to update the listed schedules.

  • Change SSH Key: This tab provides information on the currently configured change SSH key schedules. You can use the Refresh button to update the listed schedules.

  • Discover SSH Key: This tab provides information on the currently discovered SSH keys. You can use the Refresh button to update the listed keys.

  • SSH Key Sync Groups: This tab provides information on the currently configured SSH key sync groups. From this tab the following options are available:

    • Delete: Remove the selected SSH key sync group.

    • View Details: View details for the selected SSH key sync group.

    • Enable-Disable: Use these buttons to either enable or disable the SSH key sync group.

    • Change Sync Group Password:

    • Refresh: Update the listed SSH key sync groups.

Managing SSH key profiles

Use the controls and tabbed pages on the Profiles page to perform the following tasks to manage SSH key profiles:

Adding an SSH key profile

It is the responsibility of the Asset Administrator to add SSH key profiles to Safeguard for Privileged Passwords.

To add an SSH key profile

  1. Navigate to Asset Management > Profiles > SSH Key Profiles.
  2. Click  New Profile from the toolbar.
  3. In the New SSH Key Profiledialog, enter the following information:
    1. Name: Enter a unique name for the partition. Limit: 50 characters.

    2. Description: (Optional) Enter information about this partition. Limit: 255 characters.

  4. Select a partition for the SSH key profile using the Browse button.

  5. On the Check SSH Key tab, select a previously defined check SSH Key setting from the drop-down menu or click Add to add a new check SSH Key setting. For more information, see Check SSH Key settings.

  6. On the Change SSH Key tab, select a previously defined change SSH Key setting from the drop-down menu or click Add to add a new change SSH Key setting. For more information, see Change SSH Key settings.

  7. On the Discover SSH Key tab, select a previously defined discover SSH Key setting from the drop-down menu or click Add to add a new discover SSH Key setting. For more information, see Discover SSH Key settings.

  8. Click OK to save the SSH key profile.

    Once saved you can edit the profile to add SSH key sync groups to your SSH key profile. For more information, see SSH Key Sync Groups settings.

SSH Key Profiles

SSH authorization keys are managed to maximize security over automated processes as well as sign-on by system administrators, power users, and others who use SSH keys for access. Safeguard for Privileged Passwords (SPP) performs the following.

NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

  • SPP provisions keys by creating a new key pair associated with a managed account. Any of the following methods can be used.
    • An authorized key is added in the target account on the target host. A managed account can have more than one authorized key, however only one key can be managed by SPP at a time.
    • An SSH key sync group is created for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize the SSH Key so the same key can be used to log into all systems.
    • A legacy SSH identity key is uploaded. The legacy SSH key is entrusted to SPP. When legacy SSH keys are exposed, SPP rotates them after they are checked in. SPP may rotate the keys after they are checked in if the Entitlement Policy > Access Configuration option specifies Change SSH Key after check-in.
  • SPP requests and rotates SSH keys based on the access request policy (key and session) as well as via A2A when A2A is configured to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single SSH key.
Supported implementations

SSH implementations supported include:

  • Access requests provide SSH identity keys include OpenSSH, SSH2, and PuTTY format.
  • For management, SPP supports OpenSSH file formats and Tectia
Supported key types and key lengths

SPP supports RSA, Ed25519, ECDSA, and DSA algorithms for SSH identity keys. Supported key lengths follow:

  • RSA: 1024, 2048, 4096, and 8192-bit

    Larger key sizes take longer to generate. In particular, a key size of 8192-bits may take several minutes.

  • DSA: fixed to 1024-bits
  • Ed25519: fixed to 32 bits
  • ECDSA: 256, 384, and 521 bits
Unsupported algorithms and key strings

SPP reads each line when parsing an authorized_keys file and attempts to extract the data. If a line is properly formatted according to the specification, SPP will report it as a discovered identity key. SPP recognizes keys with either the RSA or DSA algorithm. Other valid key types are still discovered by SPP and are identified as the Key Type of Unknown on the Discovered SSH Keys properties grid.

Management

It is the responsibility of the Appliance Administrator to manage the access request and SSH key passphrase management services.

SSH key change, check, and discovery can be toggled on or off. For more information, see Global Services.

Navigate to Asset Management > Profiles > SSH Key Profiles.

Table 162: SSH Key Management settings
Setting Description
Change SSH Key settings You can add, update, schedule, or remove SSH Key Change settings.
Check SSH Key settings You can add, update, schedule, or remove SSH Key Check settings.

Discover SSH Key settings

You can add, update, schedule, or remove SSH Key Discovery jobs.

SSH Key Sync Groups settings

You can add, update, schedule, or remove SSH Key Sync Group settings.

The Asset Administrator or a partition's delegated administrator defines the SSH key sync group for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize so the same key can be used to log into all systems.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択