
One Identity Safeguard for Privileged Passwords 6.7.4 - Administration Guide


Checking, changing, or setting an SSH key

The Asset Administrator can manually check, change, or set an SSH key from the Account Security menu.

To manually check, change, or set an SSH key

  1. Navigate to Administrative Tools | Accounts.
  2. In Accounts, select an account from the object list.
  3. Click Account Security from the toolbar. You can also right-click the account name, then click Account Security.

    Select one of these options. You can view the progress and results of the Check and Change options in the Toolbox | Tasks pane. For more information, see Viewing task status.

    • Check SSH Key to verify the account SSH key is in sync with the Safeguard for Privileged Passwords database. If the SSH key verification fails, you can change it.
    • Change SSH Key to reset and synchronize the SSH key with the Safeguard for Privileged Passwords database. For service accounts, use this selection and do not use Generate SSH Key to change the SSH key.
    • Set SSH Key to set the SSH key in the Safeguard for Privileged Passwords database. The Set SSH Key option does not change the account SSH key on the asset. The Set SSH Key option provides the following options.
      • Generate: Generate a new SSH key and assign it to the account. The SSH key complies with the SSH key rule that is set in the account's profile.

        CAUTION: Do not generate a new SSH key for a service account because the connection to the asset will be lost. Instead, use Account Security : Change SSH Key.

        After you select Generate, the key is generated and saved in the Safeguard for Privileged Passwords database. The following fields display.

        • Account: The account name
        • Fingerprint: The fingerprint of the SSH key used for authentication
        • Key Comment: Information about the SSH key
        • Type: The SSH authentication key type, such as RSA or DSA. For more information, see SSH Key Management settings.
        • Length: The length of the SSH authentication key. For more information, see SSH Key Management settings.
        • Public Key: The generated key; click Copy to put it into your copy buffer. You can then log in to your device, using the old SSH key, and change it to the SSH key in your copy buffer.
      • Import: Import a private key file for an SSH key that has been generated outside of Safeguard for Privileged Passwords and assign it to the account. Click Browse to import the key file, enter a Password, then click OK.
        When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing the key. For example, you can run an SSH client program to check that the private key can be used to log in to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.
      • Install: If not already configured, install the account's current SSH key on the asset in the correct file for the account.
      • Verify: Check that the account's current SSH key is configured in the correct file for the account on the asset. A warning is displayed if the authorized key file permissions have identifiable issues (such as the permissions being too open or configuration settings issues). The verification process cannot identify all potential issues, so Verify may run successfully even though the key does not work when you try to authenticate.
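
The conditions Verify looks for can also be checked by hand on the asset. The script below is an added example, not One Identity code and not how Safeguard implements Verify; it assumes an OpenSSH layout with keys in ~/.ssh/authorized_keys, and the function names, the throwaway home directory and the key blob are constructed for illustration.

```shell
#!/bin/sh
# Added example, not One Identity code. Run on the asset as the account or root.
# Exit status of check_authorized_key:
#   0 key present, permissions acceptable   1 key present, permissions too open
#   2 key not in the file                   3 authorized_keys file missing

# True when the path is writable by group or others, which sshd's
# StrictModes setting (on by default) rejects.
too_open() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# $1 = account home directory, $2 = base64 blob of the public key
check_authorized_key() {
    file="$1/.ssh/authorized_keys"
    [ -f "$file" ] || { echo "missing: $file"; return 3; }
    # Match the blob as a whole whitespace-separated field, ignoring comments.
    awk -v k="$2" '!/^#/ { for (i = 1; i <= NF; i++) if ($i == k) f = 1 }
                   END { exit !f }' "$file" || { echo "key not found"; return 2; }
    st=0
    for p in "$1" "$1/.ssh" "$file"; do
        if too_open "$p"; then echo "too open: $p"; st=1; fi
    done
    return "$st"
}

# Constructed fixture: a throwaway home directory and a made-up key blob.
DEMO_KEY="AAAAC3NzaC1lZDI1NTE5AAAAIconstructedExampleBlobNotARealKey0000000000"
make_fixture() {
    home=$(mktemp -d) && mkdir "$home/.ssh" && chmod 700 "$home" "$home/.ssh"
    printf '# managed key\nssh-ed25519 %s svc-demo\n' "$DEMO_KEY" \
        > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    echo "$home"
}

h=$(make_fixture)
check_authorized_key "$h" "$DEMO_KEY" && echo "ok: key configured"
chmod 666 "$h/.ssh/authorized_keys"      # simulate a file that is too open
check_authorized_key "$h" "$DEMO_KEY" || echo "status $?"
rm -rf "$h"
```

A clean result here has the same limit as Verify: it does not prove that authentication works, so the ssh -i login test remains the final check.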

Viewing SSH key archive

The Asset Administrator can access a previous SSH key for an account for a specific date.

The SSH Key Archive dialog only displays previously assigned SSH keys for the selected asset based on the date specified. This dialog does not display the current SSH key for the asset. The SSH key archive is never purged.

You view an account's SSH key validation and reset history on the Check and Change Log tab.

To access an account's previous SSH key

  1. Navigate to Administrative Tools | Accounts.
  2. In Accounts, right-click an account name and choose SSH Key Archive.

    Or, click SSH Key Archive from the toolbar.

  3. In the SSH Key Archive dialog, select a date. If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current SSH key.

  4. In the View column, click to display the SSH key that was assigned to the asset at that given date and time.
  5. In the details dialog, click Copy to copy the SSH key to your copy buffer, or click OK to close the dialog.

Account Groups

A Safeguard for Privileged Passwords account group is a set of accounts which you can add to the scope of an access request policy. For more information, see Creating an access request policy.

The Auditor and the Security Policy Administrator have permission to access Account Groups.

The Account Groups view displays the following information about the selected account group.

Use these toolbar buttons to manage account groups.

General tab (account group)

The General tab lists information about the selected Account Group.

Large tiles at the top of the tab display the number of Accounts and Access Request Policies associated with the selected account group.

Table 30: Account Groups General tab: General properties

| Property | Description |
|---|---|
| Name | The selected account group's name |
| Account Rules | For dynamic account groups, a summary of the asset account rules defined |
| Description | Information about the selected account group |

Related Topics

Modifying an account group
