Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.5.2 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Adding an SSH key profile

It is the responsibility of the Asset Administrator to add SSH key profiles to Safeguard for Privileged Passwords.

To add an SSH key profile

  1. Navigate to Asset Management > Profiles > SSH Key Profiles.
  2. Click  New Profile from the toolbar.
  3. In the New SSH Key Profiledialog, enter the following information:
    1. Name: Enter a unique name for the partition. Limit: 50 characters.

    2. Description: (Optional) Enter information about this partition. Limit: 255 characters.

  4. Select a partition for the SSH key profile using the Browse button.

  5. On the Check SSH Key tab, select a previously defined check SSH Key setting from the drop-down menu or click Add to add a new check SSH Key setting. For more information, see Check SSH Key settings.

  6. On the Change SSH Key tab, select a previously defined change SSH Key setting from the drop-down menu or click Add to add a new change SSH Key setting. For more information, see Change SSH Key settings.

  7. On the Discover SSH Key tab, select a previously defined discover SSH Key setting from the drop-down menu or click Add to add a new discover SSH Key setting. For more information, see Discover SSH Key settings.

  8. Click OK to save the SSH key profile.

    Once saved you can edit the profile to add SSH key sync groups to your SSH key profile. For more information, see SSH Key Sync Groups settings.

SSH Key Profiles

SSH authorization keys are managed to maximize security over automated processes as well as sign-on by system administrators, power users, and others who use SSH keys for access. Safeguard for Privileged Passwords (SPP) performs the following.

NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

  • SPP provisions keys by creating a new key pair associated with a managed account. Any of the following methods can be used.
    • An authorized key is added in the target account on the target host. A managed account can have more than one authorized key, however only one key can be managed by SPP at a time.
    • An SSH key sync group is created for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize the SSH Key so the same key can be used to log into all systems.
    • A legacy SSH identity key is uploaded. The legacy SSH key is entrusted to SPP. When legacy SSH keys are exposed, SPP rotates them after they are checked in. SPP may rotate the keys after they are checked in if the Entitlement Policy > Access Configuration option specifies Change SSH Key after check-in.
  • SPP requests and rotates SSH keys based on the access request policy (key and session) as well as via A2A when A2A is configured to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single SSH key.
Supported implementations

SSH implementations supported include:

  • Access requests provide SSH identity keys include OpenSSH, SSH2, and PuTTY format.
  • For management, SPP supports OpenSSH file formats and Tectia
Supported key types and key lengths

SPP supports RSA, Ed25519, ECDSA, and DSA algorithms for SSH identity keys. Supported key lengths follow:

  • RSA: 1024, 2048, 4096, and 8192-bit

    Larger key sizes take longer to generate. In particular, a key size of 8192-bits may take several minutes.

  • DSA: fixed to 1024-bits
  • Ed25519: fixed to 32 bits
  • ECDSA: 256, 384, and 521 bits
Unsupported algorithms and key strings

SPP reads each line when parsing an authorized_keys file and attempts to extract the data. If a line is properly formatted according to the specification, SPP will report it as a discovered identity key. SPP recognizes keys with either the RSA or DSA algorithm. Other valid key types are still discovered by SPP and are identified as the Key Type of Unknown on the Discovered SSH Keys properties grid.

Management

It is the responsibility of the Appliance Administrator to manage the access request and SSH key passphrase management services.

SSH key change, check, and discovery can be toggled on or off. For more information, see Global Services.

Navigate to Asset Management > Profiles > SSH Key Profiles.

Table 166: SSH Key Management settings
Setting Description
Change SSH Key settings You can add, update, schedule, or remove SSH Key Change settings.
Check SSH Key settings You can add, update, schedule, or remove SSH Key Check settings.

Discover SSH Key settings

You can add, update, schedule, or remove SSH Key Discovery jobs.

SSH Key Sync Groups settings

You can add, update, schedule, or remove SSH Key Sync Group settings.

The Asset Administrator or a partition's delegated administrator defines the SSH key sync group for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize so the same key can be used to log into all systems.

Check SSH Key settings

Safeguard for Privileged Passwords requests and rotates SSH keys based on the access request policy (SSH key or SSH session requests) as well as via A2A configurations set up to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single managed SSH key.

SSH key check can be toggled on or off. For more information, see Global Services.

Navigate to Asset Management > Profiles > View SSH Key Profiles > Check SSH Key.

Table 167: Check SSH Key properties
Setting Description

Name

The name of the SSH key

Partition

The partition where the SSH key is managed

Description

Information about the SSH key

Schedule

Designates when the SSH key is checked

Use the following toolbar buttons to manage checking the SSH key.

Table 168: Check SSH Key: Toolbar
Option Description
Add

Add SSH key check settings.

Delete

Permanently remove the selected SSH key.

Edit Modify the selected SSH key.
Refresh

Update the list of SSH keys.

Search

To locate a value in this list, enter the character string to be used to search for a match. For more information, see Search box..

Adding SSH key check settings

It is the responsibility of the Asset Administrator or the partition's delegated administrator to define the rules Safeguard for Privileged Passwords uses to verify SSH keys.

Navigate to Asset Management > Profiles > View SSH Key Profiles > Check SSH Key.

To add an SSH key validation schedule

  1. Click Add to open the Check SSH Key Settings dialog.
  2. Enter a Name of up to 50 characters for the rule.
  3. Enter a Description of up to 255 characters for the rule.
  4. Browse to select a partition.
  5. Optionally, complete either of these settings:

    • Reset SSH Key on Mismatch: Select this option to automatically reset an SSH key passphrase when Safeguard for Privileged Passwords detects the SSH key passphrase in the appliance database differs from the SSH key passphrase on the asset.
    • Notify Delegated Owners on Mismatch: Select this option to trigger a notification when Safeguard for Privileged Passwords detects an SSH key passphrase mismatch.

      NOTE: To send event notifications to a user, you must configure Safeguard for Privileged Passwords to send alerts. For more information, see Configuring alerts.. Set up an email template for the Check Mismatch event type for passwords and SSH key passphrases.

  6. To change the Check SSH Key schedule, open the Schedule tab. The default is Never.
  7. In the Schedule dialog, select Run Every to run the job along per the run details you enter. (If you deselect Run Every, the schedule details are lost.)

    • Configure the following.

      To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

      Enter a frequency for Run Every. Then, select a time frame:

      • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

      For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

      Enter Every 10 Minutes and Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 PM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error as the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

      For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.

    • (UTC) Coordinated Universal Time is the default time zone. Select a new time zone, if desired.

    If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

  8. Click OK.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating