Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.0.1 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Managing SSH key profiles

Use the controls and tabbed pages on the Profiles page to perform the following tasks to manage SSH key profiles:

Adding an SSH key profile

It is the responsibility of the Asset Administrator to add SSH key profiles to Safeguard for Privileged Passwords.

To add an SSH key profile

  1. Navigate to Asset Management > Profiles > SSH Key Profiles.
  2. Click  New Profile from the toolbar.
  3. In the New SSH Key Profiledialog, enter the following information:
    1. Name: Enter a unique name for the partition. Limit: 50 characters.

    2. Description: (Optional) Enter information about this partition. Limit: 255 characters.

  4. Select a partition for the SSH key profile using the Browse button.

  5. On the Check SSH Key tab, select a previously defined check SSH Key setting from the drop-down menu or click Add to add a new check SSH Key setting. For more information, see Check SSH Key settings.

  6. On the Change SSH Key tab, select a previously defined change SSH Key setting from the drop-down menu or click Add to add a new change SSH Key setting. For more information, see Change SSH Key settings.

  7. On the Discover SSH Key tab, select a previously defined discover SSH Key setting from the drop-down menu or click Add to add a new discover SSH Key setting. For more information, see Discover SSH Key settings.

  8. Click OK to save the SSH key profile.

    Once saved you can edit the profile to add SSH key sync groups to your SSH key profile. For more information, see SSH Key Sync Groups settings.

SSH Key Profiles

SSH authorization keys are managed to maximize security over automated processes as well as sign-on by system administrators, power users, and others who use SSH keys for access. Safeguard for Privileged Passwords (SPP) performs the following.

NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

  • SPP provisions keys by creating a new key pair associated with a managed account. Any of the following methods can be used.
    • An authorized key is added in the target account on the target host. A managed account can have more than one authorized key, however only one key can be managed by SPP at a time.
    • An SSH key sync group is created for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize the SSH Key so the same key can be used to log into all systems.
    • A legacy SSH identity key is uploaded. The legacy SSH key is entrusted to SPP. When legacy SSH keys are exposed, SPP rotates them after they are checked in. SPP may rotate the keys after they are checked in if the Entitlement Policy > Access Configuration option specifies Change SSH Key after check-in.
  • SPP requests and rotates SSH keys based on the access request policy (key and session) as well as via A2A when A2A is configured to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single SSH key.
Supported implementations

SSH implementations supported include:

  • Access requests provide SSH identity keys include OpenSSH, SSH2, and PuTTY format.
  • For management, SPP supports OpenSSH file formats and Tectia
Supported key types and key lengths

SPP supports RSA, Ed25519, ECDSA, and DSA algorithms for SSH identity keys. Supported key lengths follow:

  • RSA: 1024, 2048, 4096, and 8192-bit

    Larger key sizes take longer to generate. In particular, a key size of 8192-bits may take several minutes.

  • DSA: fixed to 1024-bits
  • Ed25519: fixed to 32 bits
  • ECDSA: 256, 384, and 521 bits
Unsupported algorithms and key strings

SPP reads each line when parsing an authorized_keys file and attempts to extract the data. If a line is properly formatted according to the specification, SPP will report it as a discovered identity key. SPP recognizes keys with either the RSA or DSA algorithm. Other valid key types are still discovered by SPP and are identified as the Key Type of Unknown on the Discovered SSH Keys properties grid.

Management

It is the responsibility of the Appliance Administrator to manage the access request and SSH key passphrase management services.

SSH key change, check, and discovery can be toggled on or off. For more information, see Enable or Disable Services.

Navigate to Asset Management > Profiles > SSH Key Profiles.

Table 152: SSH Key Management settings
Setting Description
Change SSH Key settings You can add, update, schedule, or remove SSH Key Change settings.
Check SSH Key settings You can add, update, schedule, or remove SSH Key Check settings.

Discover SSH Key settings

You can add, update, schedule, or remove SSH Key Discovery jobs.

SSH Key Sync Groups settings

You can add, update, schedule, or remove SSH Key Sync Group settings.

The Asset Administrator or a partition's delegated administrator defines the SSH key sync group for an SSH key pair. The new key is generated for the sync group and configured for each of the synced accounts on the target host. All accounts in the SSH key sync group synchronize so the same key can be used to log into all systems.

Check SSH Key settings

Safeguard for Privileged Passwords requests and rotates SSH keys based on the access request policy (SSH key or SSH session requests) as well as via A2A configurations set up to request and retrieve SSH keys. Rotation is profile-based. Each managed account can have a single managed SSH key.

SSH key check can be toggled on or off. For more information, see Enable or Disable Services.

Navigate to Asset Management > Profiles > View SSH Key Profiles > Check SSH Key.

Table 153: Check SSH Key properties
Setting Description

Name

The name of the SSH key

Partition

The partition where the SSH key is managed

Description

Information about the SSH key

Schedule

Designates when the SSH key is checked

Use the following toolbar buttons to manage checking the SSH key.

Table 154: Check SSH Key: Toolbar
Option Description
Add

Add SSH key check settings.

Delete

Permanently remove the selected SSH key.

Edit Modify the selected SSH key.
Refresh

Update the list of SSH keys.

Search

To locate a value in this list, enter the character string to be used to search for a match. For more information, see Search box.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating