Managing SSH Keys and Key Groups

  1. Overview
  2. Import the discovered keys to Password Manager Pro
  3. Create new keys and deploy them
  4. Associate existing keys with users and vice-versa. View key-user relationship
  5. Perform key management operations (edit, rotate, dissociate, delete) and launch direct terminal connections
  6. Organize SSH key groups for bulk management
  7. Miscellaneous Operations

1. Overview

Password Manager Pro allows you to manage the entire life cycle of SSH keys. The process starts with Password Manager Pro discovering the SSH resources in the network and follows the flow detailed below:

The steps indicated above only illustrate the flow of events in Password Manager Pro. You need not follow them in the order shown.

2. Import the Discovered Keys to Password Manager Pro

Password Manager Pro requires SSH user credentials for SSH key management. If the credentials are in place, you can import the SSH keys already discovered. To import the key files from the discovered SSH resource:

  1. Navigate to the SSH keys >> SSH keys tab in the GUI.
  2. The SSH keys are listed with their details. Select the keys you want to import.
  3. Click the Import button.

The imported keys can be viewed from the SSH keys >> SSH keys tab.

Note: If the keys are protected with a passphrase, the import operation will still execute successfully, but you need to enter the passphrase when associating the key with user accounts in order to use it.

2.1 Import Keys from Systems

In addition to the automated discovery of key files from the SSH servers, you can also specify the location, and import the keys present in any system. To import the key files from the system:

  1. Navigate to the SSH keys >> SSH keys tab in the GUI.
  2. Click the Import Keys icon available in the top-right corner of the window, above the table.
  3. Click the Browse button and select the key file within the system.
  4. Enter the name and passphrase of the key.
  5. Enter a Key Comment for your reference.
  6. Click the Add button to include the key in the repository.

Note: If the key is protected with a passphrase, then the same has to be entered to successfully import the key.

To edit the Key Comment of an already imported key, follow the steps below:

  1. Navigate to the SSH Keys >> SSH keys tab.
  2. Select the required key from the repository.
  3. Click the More drop-down from the top menu, choose Edit Comment and enter the required comment.
  4. Select the checkbox Update comment in associated servers to apply the updated key comment in the associated end servers as well. This option eliminates the need to update the key comments manually in the authorized_keys file in the end servers.

Note: Key Comment can be edited for only one key at a time.

3. Create New Keys and Deploy Them

Password Manager Pro also allows you to create new key pairs and deploy them on target systems. The create and deploy feature can be used for one-click generation and deployment of keys. A unique key pair is generated for each user account, and the corresponding keys are deployed automatically in the user accounts of the target servers.

The SSH key pair can be generated using RSA / DSA algorithms as per the details below:

RSA – 1024, 2048, or 4096 bit keys

DSA – 1024 bit keys.

To create keys:

  1. Navigate to SSH keys >> SSH keys >> Create.
  2. In the Create SSH Key window, enter the details of the key, and select the Key Type and Length.
  3. Click Create Key to generate the key pair.

You will get confirmation that the new key has been created. All the keys that are created are automatically added to the centralized repository of Password Manager Pro. You can view these keys from the SSH Keys >> SSH Keys tab in the user interface. Password Manager Pro allows you to search SSH Keys using Key Name, Key Type, Key Length, Finger Print, Created By, Age and additional fields.
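
As an added example (not Password Manager Pro code), the Python below derives the attributes the repository search exposes (key type, key length and fingerprint) from an OpenSSH public key line, and flags DSA keys and RSA keys under 2048 bits. The 2048-bit floor, the function names and the sample key builder are assumptions of this example; the sample modulus is constructed and is not a usable key.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumed policy floor, not a Password Manager Pro setting


def _read_string(blob, offset):
    """Read one length-prefixed field: 4-byte big-endian length, then the bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def describe_public_key(line):
    """Return type, bit length, SHA256 fingerprint and a weak flag for one key line."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type label does not match blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        size_field, off = _read_string(blob, off)   # modulus n
    elif key_type == "ssh-dss":
        size_field, off = _read_string(blob, off)   # prime p
    else:
        raise ValueError("unsupported key type: " + key_type)
    bits = int.from_bytes(size_field, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return {
        "type": key_type,
        "bits": bits,
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "comment": " ".join(fields[2:]),
        # ssh-dss has been disabled by default in OpenSSH since release 7.0
        "weak": key_type == "ssh-dss" or bits < MIN_RSA_BITS,
    }


def _mpint(value):
    """Encode a positive integer the way the key blob does (leading 0x00 if needed)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_rsa_line(bits, comment):
    """Constructed input: well-formed blob, but the modulus is not a usable key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```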

3.1 Viewing Key Passphrase

Administrators can view the passphrases of keys by clicking the show passphrase icon provided at the right end of the keys.

To create and associate keys with all the user accounts in a discovered resource:

  1. Navigate to the Resources >> Passwords.
  2. Select the required account and select Key Actions >> Create and Deploy to deploy the keys in all its enumerated user accounts.
  3. Enter the Key Comment and select the Key Type, and Key Length.
  4. Select the checkbox to Elevate to "root" user.

    Note: For security reasons root user login might be disabled for servers/machines. Enabling this option elevates a user login from a non-root user to a root user and allows you to associate keys to all other users in the server. Users have to provide root user and any non-root user credentials to Password Manager Pro to elevate to a root user.

  5. Click Deploy to create key pairs and deploy them simultaneously in all the user accounts of the resource for which credentials are available.

4. Associate Created or Existing Keys with Users and Vice-versa

After importing / creating keys, you can associate the keys with SSH users.

Note: If root user or administrator credential has been provided for a resource, keys can be associated with all enumerated user accounts of the resource. If there are no keys available in the Password Manager Pro database, then you will be prompted to create a key during association. Create a key pair and return to these steps.

4.1 Associating the Created or Imported Keys with User Accounts of a Single Resource

  1. Navigate to Resources >> Passwords 
  2. Select the user accounts for association.
  3. Click the Associate button under Key Actions. 
  4. Select a key and again click Associate.

4.2 Associate a Particular SSH Key to User Accounts

  1. Navigate to SSH keys >> SSH Keys tab.
  2. Select a key from the list displayed.
  3. Click the Associate button.
  4. In the Public Key Association window, select the user accounts to be associated.
  5. Select the checkbox to Elevate to "root" user.

    Note: For security reasons root user login might be disabled for servers/machines. Enabling this option elevates a user login from a non-root user to a root user and allows you to associate keys to all other users in the server. Users have to provide root user and any non-root user credentials to Password Manager Pro to elevate to a root user.

  6. Click Associate.

Now you have successfully associated a particular SSH key to user accounts.

5. Perform Key Management Operations (Edit, Rotate, Dissociate, Delete) and Launch Direct Terminal Connections

5.1 Rotate SSH Keys

You can configure Password Manager Pro to automatically rotate the SSH keys at periodic intervals. With a single click, all the deployed keys can be replaced. The keys can be rotated based on a schedule, or anytime based on your need.

5.2 Manual Key Rotation

To rotate the keys manually:

  1. Navigate to SSH keys >> SSH Keys tab.
  2. Select the keys to be rotated.
  3. Click the Rotate option.

A confirmation message will be displayed and you will be redirected to the Key Rotation audit page where the status of rotation is updated.

Note: Only the keys which have already been associated with user accounts of resources can be rotated.

5.3 Scheduled Key Rotation

To schedule the rotation of keys:

  1. Navigate to Admin >> SSH/SSL >> Schedule
  2. Click the Add Schedule button.
  3. In the Add Schedule window, enter a name for the schedule and select the type of schedule as Key rotation from the drop-down list.
  4. Select the keys to be rotated.
  5. Select the time and date for rotation. Enter the email addresses of the users to be notified.
  6. Click Save.

The result of the schedule execution will get updated in the Schedule audit and the result of the rotation of the keys will get updated in the Key Rotation audit.

5.4 Dissociate Keys from SSH Users

When an SSH user leaves the organization or is provided temporary privileged access, you can dissociate the keys associated with the user to discontinue access. Until you dissociate all the SSH keys, you cannot delete the user account or the resource.

To select the keys and dissociate them from the user accounts:

  1. Navigate to the SSH keys >> SSH Keys tab.
  2. Select a single key which has to be dissociated.
  3. Click the Dissociate button from the More drop-down list.
  4. If the key is associated with a single user account, select the checkbox Dissociate key locally if remote dissociation fails and click Ok in the confirmation dialog box to dissociate the key.
  5. If the key is associated with multiple user accounts, select the user accounts from which the key has to be dissociated, select the checkbox Dissociate key locally if remote dissociation fails and click the Dissociate button in the Dissociate Users window.

5.4.1 Dissociating Keys from Select User Accounts

  1. Navigate to the Resources >> Passwords tab.
  2. Select a user account for which you wish to dissociate keys and click Dissociate from the Key Actions option
  3. If the user account is associated with a single key, select Ok in the pop-up window.
  4. If more than one key is associated with the selected user, select the keys which have to be dissociated and click the Dissociate button in the Dissociate Keys window.

Note: When you select and delete the user accounts enumerated in Password Manager Pro, the SSH keys associated with them are automatically dissociated.

5.5 Push Keys to Remote User Accounts

In addition to deployment, Password Manager Pro allows you to push a private key or a public key or both onto its associated users.

To push a key file to remote user accounts:

  1. Click the Push Key to User icon at the extreme right of the selected key.
  2. Select whichever key needs to be pushed (private, public or both), provide the appropriate key names, select the required associated users and click Push.
  3. The key file(s) is/are pushed to the selected users.

This feature is also available as a part of Key Rotation schedule. After the scheduled key rotation is performed and fresh key pairs are created and deployed, you can automatically push either the private key or both the private and public keys onto its selected associated users by enabling the 'push key to user' option instead of pushing the key files manually after every scheduled rotation.

Add commands and restrict host per key

You can add commands to the public keys of specific user accounts. This provides an additional layer of restriction: on establishing a connection with the host, those accounts can execute only the specified commands. You can also predefine the key-to-user relationship by specifying the IP address of the user in the format given below.

To add a command to a public key:

  1. Navigate to Resources >> Passwords.
  2. Select the user account for which you want to add a command and click Add Command from the Key Actions option.
  3. An Add Command dialog box opens, where you can add the commands to be executed in the following format, i.e., (command="usr/local/bin/").

To restrict hosts for a key, click Add Command and provide the names or IP addresses of the hosts in the following format, i.e., (from="host1/ip1,host2/ip2").

5.6 Edit Authorized_keys File

You can fetch authorized_keys files from various user accounts, edit the key content and push them to respective user accounts from Password Manager Pro.

To do this,

  1. Navigate to Resources >> Passwords tab
  2. Select the required user account and click on Edit Authorized Keys from the Key Actions option
  3. A window opens displaying the list of public keys in the authorized_keys file of the respective user. The keys that are managed using Password Manager Pro are highlighted.
  4. You can now edit the contents of the keys displayed, and deploy them back to the respective user accounts by clicking the Push button.
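
The command= and from= formats shown under "Add commands and restrict host per key" follow the OpenSSH authorized_keys option syntax, in which options precede the key on the same line of the file edited in section 5.6. The added example below (not Password Manager Pro code) parses those options and lists which keys lack either restriction; the sample file, script path and host names are constructed.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# Options field: a run of bare characters or double-quoted strings (\" allowed inside).
OPTION_FIELD = re.compile(r'((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+(.+)')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

# Constructed sample: key material is placeholder text; paths and hosts are hypothetical.
SAMPLE = '''# authorized_keys (constructed)
command="/usr/local/bin/backup.sh",from="10.0.0.5,backup.example.com" ssh-rsa AAAAB3NzaC1yc2E= backup@constructed
from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2E= ops@constructed
ssh-rsa AAAAB3NzaC1yc2E= legacy@constructed
'''


def parse_entry(line):
    """Return {'options', 'type', 'comment'} for a key line, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.startswith(KEY_TYPES):
        match = OPTION_FIELD.fullmatch(line)
        if match is None:
            raise ValueError("malformed options or unterminated quote")
        for opt in OPTION.finditer(match.group(1)):
            value = opt.group(2)
            # Valueless options (e.g. no-pty) are stored as True.
            options[opt.group(1).lower()] = True if value is None else value.replace('\\"', '"')
        line = match.group(2)
    fields = line.split(None, 2)
    return {"options": options, "type": fields[0],
            "comment": fields[2] if len(fields) > 2 else ""}


def audit_authorized_keys(text):
    """List (line number, comment, missing restrictions) for every key entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is not None:
            missing = [o for o in ("command", "from") if o not in entry["options"]]
            findings.append((lineno, entry["comment"], missing))
    return findings
```

A comma inside a quoted from= list does not split the option, and a line with an unterminated quote is rejected rather than silently treated as unrestricted.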

5.7 Delete Keys

When you try to delete SSH keys from the Password Manager Pro repository, they are first dissociated automatically from their user accounts. Key deletion fails for the SSH keys that are not dissociated from all their user accounts.

To delete the SSH Keys:

  1. Navigate to the SSH keys >> SSH Keys tab.
  2. Select the keys to be deleted.
  3. Click the Delete button from the More drop-down list.
  4. Click OK in the confirmation window.

6. Organize SSH Keygroups for Bulk Management

Password Manager Pro lets you create groups of resources for easy organization and to carry out operations in bulk. You can assign, delete, or modify a group in the same way as a single resource.

The list of items available in a group is enumerated in their respective tabs. You can drill down to the individual items by clicking the name of a group.

6.1 SSH Key Group Management: Create Key Groups

To create a group of SSH keys:

  1. Navigate to SSH keys >> Keys Group.
  2. Click the Add group button. You will be redirected to the Add key group window.
  3. Enter the name of the group. Take care while choosing the name since it cannot be edited later.
  4. You can choose the resources to be added in a group in 2 ways:
    • By Specific key – Select the keys to be added to the group, individually.
    • By Criteria – This serves as dynamic key grouping. You specify the exact criteria based on which you want to create the group. You can search for specific keys based on their name, type, length, or creator, and filter the search in a fine-grained manner using conditions such as "contains", "does not contain", "equals", "not equal", "starts with" and "ends with". Click the Matching Keys button at the bottom-right corner of the window to see the corresponding keys.
    • Note: If you select the By Criteria option, the conditions specified also apply to keys that are discovered later. If any of those keys match the criteria, they will be automatically included in the new group.

  5. Click Save.

In addition, you can directly select individual keys from the SSH keys >> SSH Keys tab and click the Create Group button for faster group creation.

6.2 Edit Key Groups

To make changes to an existing key group:

  1. Navigate to SSH keys >> Keys Group.
  2. Click the Edit icon present in the right corner of the table view.
  3. You can change the key selection type and edit the keys available in a group or add, modify, or delete the filters applicable to a group.

Once you make changes to the group and save, a message will be displayed confirming the update of the changes.

Note: The name of the group cannot be modified. However, you can add or modify the description and the list of keys available in it.

6.3 Rotate Keys of a Key Group

To rotate all the keys of a key group:

  1. Navigate to SSH keys >> Keys Group
  2. Select the key groups and click the Rotate button.

You will be redirected to the Key rotation audit window where the status of key rotation is updated.

6.4 Delete Key Groups

To delete a key group:

  1. Navigate to SSH keys >> Keys Group
  2. Select the key groups and click the Delete button.

A pop-up window will appear to make sure that the selected groups are to be deleted. Click OK to delete the groups.

7. Miscellaneous Operations

7.1 Customize User Home Directory

You can customize the home directories of the users, i.e., the location where the public key is to be deployed. To do this:

  1. Navigate to Resources >> Passwords.
  2. Click Edit User Path from the Key Actions dropdown.
  3. Enter the modified path and click Save.

7.2 Export SSH Keys

To export key files by selecting them from the resources with which they are associated:

  1. Navigate to the Resources >> Passwords tab in the GUI
  2. Click the name of the resource in which the key is deployed and click the Export button.

To export the key files by selecting each key:

  1. Navigate to the SSH keys >> SSH Keys tab.
  2. Click the Export SSH key icon available in the right corner of the table view corresponding to the required key.
  3. Select the destination folder and file name and click Save.

Note: Even while exporting, the passphrases used to protect the keys are still in effect. That is, if the keys are to be used elsewhere, the passphrases have to be provided.

7.3 SSH Key Audits

Audits are generated when SSH keys are associated or rotated using Password Manager Pro. These reports are available in the SSH keys tab.

  1. Key Association Audit – View the result of the spontaneous, and scheduled, key association operations executed using Password Manager Pro.
  2. Key Rotation Audit – View the status of the spontaneous, and scheduled, key rotation operations executed using Password Manager Pro.

7.4 View SSH Key History

Using Password Manager Pro you can view the history of each SSH key, from the moment it was created or imported, and the subsequent rotations along with time-stamps.

To view the history of any key:

  1. Navigate to the SSH keys >> SSH Keys tab.
  2. Select a single key and click Key History.

7.5 Export Discovered Keys Report

A report of the discovered keys can be exported as PDF, or to an email id. To export the report:

  1. Navigate to the SSH keys >> Discovered keys tab in the GUI.
  2. Select a single key.
  3. Click the Export button. You can export the report to the system as a PDF file, or to the desired email addresses.
    • PDF – Export and save the report of the discovered keys as a PDF in the system.
    • Email – Specify the email addresses to which the report of the discovered SSH keys is to be exported.