Keyfactor SSHClosed The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Management is designed to allow organizations to inventory and manage secure shell (SSH) keys across the enterprise. The solution consists of two elements; the SSH functionality on the Keyfactor Command Management Portal and the Keyfactor Bash OrchestratorClosed The Bash Orchestrator, one of Keyfactor's suite of orchestrators, is used to discover and manage SSH keys across an enterprise..

The Keyfactor Bash OrchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. runs on Linux servers and can be operated in two possible modes:

  • The orchestrator is used in inventory only mode to perform discovery of SSH public keys and associated Linux user accounts across multiple configured targets.

    Figure 291: SSH Key Discovery Flow

  • When operated in inventory and publish policy mode, the orchestrator can be used to add SSH public keys and Linux user accounts on targets and remove rogue keys that appear without authorization.

    Figure 292: SSH User Key Management Flow

As you work with SSH keys in Keyfactor Command, you will need to understand the difference between users, service accounts, and logons:

Typically, you would initially configure your servers in inventory only mode and scan the servers for any existing authorized_keys files containing SSH public keys. This is the discovery phase. Once the discovery phase is complete for a server or server group, you would then switch it to inventory and publish policy mode.

When a server is in inventory and publish policy mode, any new keys that appear in its authorized_keys files in a manner other than by distribution from Keyfactor Command are automatically deleted. This allows administrators to closely control who has access to the servers via SSH. Any keys and authorized_keys files that were in place before the switch to managed mode are synchronized to Keyfactor Command (see Unmanaged SSH Keys) but not removed from the Linux server. The administrator can choose to remove them through Keyfactor CommandSSH management once the switch to inventory and publish policy mode is made, if desired. Any keys placed on the Linux server via Keyfactor Command once the servers are in inventory and publish policy mode are considered managed keys and do not appear on the Unmanaged Keys page.

As SSH servers are scanned for SSH keys during the initial discovery phase, the Linux user accounts associated with these keys are synchronized to Keyfactor Command. These user accounts—logons—can be viewed on the Logons tab under Server Manager. Once each server is switched to inventory and publish policy mode, these logons can be managed and additional logons can be added to the Linux servers via Keyfactor CommandSSH management.

Example:  A large organization has dozens of Linux servers that have historically been accessed using SSH public key authentication. They don't know who has access to which servers using this method or what public keys are out on the servers. To get the keys under control, they first do discovery:
  1. Install the Keyfactor Bash Orchestrator on one Linux server in the environment.
  2. Copy the script, containing the public key of the orchestrator service account, from the orchestrator to the first ten Linux targets they want to bring under control.
  3. On each of the control targets, run the script. This creates a local user account and installs the orchestrator's SSH public key to allow the orchestrator to use SSH to remote into the control target to run inventory and publish policy.
  4. In the Keyfactor Command Management Portal, approve the new orchestrator (see Approving or Disapproving Orchestrators).
  5. In the Management Portal, create at least one server group, setting a scanning schedule of every hour (Interval = 1 hour) for the initial discovery phase and leaving the Enforce Publish Policy box unchecked (see Adding Server Groups).

    Figure 293: Add SSH Server Group for Discovery

  6. In the Management Portal, add one server record for the orchestrator and one for each control target (a total of 11 records added), making them members of the group created in the previous step and selecting the Inventory Only radio button on the Basic tab (see Adding SSH Servers).

    Figure 294: Add SSH Server for Discovery

  7. After allowing the discovery scans to run, review the logons (see Logons) and the keys discovered (see Unmanaged SSH Keys) to see what keys are out on the servers and who they belong to.

Now having a handle on what keys are on these ten target servers plus the orchestrator itself, they are now ready to bring these servers under management. To bring the servers under management, they:

  1. In the Management Portal, edit the record for the server group and check the Enforce Publish Policy box (see Editing or Deleting an SSH Server). This change will replicate to all servers in the group.
  2. In the Management Portal, use the Logons page to remove any Linux user accounts that should not be on the target servers (see Editing or Deleting a Logon).
  3. In the Management Portal, use the Unmanaged SSH Keys page to remove any public keys that are no longer needed from the target servers (see Deleting an Unmanaged Key).

These servers are now ready for ongoing management. The administrator is now ready to do discovery on the next group of servers, for which a second server group should be created.

See further examples in My SSH Key and Service Account Keys.

For more information about the orchestrator, see Bash Orchestrator in the Keyfactor Orchestrators Installation and Configuration Guide.

The options available in the SSH section of the Management Portal are: