My SSH Key

On the My SSHClosed The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Key page, any user with the SSH User Keyfactor Command role permission (see SSH Permissions) can generate an SSH key pairClosed In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. for himself or herself. If the user has previously generated a key pair through Keyfactor Command, it will be displayed here. In this interface a user can view only his or her own key pair; keys for any other Keyfactor Command users are not accessible.

Example:  An administrator wants to provision new user Zed Adams and grant him access to login via secured SSH using PuTTY to three Linux servers controlled by the Keyfactor Bash OrchestratorClosed The Bash Orchestrator, one of Keyfactor's suite of orchestrators, is used to discover and manage SSH keys across an enterprise.. The servers are set to both inventory and publish policy. To accomplish this, the administrator:
  1. Adds Zed's AD account to the AD group that grants him the SSH User role permission in Keyfactor Command and allows him to login to the Management Portal.

  2. Directs Zed to login to the Management Portal, go to the My SSH Key page and generate a new key pair (see Generating a New Key). She instructs him to enter the following information in the form:

  3. Instructs Zed to download the SSH private key and use the PuTTY Key Generator tool to open the key and convert it to the PuTTY format:

    1. Click Load and browse to locate the downloaded private key. This key is named something like SSH-Key-KEYEXAMPLE-zadams.identity.

    2. In the Parameters section of the page, select Ed25519 as the type of key to generate.

    3. Click Save private key and save the private key in the PuTTY format (*.ppk) in a safe location on the local machine.

    Figure 296: Use PuTTY Key Generator to Convert Zed's Private Key

  4. Uses the Keyfactor Command Management Portal to create Linux logons for Zed on each of the three servers that Zed should have access to and map Zed's new public keyClosed In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. to these three logons (see Editing Access to an SSH Server Group).

    Figure 297: Create Logons and Mappings for Zed

    Note:  The three servers that Zed needs access to are in a server group so the administrator can create Zed's logons and map his key using the Access Management option on the Server Group page. If the servers were in different server groups or the server group contained servers to which Zed should not have access, the administrator would need to create the logons and mappings separately for each server using the Access Management option on the Servers page (see Editing Access to an SSH Server).
  5. Waits for the logons to be created on the three servers and the public key to be published to them. The time that this takes depends on the frequency of the server group synchronization schedule (see Adding Server Groups).

  6. Instructs Zed to configure PuTTY to use the private key for authentication, providing also connection information for the three Linux servers to which he will be connecting.

    Figure 298: Configure PuTTY to Use Zed's Private Key

  7. Confirms that Zed is able to successfully connect using secured SSH to each of the three servers.

This information is included for a key:

The date on which the SSH key pair was generated.

The date on which the SSH key pair is considered to have reached the end of its lifetime. By default, the lifetime of an SSH key pair is 365 days (see Application Settings: SSH Tab).

A number of cryptographic algorithms can be used to generate SSH keys. Keyfactor Command supports RSA, Ed25519, and ECDSA. RSA keys are more universally supported, and this is the default key typeClosed The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519). when generating a new key.

The key lengthClosed The key size or key length is the number of bits in a key used by a cryptographic algorithm. available when generating a new key depends on the key type selected. Keyfactor Command supports 256 bits for Ed25519 and ECDSA and 2048 or 4096 bits for RSA. The default key length is 2048.

The email address of the user requesting the key. This email address is used to alert the user when the key pair is approaching the end of its lifetime (see Key Rotation Alerts).

The user-defined descriptive comment, if any, on the key. Although entry of an email address in the comment field of an SSH key is traditional, this is not a required format. The comment may can contain any characters supported for string fields, including spaces and most punctuation marks.

The fingerprint of the public key. Each SSH public key has a single cryptographic fingerprint that can be used to uniquely identify the key.

The public key of the key pair.

Figure 299: Key Information for an SSH User Key

Tip:  Click the help icon () next to the My SSH Key page title to open the embedded web copy of the Keyfactor Command Documentation Suite to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.