SSH Logon Operations
On the Logons tab of the Server Manager page you can view all the Linux user accounts associated with authorized_keys files containing valid SSH public keys. The logons shown here include both those discovered on SSH servers during the initial discovery phase using the orchestrator and those created in Keyfactor Command and published to the SSH servers using the orchestrator.
On this tab you can create new logons, see the number of keys associated with each logon, and create mappings between Keyfactor Command users and the logons in order to allow the orchestrator to publish new SSH keys for those users to the SSH servers (see SSH).
Figure 353: Linux Logons Grid
Add or Edit Access for an SSH Logon
Before adding a new logon, be sure that you have switched the server to which you will add your logon (or its server group) to inventory and publish policy mode (see Server Manager) so that the new logon will be published to the server. If the server is in inventory only mode and you add a new logon for it in Keyfactor Command, the logon will appear in Keyfactor Command only and will not be published out to the server.
To add a new logon or edit access for an existing one:
- In the Management Portal, browse to SSH > Server Manager.
- On the Server Manager page, select the Logons tab.
- On the Logons tab, click Add or Edit.
Figure 354: Add a Linux Logon—Basic Tab
- In the Add Logon dialog on the Details tab, enter a Linux Username for the user.
Tip: If you have enabled SSSD support for your Keyfactor Bash Orchestrator and are adding a domain user, specify the user in username@domain format, for example bbrown@keyexample.com (or, depending on SSSD configuration such as the case-sensitivity setting, BBROWN@keyexample.com). Note that the logon may be modified by the SSSD configuration file in ways that Keyfactor Command cannot know about. Refer to SSH-SSSD Case Sensitivity Flag for guidance on what to enter based on how the SSSD case sensitivity flag is configured.
Note: This field cannot be modified on an edit.
- In the Servers with Publish Policy dropdown on the Details tab, select an available SSH server on which to create the logon. Only servers that are configured in inventory and publish policy mode (see Server Manager) will appear in this dropdown. This field is required.
Note: This field cannot be modified on an edit.
- On the Access Management tab in the Users & Groups with Login Access dropdown, select a user or service account to associate the logon with. Only accounts that have keys stored in Keyfactor Command or that have been designated as server group owners will appear in the dropdown. If desired, you may enter an Active Directory group name in this field. This will cause the keys stored in Keyfactor Command for any Active Directory users that are members of this group to be mapped to the selected Linux logon and published to the server on which the Linux logon exists. Any Active Directory users that are members of this group but who do not have keys stored in Keyfactor Command will not be mapped to the selected Linux logon. Click Add. The Access Management tab is optional.
Tip: For keys created through the My SSH Key portal (see My SSH Key Operations), a Keyfactor user is an Active Directory user account. For keys created through the Service Account Keys page (see Service Account Key Operations), a Keyfactor user is a user-generated service account name of the form servicename@hostname.
Figure 355: Add a Linux Logon—Access Management Tab
- Click Save to save the new logon.
Figure 356: Creating Linux Logon to Keyfactor User Mappings Using Active Directory Groups
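
After a logon has been saved and published, the key count shown in the grid can be cross-checked against the authorized_keys content on the server. The following is an added example, not Keyfactor code: it parses authorized_keys text per Linux logon and counts only lines whose base64 blob decodes and whose embedded algorithm name matches the declared key type. The logon names, key comments and key bodies in SAMPLE are constructed, and this validity check is the example's own assumption about what counts as a valid key.

```python
import base64
import struct

# Standard OpenSSH public key algorithm names accepted by this example.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_key_line(line):
    """Return (key_type, comment) for a well-formed key line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options such as from="..." may precede the key type, so scan for it.
    for i, tok in enumerate(fields[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob starts with a length-prefixed copy of the algorithm name.
            (n,) = struct.unpack(">I", blob[:4])
        except (ValueError, struct.error):
            continue
        if blob[4:4 + n] == tok.encode():
            return tok, " ".join(fields[i + 2:])
    return None

def keys_per_logon(files):
    """Map {linux_username: authorized_keys text} to lists of valid keys."""
    return {user: [k for k in map(parse_key_line, text.splitlines()) if k]
            for user, text in files.items()}

def sample_blob(key_type, body=b"\x00" * 32):
    # Builds a constructed, non-functional key blob for the sample data.
    t = key_type.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(body)) + body
    return base64.b64encode(raw).decode()

ED_A, ED_B = sample_blob("ssh-ed25519"), sample_blob("ssh-ed25519", b"\x01" * 32)
# Constructed sample: logon names, comments and key bodies are made up.
SAMPLE = {
    "bbrown": "\n".join([
        "# constructed sample file",
        "ssh-ed25519 " + ED_A + " bbrown@keyexample.com",
        'from="10.0.0.0/8",command="echo hi" ssh-ed25519 ' + ED_B + " svc_backup@appsrv01",
        "ssh-rsa " + ED_A + " mismatched-type",
        "ssh-ed25519 not-base64!! broken",
    ]),
    "jsmith": "",
}

if __name__ == "__main__":
    print({u: len(k) for u, k in keys_per_logon(SAMPLE).items()})
```

A line that this check rejects but that still appears in a logon's authorized_keys file is worth reviewing by hand, as is any key whose comment does not correspond to a user or service account mapped to that logon.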
Delete an SSH Logon
To delete a logon, highlight the row in the logons grid and click Delete at the top of the grid or right-click the logon in the grid and choose Delete from the right-click menu.