SSH Key Authentication for Accessing UNIX/LINUX Targets

For SSH access to a UNIX/Linux target server, you can use SSH key pairs instead of a password to authenticate a client to an SSH server.
To configure SSH key authentication, you must:
  1. Create an SSH key pair policy using the UI or generate a key pair using a third-party utility. If you use a utility, copy the key pair to a local system from which you can upload them into the credential database.
  2. Create a UNIX target application and select the SSH Key pair policy that you created.
  3. Configure a target account that is associated with the UNIX target application. For the account, set the Protocol field to SSH-2 Public Key Authentication.
  4. Create an access policy that uses the SSH key pair.
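If you take the third-party utility route in step 1, the key pair has to be produced and checked before it is uploaded. The script below is an added example written for this page, not the product's own code: it generates a key pair with OpenSSH's ssh-keygen, sets the file permissions the private key needs, prints the SHA256 fingerprint that you can compare with the fingerprint the UI shows, and confirms that the public key file really is the public half of the private key (a mismatched pair is the usual reason a freshly uploaded account fails verification). It assumes ssh-keygen is installed and that the private key is uploaded without a passphrase, since the appliance must use it unattended; the key name and comment are arbitrary. Although the key policy offers DSA, OpenSSH has disabled ssh-dss by default since version 7.0, so RSA is the practical choice for current target servers.

```shell
#!/bin/sh
# Added example (not the product's code): generate an SSH key pair for upload
# into the credential database and verify the pair before uploading it.
# Assumptions: OpenSSH ssh-keygen is installed; the private key carries no
# passphrase (-N "") because the appliance uses it without a human present.
set -eu

# gen_keypair DIR NAME TYPE BITS
# Writes DIR/NAME (private) and DIR/NAME.pub (public) with restrictive modes.
gen_keypair() {
    dir=$1; name=$2; ktype=$3; bits=$4
    mkdir -p "$dir"
    chmod 700 "$dir"
    # -q quiet, -f output path, -C comment stored in the public key,
    # -N "" empty passphrase (required for an unattended upload)
    ssh-keygen -q -t "$ktype" -b "$bits" -N "" -C "pam-managed-$name" -f "$dir/$name"
    chmod 600 "$dir/$name"        # private key: owner read/write only
    chmod 644 "$dir/$name.pub"    # public key may be world-readable
}

# fingerprint_of PUBKEY_FILE -> prints only the SHA256 fingerprint, which is
# the value to compare against the fingerprint shown by the key policy Test.
fingerprint_of() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# keypair_matches PRIVATE_KEY PUBLIC_KEY_FILE -> exit 0 when the public key
# file equals the public half derived from the private key, 1 otherwise.
keypair_matches() {
    derived=$(ssh-keygen -y -f "$1" | awk '{ print $1 " " $2 }')
    stored=$(awk '{ print $1 " " $2 }' "$2")
    [ "$derived" = "$stored" ]
}

# Usage: sh make_keypair.sh OUTPUT_DIR
if [ $# -gt 0 ]; then
    gen_keypair "$1" unixtarget rsa 3072
    echo "fingerprint: $(fingerprint_of "$1/unixtarget.pub")"
    if keypair_matches "$1/unixtarget" "$1/unixtarget.pub"; then
        echo "private and public key match; ready to upload"
    else
        echo "MISMATCH: do not upload this pair" >&2
        exit 1
    fi
fi
```

Run it as `sh make_keypair.sh ./keys`, then upload `keys/unixtarget` as the private key and `keys/unixtarget.pub` as the public key in the target account; the printed fingerprint should reappear on the target in `ssh-keygen -lf ~/.ssh/authorized_keys` once the account has been verified.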
Complete the following procedures:
Create an SSH Key Pair Policy with the UI
For the appliance to generate an SSH key pair, configure an SSH key policy. The key policy specifies the characteristics of the key pair, specifically the cryptographic algorithm and the key size. When you update the target account that uses the key pair, the appliance pushes the public key to the target device.
Follow these steps:
  1. Select Credentials, Manage Targets, SSH Key Pair Policies.
  2. Select Add.
  3. Provide a unique Name for the policy.
  4. (Optional) Provide a Description for the policy.
  5. Select the Key Type: RSA or DSA.
  6. Specify the Key Length. The drop-down list shows the options available for the key type.
  7. Select Test.
     A message displays that the options are acceptable and shows the sample SSH public key fingerprint.
  8. Select OK.
After you create a key pair, you can select it when you configure a target application.
Select the SSH Key Policy for the UNIX Target Application
Remember to configure a UNIX/LINUX target device before you create a target application.
Follow these steps:
  1. Select Credentials, Manage Targets, Applications.
  2. Select Add.
  3. In the Add Target Application dialog, complete the fields, selecting UNIX for the Application Type.
     Several more tabs populate the page.
  4. Select the SSH-2 tab.
  5. In the SSH Key Pair Policy field, select the key pair policy.
  6. Select OK.
Add the SSH Key Pair to a Target Account
Follow these steps:
  1. Select Credentials, Manage Targets, Accounts.
  2. Select Add.
  3. Complete the fields, noting the following specific entries:
     • Application Name: Search for and select the UNIX target application that you created.
     • Account Name: Enter a valid account name on the target device.
     • Protocol: Select SSH-2 Public Key Authentication.
  4. Do one of the following tasks:
     • For the appliance to generate the key pair, select the keys icon next to the Private key box.
     • To upload keys that are generated by a utility, select Choose File next to the Private and Public key boxes. Browse to the relevant file on your local system.
  5. Select the Password tab and, for the Synchronized setting, select Update both the Password Authority Server and the target system.
  6. Select OK.
     In the list of target accounts, a green checkmark in the Verified column next to the specific account indicates that the keys were verified.
Create an Access Policy that Uses the SSH Keys
After you configure your target components, you can manage access to the target server by creating a policy.
Follow these steps:
  1. Select Policy, Manage Policies.
  2. Select Add.
  3. On the Association tab, select the user.
  4. On the Access tab, select SSH:22.
  5. For that access method, search for the target account you created earlier.
  6. Select OK.
Test SSH Access using SSH Key Authentication
The appliance can now authenticate to the UNIX target using the SSH key pair. When the appliance connects to the target using SSH, it presents the private key, and the target server authenticates the access request using the public key that was pushed to the account.
Follow these steps:
  1. As the user, log in to the UI and select the Access page.
  2. Select the SSH icon for the target server to launch an SSH session.
  3. When the command window opens, view the public key by entering:
    cat .ssh/authorized_keys
Securing Privileged Accounts that use SSH Keys
Privileged Access Manager secures privileged accounts by preventing users from knowing the account passwords. When you initially deploy the appliance in your environment, you configure the appliance to change the passwords for those accounts. If SSH keys for those privileged accounts exist before you deploy the appliance, changing the passwords does not prevent the existing SSH keys from working. So, those privileged accounts are not fully secure.
SSH key discovery allows you to seek out these keys so you can remove them. Once removed, the privileged accounts are truly secured; you can only use them through the appliance. Learn how to use SSH key discovery by reading Use SSH Key Discovery to Find Key Pairs.
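The check in the test procedure above (`cat .ssh/authorized_keys`) shows only one account's keys, and the paragraph above explains why every pre-existing key on a managed account matters. The script below is an added example written for this page; it is not the product's SSH key discovery feature. It walks a home-directory tree, parses each authorized_keys entry, computes the SHA-256 digest of the key blob (the same digest ssh-keygen -lf reports, here in hex rather than base64) and flags entries that carry no options such as from= or restrict, so an administrator can list what is installed on an account before or after placing it under appliance management and remove keys that should not be there. It assumes POSIX sh with awk, base64 and sha256sum from GNU coreutils; the sample home tree it builds is constructed for the demonstration, with placeholder key bytes that parse but belong to no real key, and quoted option values containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not the product's SSH key discovery feature: audit every
# authorized_keys entry below a root directory so pre-existing keys on managed
# accounts can be reviewed and removed.
# Assumptions: POSIX sh with awk, base64 -d and sha256sum (GNU coreutils).
set -eu

# parse_entry LINE -> "KEYTYPE BLOB OPTIONS COMMENT"
# OPTIONS is "options" when the entry has a prefix such as from= or restrict,
# else "no-options". Quoted option values containing spaces are not handled.
parse_entry() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) break   # the key blob field
        if (i > NF || i < 2) { print "unknown - unknown -"; exit }
        print $(i-1), $i, (i > 2 ? "options" : "no-options"), (i < NF ? $(i+1) : "-")
    }'
}

# key_digest_hex BLOB -> hex SHA-256 of the decoded key blob. ssh-keygen -lf
# reports the same digest base64-encoded as "SHA256:...".
key_digest_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | sha256sum | cut -c1-64
}

# audit_authorized_keys ROOT -> one line per key:
#   USER KEYTYPE DIGEST OPTIONS COMMENT
# Comment lines and blank lines in authorized_keys are skipped.
audit_authorized_keys() {
    for f in "$1"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        grep -Ev '^[[:space:]]*(#|$)' "$f" | while IFS= read -r line; do
            set -- $(parse_entry "$line")
            printf '%s %s %s %s %s\n' "$user" "$1" "$(key_digest_hex "$2")" "$3" "$4"
        done
    done
}

# fill CHAR -> 43 copies of CHAR, the placeholder body of a constructed blob
fill() { awk -v c="$1" 'BEGIN { for (i = 0; i < 43; i++) printf "%s", c }'; }

# make_sample_home DIR: constructed /home-like tree with three entries. The
# blobs start with the real ed25519 wire prefix and continue with placeholder
# bytes, so they decode and digest but are not usable keys.
make_sample_home() {
    root=$1
    mkdir -p "$root/alice/.ssh" "$root/svc-backup/.ssh"
    prefix='AAAAC3NzaC1lZDI1NTE5AAAAI'
    k1="$prefix$(fill A)"; k2="$prefix$(fill B)"; k3="$prefix$(fill C)"
    cat > "$root/alice/.ssh/authorized_keys" <<EOF
# keys installed by the previous administrator
ssh-ed25519 $k1 alice@laptop

ssh-ed25519 $k2 old-contractor@example.com
EOF
    printf 'from="10.20.30.0/24",restrict ssh-ed25519 %s backup-job\n' "$k3" \
        > "$root/svc-backup/.ssh/authorized_keys"
}

# Usage: sh audit_keys.sh [ROOT]   (no ROOT: audit the constructed sample tree)
if [ $# -gt 0 ]; then
    audit_authorized_keys "$1"
else
    demo=$(mktemp -d); make_sample_home "$demo"; audit_authorized_keys "$demo"; rm -rf "$demo"
fi
```

Run `sh audit_keys.sh /home` as root on a target to list the keys installed for every local account; an entry marked `no-options` with an unfamiliar comment, such as the old-contractor key in the sample, is exactly the kind of pre-existing key that keeps working after the appliance rotates the account password and should be removed.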