Use SSH Key Discovery to Find Key Pairs

An administrator can install SSH keys to protect access to privileged accounts. When you initially deploy the appliance in your network, you configure the appliance to change your privileged account passwords. However, if you deploy the appliance after SSH keys are installed, changing the passwords does not stop the SSH keys from working. So, those privileged accounts are not fully secure.
SSH key discovery allows you to find these keys so you can remove them. Once removed, the privileged accounts are truly secure, and only the Privileged Access Manager can manage these privileged accounts. SSH key discovery does not manage private keys of privileged users.
SSH key discovery only occurs for application types Linux and UNIX.
The following topics explain how to run SSH key discovery:

Prerequisites

Before you perform SSH key discovery, complete the following prerequisites:
  • Enable Account Discovery at the target application and target account
  • Grant sudo permissions to the administrative account
  • Edit the sudoers file to disable password authentication
Enable Account Discovery at the Target Application and Target Account
SSH key discovery requires that you set up account discovery. For configuration instructions, see Account Discovery.
  1. Select a target application type that supports account discovery, such as UNIX.
  2. Optionally, configure the options on the Account Discovery tab. This tab does not enable account discovery; it defines other options. Account Discovery is enabled at the target account by selecting the Discovery Allowed checkbox.
    The options on the tab differ depending on the application type. For example, a UNIX application provides the UID and GID values or ranges, which limit the number of discovered accounts. The UID and GID settings are used in conjunction, so that the targets must satisfy both criteria to be discovered.
  3. Configure a target account to allow discovery. Add a target account, select the Password tab, and select the Discovery Allowed checkbox.
    The appliance uses only those accounts with Discovery Allowed enabled as credentials for discovery.
    If Discovery Allowed is checked, the "Allow multiple server discovery for this type of application" checkbox is also displayed for UNIX accounts. This checkbox lets the account act as a global discovery account for any server and application of this type. For example, if you have 20 servers with a common account and password, use one account and select this box. Then for any discovery job with this application type selected, this account is used as a credential for discovery.
Grant sudo Permissions to the Administrative Account
Grant sudo permissions to the administrative account doing the discovery on the remote target system. SSH key discovery skips any accounts with inadequate permissions.
An administrator can create SSH keys for specific privileged accounts. For SSH key discovery, the administrative account uses sudo with the following commands:
  • test
  • cat
  • date
  • ssh-keygen
To test whether an account has sufficient access, issue one of these commands while logged on using that account. For example:
sudo -l ssh-keygen
Successful commands echo the full command name, while failures report insufficient access:
Sorry, user user may not run sudo on [server].
Edit the sudoers File to Disable Password Authentication
If the administrative account uses only SSH key pairs instead of a password, configure the target server not to ask for a password.
To prevent the administrator from being prompted for a password, edit the sudoers file by adding a NOPASSWD entry for the account. For example:
jdoe ALL=(ALL) NOPASSWD: ALL
Follow these steps:
  1. On the remote target server, edit the sudoers file in the /etc directory.
  2. Find the entry for the administrative account.
  3. Add NOPASSWD to its entry. For example:
    jdoe ALL=(ALL) NOPASSWD: ALL
  4. Repeat for each server that is targeted for SSH key discovery.

Process to Discover Keys

To perform discovery of SSH keys, follow these steps:
  1. Create a scan profile.
  2. Run the scan and view results.
  3. View the scan results in the scan profile history.
  4. (Optional) Export the results to a CSV file.

Add and Run a Scan Profile

Start by adding a Scan Profile. Follow these steps:
  1. Select Credentials, Discovery.
  2. Select the Scan Profiles tab and select the ADD button.
    On the Profile tab, name the profile, and give it an optional description. Purge Interval sets the number of days after which devices that are discovered by this scan are deleted. Devices that have also been discovered by another profile are not deleted. The Purge Interval default is set on the Global Settings page, under Basic Settings, as Scan Purge Interval.
  3. On the Servers tab, move Available Servers to the Selected Servers column. The Available Servers list is populated by managed devices.
  4. Optionally, create a schedule to run the scan. Otherwise, skip to the next step to run the scan on demand.
    • Select the Schedule tab.
    • Select a Frequency. Other fields appear.
    • Select the appropriate time intervals.
    • Select OK to save the scan profile.
  5. Select OK to save the scan profile and return to the Device Scan Profiles list. Select the scan profile from the list and select RUN.
Selecting Delete for a highlighted Scan Profile deletes its scan profile history. It also deletes any accounts that are associated with that profile, unless they are associated with another profile.
Monitor the Scan
You can monitor the progress of a scan on the Scan Profile Jobs tab. You can also cancel the job on this panel by selecting CANCEL JOB. Once a job is complete, view a summary of its results on the Scan Profile History tab.
Tables in the Discovery area allow filtering by column values. You can use asterisks and percent signs as multiple-character wildcards.
The Scan Profile Jobs and other tables are refreshed according to the value of the Table Refresh Interval field. This field is on the first tab of the Global Settings page. The default refresh time is 60 seconds.

View the Scan Results

Select the Scan Profile History tab to view the results of the discovery scans. Each row shows a Scan Profile and its latest Discovery time. You can also select the buttons to view different aspects of a scan. The Summary also displays the number of errors encountered. These numbers refer only to the latest run of this scan profile.
For account discovery scans, see Account Discovery.
View Summary Details Display
The View Summary Details button opens the scan results window. The summary shows the following information:
  • A count of discovered keys, how many are new, and how many are not found. "Not found" keys were discovered by a previous run of the same scan profile, but are now missing.
  • The Scan Information tab displays the scan profile name and the job time.
  • The Discovered Keys, New Keys, and Not Found Keys tabs list the Account Names and SSH key fingerprints in each respective category.
The Logs tab displays a table including each action that is taken regarding this scan.
View Key Scan Results
To view key scan results, select a profile on the Scan Profile History page, then select the View Key Scan Results button. The following information about the discovered keys is available:
  • Account Name: One or more accounts that are associated with an SSH key. If you export the results to a CSV file, this field is named userIds.
  • Fingerprint: Shows the public key fingerprint as hex pairs separated by colons.
  • Key File Age: The number of days since the key file was last modified. This number of days might not be the age of the key itself.
  • Key Size: The size (or length) of the SSH key in bits.
  • Device Name: The server where the key was discovered. If you export the results to a CSV file, this field is named targetServerName.
  • Authorized Key File Name: The location of the authorized_keys file. The names of the SSH keys are stored in this file.
  • Is Managed (read only): If the appliance manages the SSH key, this checkbox is selected. To enable the appliance to manage a key, the existing keys at the remote target must first be revoked manually. Then, generate a new key pair with the appliance. Only SSH keys that are generated and deployed with Credential Manager are managed.
The Export button creates a CSV file with a row for each discovered account that is listed.
The View button opens the View Discovered Keys dialog for the Account Name whose box is checked. The dialog has a Basic Info tab and an Advanced Info tab. The Advanced Info tab displays log information that is not shown in the Account Scan results panel.

Discovered Keys

The Discovered Keys tab contains the same information as the View Key Scan Results.  From this tab, you can select accounts and view details about discovered keys.
View Discovered Keys
To open the View Discovered Key page for an account, select the account entry on the Discovered Keys page, then select View. The Basic Info tab of the page contains the same information as the Discovered Keys tab.
The Advanced Info tab provides the following additional information:
  • Key: Displays the entire public key, including the modulus or base64 key. For SSH protocol 1, only RSA is supported (rsa1). For SSH-2, base64 is displayed.
  • Key Instance: The authorized_keys text file can contain the same key more than once, so this field keeps such records distinct. Any duplicate keys have an incremented integer here, typically 1.
  • Key Type: Displays the type of SSH key.
  • Comment: SSH key generation allows inclusion of comments in the key file, which are displayed in this field if present.
  • Revoked: Some systems are configured to allow an SSH key to be revoked. Key discovery tests each key to see if it was revoked using the command "ssh-keygen -Q". If so, that is saved as a property.
  • Bubble Babble: Bubble Babble is an encoding method for binary data fingerprints. The Bubble Babble format renders the hexadecimal digits into pseudowords that can be pronounced more easily than a series of hexadecimal digits.
Export Discovered Keys to a File
You can export information about discovered SSH keys to a CSV file for use in spreadsheets and databases. To export all SSH keys, select the Discovered Keys tab. Select the Export button above the displayed list to generate a CSV file. To export data from a specific scan, select the Scan Profile History tab. Select a Scan Profile, then select View Key Scan Results. The Export button appears above the list of keys.
The exported CSV file contains more information than is displayed in the UI. In addition to what is found in the UI, the following fields are included:
  • targetApplicationName:
    The name of the target application
  • protocolVersion:
    SSH Protocol 1 or 2
  • options:
    Login options as included in the SSH key file
  • exponent:
    Part of SSH protocol 1 (RSA1) key, with values such as 65527
  • modulus:
    Part of SSH protocol 1 (RSA1) key, a long integer
  • base64Key:
    Part of SSH protocol 2 key, a long base64 representation of the public key
  • authorizedKeyFileTimestamp:
    The timestamp of the authorized key file, used to determine Key File Age field
  • lastLogin:
    Displays the last time that this key was used to log in, as determined by its last log entry. If the log file does not go far back enough, this field might be blank
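The Advanced Info fields (Key Type, Comment, Key Instance) and the CSV columns options and base64Key are all read from the authorized_keys entries themselves. The following Python, an added example rather than product code, parses an authorized_keys file into those fields using the SSH wire format; the sample keys are constructed inside the script, the colon-separated MD5 fingerprint format and the ssh-rsa/ssh-dss field layouts are assumptions, and revocation (ssh-keygen -Q) is not checked.

```python
# Parse an authorized_keys file into the fields SSH key discovery reports. Added example, not product code.
import base64
import hashlib
import re
import struct

def _ssh_string(data: bytes) -> bytes:  # SSH wire "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:  # SSH wire "mpint": big-endian, with a leading 0x00 when the top bit is set
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

# Constructed sample (not real credentials): a 2048-bit RSA key, and one ed25519 key listed twice,
# the first copy with login options, to exercise the Key Instance and options fields.
_RSA_B64 = base64.b64encode(_ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)).decode()
_ED_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup automation",
    f"ssh-rsa {_RSA_B64} backup@host1",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {_ED_B64} jdoe@laptop',
    f"ssh-ed25519 {_ED_B64} jdoe@laptop",
])
# key type, base64 blob, optional comment; whatever precedes the key type is the options field
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def key_size_bits(key_type: str, blob: bytes) -> int:
    if key_type in ("ssh-rsa", "ssh-dss"):  # Key Size = modulus length; wire fields: rsa type,e,n / dss type,p,q,g,y
        fields, off = [], 0
        while off < len(blob):
            (n,) = struct.unpack(">I", blob[off:off + 4])
            fields.append(blob[off + 4:off + 4 + n])
            off += 4 + n
        modulus = fields[2] if key_type == "ssh-rsa" else fields[1]
        return int.from_bytes(modulus, "big").bit_length()
    return 256 if key_type == "ssh-ed25519" else int(key_type[-3:])  # ed25519 or ecdsa curve size

def parse_authorized_keys(text: str) -> list:
    seen, records = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.search(line)
        if line.startswith("#") or not m:
            continue  # comment or unparsable line: skip it rather than guess
        key_type, b64, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        blob = base64.b64decode(b64)
        md5 = hashlib.md5(blob).hexdigest()  # assumption: colon-separated MD5, the legacy fingerprint format
        records.append({"keyType": key_type, "base64Key": b64, "comment": comment, "keySize": key_size_bits(key_type, blob),
                        "options": line[:m.start(1)].strip(), "keyInstance": seen.get((key_type, b64), 0),
                        "fingerprint": ":".join(md5[i:i + 2] for i in range(0, 32, 2))})
        seen[(key_type, b64)] = seen.get((key_type, b64), 0) + 1  # a repeated key gets an incremented instance number
    return records
```

Running `parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)` yields three records: the RSA key at 2048 bits, and two ed25519 records that share a fingerprint but carry Key Instance 0 and 1.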