What is an SSH Key?

A Secure Shell (SSH) key is an access credential that is similar to a password. These keys are used to manage access to servers in a company’s Unix/Linux environment. SSH keys can be comparable to a very long digit passcode, the length of which depends on the encryption used for the key. These keys always come in pairs, with one key as the public key and the other as the private key. The pair works together to encrypt and decrypt information.

Why should SSH Keys be managed?

SSH keys can be used by hackers to gain access to an environment. One key can provide access to a network for an attacker and allow them to create permanent access keys. It allows an attacker to move laterally throughout a network going from server to server. If a key is used to provide root or admin access to a machine, it can allow the installation of malware.

How to manage SSH Keys in Secret Server

The easiest way to manage your SSH keys in Secret Server is to use the Discovery feature. It will also give you an idea of all the SSH keys in your environment. Follow these steps to discover SSH keys.

Discovering SSH Keys

1. Navigate to Administration > Discovery. Enable Discovery if it is not enabled already.

2. Click Create Discovery Source > Select Unix and fill out the information for the subsequential Tabs.

3. Name the Discovery Source.

4. Enter an IP Scan Range that will be used to determine the machines that the Secret Server will scan. Multiple entries of IP ranges should be their own line.

5. Select the Site you want Discovery to be performed with.

6. Select the Secret you want Secret Server to scan your environment with or create a Secret for the account. The template for the Secret can be the Generic Discovery Credential template or a specific Unix template. The scanning account needs the ability to login and execute sudo without a password prompt.

7. By default, the Unix Discovery Source you just created doesn’t have the SSH Public Key scanner out-of-the-box, so you will need to add it. Navigate to the Discovery main page (Admin > Discovery) and click on the Discovery Source name.

8. Click on the Scanner Settings.

9. In the Find Accounts section, click the “+” symbol next to Add New Account Scanner. If the Settings page doesn’t open up right away after adding a new scanner, click the pencil symbol on the far-right side of the screen to navigate to the Settings page.

10. In the Settings page, click the Add Secret link for the Scanner and select the Secret that has the ability to login and execute sudo for the selected IP Range. These permissions are necessary to navigate each user’s home directory on a machine in search of SSH public key entries in the user’s <user home directory>/.ssh/authorized_keys file.

11. After running Discovery, navigate to Discovery Network View and click on the Public Key section.

12. Select the key you want to import. A wizard to guide the import of the key will appear. Select the Secret template you have created for SSH key management or select an out-of-the-box template. {Unix Account (SSH Key Rotation) or Unix Account (Privileged Account SSH Key Rotation)} NOTE: If you want to enable certain features that aren’t enabled on a template’s out-of-the-box state, then duplicate the template, name it, and enable the features. It is best practice to leave the out-of-the-box templates as they are so you can resort back to the template’s original state if needed.

13. After filling out your information for the Secret tab, click the Private Key tab. There are two options listed: “I have the matching private key” and “I want to change the public SSH key on the account”. The first option allows you to upload a file and passcode that pairs with the public key, in the Import Key tab. There will be a “Test SSH key pair match with discovered public key” button, which will determine if the keys match. The second option should be selected if you wish to manage or take over the public key when you import it. All selected public keys to import will be managed and given a new random SSH key.

14. The Initial Takeover tab provides an Add Secret link to select a Secret to be used for the takeover of the key. The Secret should be an account with Unix sudo or su permissions.

15. For the Key Rotation tab, select a Secret for the account that will be used for future rotations of the key. It should also have Unix sudo or su permissions. You can also control this by assigning a privileged account at the Secret Policy level.

16. Click the Finish button and import the key to create a Secret.

Rotating SSH Keys Delinea lists the following requirements on the machine being managed to use their SSH key rotation commands:

• SSH key logins should be enabled on the target using keys in OpenSSH format. A Secret can be created with keys in PuTTY format but they will be converted to OpenSSH when the key is rotated.

• Public keys should be stored in [~userhome]/.ssh/authorized_keys (not authorized_keys2).

• Grep and Sed should be installed on the target.

• If doing a privileged SSH key rotation, where a privileged user sets the key for another user, the privileged user must have sudo permissions that do not prompt for a password and the permissions to edit the user’s authorized_keys file with sudo.

From <https://docs.thycotic.com/secrets/current/admin/encryption-and-security/ssh-key-rotation/ssh-key-rotation-basic>   There are two templates out-of-the-box for SSH key rotation in Secret Server. The first one, Unix Account (SSH Key Rotation), will be used if the account is able to change its own password and should be changed through Secret Server. The second one, Unix Account (Privileged Account SSH Key Rotation), should be used if the account is unable to change its own password and may be changed outside of Secret Server, which means Secret Server may not have the current credentials for the account. Rotating SSH Keys using the Secret’s Credentials

1. From the Secrets you imported from Discovery, select a Secret using the Unix Account (SSH Key Rotation) template.

2. If you haven’t already, upload the private key file to the Secret and enter a passphrase for the private key if necessary.

3. It is recommended, though not required, to upload a public key as well. Secret Server is capable of generating a public key from the private key during a rotation, but it could fail if the key in authorized_keys doesn’t match the generated one.

4. When you are ready to rotate the key, click the Change Password Now button in the upper right of the Secret page. It will prompt you to manually enter what the next password will be or you can select Randomly Generated. Note: It is possible to make the randomly generated password meet a certain requirement by editing the Template’s password requirement or from the Security tab of a Secret.

5. For the SSH key, a similar option is provided. You can generate a new SSH key or upload what the next private key will be in a textbox.

6. Click change to start the password and key rotation.

Rotating SSH Keys using a Privileged Account

1. Follow steps 1-3 from the section above (Rotating SSH Keys using the Secret’s Credentials), only now you will be selecting the Unix Account (Privileged SSH Key Rotation) Template.

2. There are multiple ways to assign the privileged account, which will be used to rotate the key and password.

a. The account can be assigned on an individual Secret level. Go to the Remote Password Changing tab of the Secret and click Edit. Select the bubble next to Privileged Account and select the Secret for the account which will be used to for rotation.

b. The account can be assigned through the Secret Template of the Secret. Go to Admin > Secret Templates > and select the Secret Template you are using for the Secret. It is best practice to duplicate an out-of-the-box template if you are making custom changes. Navigate to the Mapping tab of the Secret Template and link the Secret next to Privileged Account.

c. The account can be assigned through a Secret Policy as well. Either edit an existing policy or create one from the Admin > Secret Policies page. On the Remote Password Changing tab, link the Secret of the privileged account. The Secret Policy will have to be applied to the Secret directly or through inheritance from the folder.

3. When you are ready to rotate the key, click the Change Password Now button in the upper right of the Secret page. It will prompt you to manually enter what the next password will be or you can select Randomly Generated. Note: It is possible to make the randomly generated password meet a certain requirement by editing the Template’s password requirement or from the Security tab of a Secret.

4. For the SSH key, a similar option is provided. You can generate a new SSH key or upload what the next private key will be in a textbox.

5. Click Change to start the password and key rotation.

If you want to learn more about how Privileged Access Management (PAM) tools can help you manage your accounts, visit our PAM and PAMaaS pages.