Managing SSH Keys and Key Groups

SSH keys serve as a secure means of authentication and establishing encrypted connections between a client and server. They offer a highly secure alternative to password-based authentication for remote logins and file transfers. Widely employed in system administration and secure network communication, SSH keys deliver enhanced security, convenience, and automation features while decreasing reliance on passwords. By adhering to best practices in key generation, management, and usage, one can maximize the advantages and overall security provided by SSH keys. PAM360 allows you to manage the entire life-cycle of SSH keys of your SSH resources.

The sequence below illustrates the typical flow of SSH key events in PAM360. You do not have to follow the steps in exactly this order.

  1. SSH Resource Discovery
  2. Elevating Privilege for SSH Keys Management
  3. Discover SSH Keys from the SSH Resources
  4. Import the Discovered Keys to PAM360
  5. Create New Keys and Deploy
  6. Associating the SSH Keys with the User Accounts
  7. SSH Key Management Operations (Rotate, Edit, Push, Dissociate, Delete)
  8. Organize SSH Key Groups for Bulk Management
  9. Miscellaneous Operations

1. SSH Resource Discovery

SSH key management starts with the SSH resource discovery process. To discover SSH keys from your organization's resources via PAM360, the respective SSH resources must first be added to the PAM360 repository. You can add SSH resources manually or through the Linux resource discovery process.

Note: The term SSH keys here refers only to the private keys of the SSH resources.

2. Elevating Privilege for SSH Keys Management

To discover, associate, deploy, and rotate SSH keys, PAM360 requires a remote login method, a login account for authentication, and privilege elevation configured with root privileges. To configure these requirements:

  1. Navigate to Resources >> All My Passwords >> Resources.
  2. Click the Resource Actions icon beside the respective SSH resource and click Configure Remote Password Reset.
  3. Select the desired Remote Login Method, Landing Server (if configured), and enter the Port details (if modified).
  4. Select the remote login account that has to be used for authentication with the respective authentication method.
  5. Select the privilege elevation method: 'su' as root or Use 'sudo'. If you choose 'su' as root, select the root account with the sudo privilege. If you choose Use 'sudo', the account used for remote login is granted root privileges for further operations.
  6. Now, click Save.

3. Discover SSH Keys from the SSH Resources

To discover the private keys associated with the accounts of the added/discovered SSH resources,

  1. Navigate to Resources >> All My Passwords >> Resources and click on the respective Linux resource.
  2. Select the user accounts from which the SSH keys are to be discovered, or select the accounts in bulk.
  3. Now, click Discover Keys from the top pane.
  4. The SSH keys present in the selected user accounts are discovered in PAM360, with the relevant audit details.
  5. You can view the discovered SSH keys in the SSH Keys >> Discovered Keys tab.

4. Import the Discovered Keys to PAM360

PAM360 requires the SSH key passphrase for SSH key management. If the credentials are in place, you can import the SSH keys that have already been discovered. To import the key files from a discovered SSH resource:

  1. Navigate to the SSH Keys >> Discovered Keys tab in the GUI.
  2. The SSH keys are listed with their details. Select the keys you want to import.
  3. Click the Import button.

The imported keys can be viewed from the SSH Keys >> SSH Keys tab.

Note: If a key is protected with a passphrase, the import operation still completes successfully, but you need to enter the passphrase when associating the key with user accounts in order to use it.

4.1 Import Keys from Systems

In addition to discovering key files from the SSH resources, you can also specify a location and import the keys present on any system. To import key files from a system:

  1. Navigate to SSH Keys >> SSH Keys >> More and click Import Keys.
  2. Click the Browse button and select the key files on the system.

    Note: You can import SSH keys from systems either individually or in bulk. If you opt for the individual import process, enter the passphrase of the respective SSH key. For the bulk import process, the selected SSH keys must either share the same passphrase or be passphrase-free.

  3. Enter the name and passphrase of the key.
  4. Enter a Key Comment for your reference.
  5. Click the Add button to include the keys in the SSH key repository.
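Before a bulk import it helps to know which key files are passphrase-protected, since a bulk import only works when the selected keys are all passphrase-free or all share one passphrase. The following Python script is an added example and not part of PAM360: it inspects the private key file headers (legacy PEM encryption headers and the cipher name in the OpenSSH key container) and splits a set of constructed sample keys into those that can go into one bulk import and those that need an individual import.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def _openssh_cipher(b64_body: str) -> str:
    """Read the cipher name from an 'openssh-key-v1' container.

    Layout: MAGIC, then length-prefixed strings ciphername, kdfname,
    kdfoptions. A ciphername of "none" means no passphrase was set."""
    raw = base64.b64decode(b64_body)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    off = len(MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii")

def is_passphrase_protected(key_text: str) -> bool:
    """True if this private key file needs a passphrase to be used."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-framed private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return _openssh_cipher("".join(lines[1:-1])) != "none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # encrypted PKCS#8
        return True
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by headers
    return any(ln.startswith(("Proc-Type: 4,ENCRYPTED", "DEK-Info:"))
               for ln in lines[1:4])

def plan_bulk_import(keys: dict) -> dict:
    """Split {name: key_text} into keys that can share one bulk import
    (passphrase-free) and keys needing an individual import, or a separate
    bulk import grouped by hand with others that use the same passphrase."""
    plan = {"bulk": [], "individual": []}
    for name, text in sorted(keys.items()):
        plan["individual" if is_passphrase_protected(text) else "bulk"].append(name)
    return plan

# --- constructed samples: not real keys, only the headers are meaningful ---
def _openssh_container(cipher: str) -> str:
    """Build an openssh-key-v1 header (no key payload) with the given cipher."""
    def s(b): return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    raw = MAGIC + s(cipher.encode()) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                    "Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
OPENSSH_PLAIN = _openssh_container("none")
OPENSSH_ENCRYPTED = _openssh_container("aes256-ctr")
SAMPLE_KEYS = {"deploy-a": LEGACY_PLAIN, "deploy-b": OPENSSH_PLAIN,
               "ops-1": LEGACY_ENCRYPTED, "ops-2": OPENSSH_ENCRYPTED}

if __name__ == "__main__":
    print(plan_bulk_import(SAMPLE_KEYS))
```

Whether two protected keys share the same passphrase cannot be told from the file alone, so keys in the "individual" list still have to be grouped by passphrase by hand before a bulk import.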

To edit the Key Comment of an already imported key, follow the steps below:

  1. Navigate to the SSH Keys >> SSH Keys tab.
  2. Select the required key from the repository.
  3. Click the More drop-down from the top menu, choose Edit, and enter the required comment.
  4. Select the checkbox 'Update the comment in the authorized keys file of the associated user(s) account' to apply the updated key comment on the associated end servers as well. This option eliminates the need to update the key comments manually in the authorized_keys file on the end servers.

    Note: The Key Comment can be edited for only one key at a time.

5. Create New Keys and Deploy

PAM360 also allows you to create new key pairs and deploy them on target systems. The create and deploy feature of PAM360 can be used for one-click generation and deployment of keys. Unique key pairs are generated for each user account, and the corresponding keys are deployed automatically in the user accounts of the target servers.

The SSH key pair can be generated using the following algorithms and key lengths:

  • RSA – 1024, 2048, or 4096-bit keys
  • DSA – 1024-bit keys
  • ECDSA – 256, 384, or 521-bit keys
  • ED25519

5.1 To Create SSH Keys

  1. Navigate to SSH Keys >> SSH Keys tab in the GUI.
  2. Click the Create option.
  3. In the Create SSH Key window, enter the details of the key, and select the key type and length.
  4. Click the Create Key button to generate the key pair.

You will get a confirmation that the new key has been created. All created keys are automatically added to the centralized repository of PAM360. You can view these keys in the SSH Keys >> SSH Keys tab of the user interface. PAM360 allows you to search SSH keys by Key Name, Key Type, Key Length, Fingerprint, Created By, Age, and additional fields (if available).

Administrators can view the passphrases of keys by clicking on the show passphrase icon provided at the right end of the keys.

5.2 Create SSH Keys and Deploy

To create and associate keys with all the user accounts in a discovered resource:

  1. Navigate to Resources >> All My Passwords >> Passwords.
  2. Select the required account and select Create and Deploy under the Key Actions in the top pane to deploy the keys in all its enumerated user accounts.
  3. Select the Key Comment, Key Type, and Key Length.
  4. Select the checkbox to Elevate to "root" user.

    Note: For security reasons, root user login might be disabled for servers/machines. Enabling this option elevates a user login from a non-root user to a root user and allows you to associate keys with all other users on the server. Users have to provide root user and any non-root user credentials to PAM360 to elevate to a root user.

  5. Click the Deploy button to create key pairs and deploy them simultaneously in all the user accounts of the resource for which the credential is available.

6. Associating the SSH Keys with the User Accounts

After importing/creating keys, you can associate the keys with SSH users.

Note: If a root user or administrator credential has been provided for a resource, keys can be associated with all enumerated user accounts of the resource. If there are no keys available in the PAM360 database, then you will be prompted to create a key during association. Create a key pair and return to these steps.


6.1 Associating the SSH Keys with the User Accounts

  1. Navigate to Resources >> All My Passwords >> Passwords.
  2. Select the user accounts for the association.
  3. Click the Associate button under the Key Actions from the top pane.
  4. Enable the following permission as required with respect to the SSH key:
    1. Use private key to login to this account instead of password
    2. Map private key locally, if remote key association fails
  5. Select a key and click the Associate button.

6.2 Associating the SSH Keys with the Resources

  1. Navigate to SSH Keys >> SSH Keys.
  2. Select an SSH key from the list displayed and click the Associate button.
  3. In the Public Key Association window, select the user accounts.
  4. Select the checkbox to Elevate to "root" user.

    Note: For security reasons, root user login might be disabled for servers/machines. Enabling this option elevates a user login from a non-root user to a root user and allows you to associate keys with all other users on the server. Users have to provide root user and any non-root user credentials to PAM360 to elevate to a root user.

  5. Click the Associate button.

You have now successfully associated a particular SSH key with the resources/user accounts.

7. SSH Key Management Operations (Rotate, Dissociate, Push, Edit, Delete)

7.1 Rotate SSH Keys

You can configure PAM360 to rotate the SSH keys at periodic intervals automatically. With a single click, all the deployed keys can be replaced. The keys can be rotated based on a schedule or anytime based on your need.

i. Manual Key Rotation

To rotate the keys manually:

  1. Navigate to SSH Keys >> SSH Keys.
  2. Select the keys to be rotated.
  3. Click the Rotate option.
  4. In the pop-up that opens, enable the options you require from the following and click Rotate:
    1. Push private key file to remote user account
    2. Push public key file to remote user account
    3. Use keyname as filename

A confirmation message will be displayed, and you will be redirected to the Key Rotation Audit page, where the status of rotation is updated.

Note: Only the keys which have already been associated with user accounts of resources can be rotated.

ii. Scheduled Key Rotation

To schedule the rotation of keys:

  1. Navigate to Admin >> SSH/SSL Config >> Schedules.
  2. Click the Add Schedule button.
  3. In the Add Schedule window, enter a name for the schedule and select the type of schedule as Key Rotation from the drop-down list.
  4. Select the keys to be rotated.
  5. Enable the options you require from the following:
    1. Push private key file to remote user account
    2. Push public key file to remote user account
  6. Select the Recurrence Type, Start Time, and Start Date for rotation. Enter the email addresses of the users with the Subject, Content, and Signature to be notified.
  7. Click Save.

The result of the scheduled execution is recorded in the Key Audit, and the result of the key rotation itself is recorded in the Key Rotation Audit.

7.2 Dissociate Keys from SSH Users

When an SSH user leaves the organization or was granted only temporary privileged access, you can dissociate the keys associated with the user account and discontinue that access. Until you dissociate all the SSH keys, you cannot delete the user account or the resource.

i. Dissociate Key from User Accounts

  1. Navigate to SSH Keys >> SSH Keys.
  2. Select a single key that has to be dissociated.
  3. Click Dissociate from the More drop-down list.
  4. If the key is associated with a single user account, select the checkbox Dissociate key locally if remote dissociation fails, and click OK in the confirmation dialog box to dissociate the key.
  5. If the key is associated with multiple user accounts, select the user accounts from which the key has to be dissociated, select the checkbox Dissociate key locally if remote dissociation fails, and click Dissociate in the Dissociate Users window.

ii. Dissociate Keys from Selected User Account

  1. Navigate to Resources >> All My Passwords >> Passwords.
  2. Select a user account for which you wish to dissociate keys and click Dissociate Keys from the Key Actions column.
  3. If the user account is associated with a single key, select OK in the pop-up window.
  4. If more than one key is associated with the selected user, select the keys which have to be dissociated and click the Dissociate button in the Dissociate Keys window.

    Note: When you select and delete the user accounts enumerated in PAM360, the SSH keys associated with them are automatically dissociated.

7.3 Push Keys to Remote User Accounts

In addition to deployment, PAM360 allows you to push a private key, a public key, or both onto the associated user accounts.

i. To push a key file to remote user accounts:

  1. Navigate to SSH Keys >> SSH Keys.
  2. Click the Push Key to User icon beside the selected key.
  3. Select the key(s) that need to be pushed (private, public, or both), provide the appropriate key names, select the required associated users, and click Push.
  4. The key file(s) are pushed to the selected users.

This feature is also available as part of the Key Rotation schedule. After a scheduled key rotation has created and deployed fresh key pairs, enabling the 'push key to user' option in the schedule automatically pushes either the private key or both the private and public keys onto the selected associated users, so that you do not have to push the key files manually after every scheduled rotation.

ii. Add commands and restrict hosts per key:

You can add commands to specific user accounts, thereby providing an additional layer of restriction: on establishing a connection with the host, those accounts can only execute the specified commands. You can also predefine the key-to-user relationship by specifying the hosts or IP addresses from which the user may connect, in the format given below.

To add a command to a public key,

  1. Navigate to Resources >> All My Passwords >> Passwords.
  2. Select the user account for which you want to add a command and click on Add Command from the Key Actions column.
  3. An Add Command dialog box opens, where you can add the commands to be executed in the following format: command="usr/local/bin/script.sh"

To restrict hosts for a key, click Add Command and provide the names or IP addresses of the hosts in the following format: from="host1/ip1,host2/ip2"

7.4 Edit Authorized Keys File

You can fetch the authorized keys files of various user accounts, edit the key contents, and push them back to the respective user accounts from PAM360. To do this:

  1. Navigate to Resources >> All My Passwords >> Passwords.
  2. Select the required user account and click on Edit Authorized Keys from the Key Actions column.
  3. A window opens displaying the list of public keys in the authorized keys file of the respective user. The keys that are managed using PAM360 are highlighted.
  4. You can now edit the contents of the keys displayed and deploy them back to the respective user accounts by clicking the Push button.
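The command= and from= options described in 7.3 are standard OpenSSH authorized_keys options, and the entries shown in the Edit Authorized Keys window follow the same line format. The following Python parser is an added example and not PAM360's code: it reads authorized_keys lines (options, key type, key material, comment) from a constructed sample file, reports the forced command and allowed source hosts applied to each key, and composes an option string in the format the Add Command dialog expects.

```python
import re

# Recognised key types (the algorithms PAM360 can generate keys for)
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
_TYPE_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s")

def _split_options(opts: str) -> dict:
    """Split 'command="a b",from="h1,h2",no-pty' on commas outside quotes."""
    out, buf, quoted = {}, [], False
    for ch in opts + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            item = "".join(buf).strip()
            buf = []
            if item:
                name, _, val = item.partition("=")
                out[name] = val.strip('"') if val else True  # flag options -> True
        else:
            buf.append(ch)
    return out

def parse_authorized_key(line: str) -> dict:
    """Return {options, type, key, comment} for one authorized_keys line,
    or {} for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {}
    m = _TYPE_RE.search(line)  # options, if any, precede the key type
    if not m:
        raise ValueError(f"no recognised key type in: {line[:40]!r}")
    options = _split_options(line[:m.start(1)]) if m.start(1) else {}
    fields = line[m.start(1):].split(None, 2)
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}

def restrictions(entry: dict) -> dict:
    """Summarise the command and host restrictions applied to one key."""
    opts = entry["options"]
    return {"forced_command": opts.get("command"),
            "allowed_from": opts["from"].split(",") if "from" in opts else None}

def build_options(command=None, from_hosts=None) -> str:
    """Compose the option prefix in the format the Add Command dialog uses."""
    parts = []
    if command:
        parts.append(f'command="{command}"')
    if from_hosts:
        parts.append('from="' + ",".join(from_hosts) + '"')
    return ",".join(parts)

def load_authorized_keys(text: str) -> list:
    return [e for e in (parse_authorized_key(l) for l in text.splitlines()) if e]

# Constructed sample authorized_keys content (the key material is not real)
SAMPLE = """# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0000000000000000 ops@pam360
command="/usr/local/bin/script.sh",from="host1,10.0.0.5",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed backup@pam360
"""

if __name__ == "__main__":
    for e in load_authorized_keys(SAMPLE):
        print(e["type"], e["comment"], restrictions(e))
```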

7.5 Delete Keys

When you try to delete the SSH keys from the PAM360 repository, they are first dissociated automatically from their user accounts. Key deletion fails for the SSH keys that are not dissociated from all their user accounts.

To delete the SSH Keys:

  1. Navigate to the SSH Keys >> SSH Keys tab.
  2. Select the keys to be deleted.
  3. Click the Delete button from the More drop-down list.
  4. Click OK in the confirmation window.

8. Organize SSH Key Groups for Bulk Management

PAM360 lets you create key groups for easy organization and for carrying out operations in bulk. You can assign, delete, or modify a group in the same way as a single SSH key. The items available in a group are listed in their respective tabs, and you can drill down to the individual items by clicking the name of a group.

8.1 Create Key Groups

To create a group of SSH keys:

  1. Navigate to SSH Keys >> Keys Group.
  2. Click the Add Group button. You will be redirected to the Add Key Group window.
  3. Enter the name of the group. Choose the name carefully, since it cannot be edited later.
  4. You can choose the keys to be added to a group in two ways:
    • By Specific key – Select the keys to be added to the group individually.
    • By Criteria – This serves as a dynamic key grouping. You specify the exact criteria on which the group is based. You can search for specific keys by their name, type, length, or creator and refine the search with conditions such as "contains", "does not contain", "equals", "not equal", "starts with", and "ends with". Click the Matching Keys button at the bottom-right corner of the window to see the corresponding keys.

    Note: If you select the By Criteria option, the specified conditions also apply to keys that are discovered later. Any such key that matches the criteria is automatically included in the group.

  5. Click Save.

In addition, you can directly select individual keys from the SSH Keys >> SSH Keys tab and click the Save button for faster group creation.
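To make the By Criteria behaviour concrete, here is an added Python example (not PAM360's code) that evaluates the six conditions over the name, type, length, and creator fields of a constructed key repository, and shows that a criteria-based group picks up a key discovered later while a specific-key group does not. The record layout and case-sensitive matching are assumptions of this example.

```python
from dataclasses import dataclass

# Conditions offered for a criteria-based key group
OPERATORS = {
    "contains": lambda v, t: t in v,
    "does not contain": lambda v, t: t not in v,
    "equals": lambda v, t: v == t,
    "not equal": lambda v, t: v != t,
    "starts with": lambda v, t: v.startswith(t),
    "ends with": lambda v, t: v.endswith(t),
}
FIELDS = ("name", "type", "length", "creator")  # searchable key attributes

@dataclass(frozen=True)
class Criterion:
    field: str
    operator: str
    value: str

    def matches(self, key: dict) -> bool:
        if self.field not in FIELDS or self.operator not in OPERATORS:
            raise ValueError(f"unsupported criterion: {self.field} {self.operator}")
        # every attribute is compared as text, so a length of 2048 matches "2048"
        return OPERATORS[self.operator](str(key[self.field]), self.value)

class KeyGroup:
    """A key group populated either by specific keys or by criteria
    (exactly one of the two, as in the Add Key Group window)."""
    def __init__(self, name: str, specific=None, criteria=None):
        if (specific is None) == (criteria is None):
            raise ValueError("choose either specific keys or criteria")
        self.name = name
        self.specific = set(specific or ())
        self.criteria = list(criteria or ())

    def members(self, repository: list) -> list:
        """Evaluate membership against the current repository. A criteria
        group is dynamic: keys discovered after creation that match all
        criteria are included; a specific-key group never grows on its own."""
        if self.criteria:
            return [k["name"] for k in repository
                    if all(c.matches(k) for c in self.criteria)]
        return [k["name"] for k in repository if k["name"] in self.specific]

# Constructed sample repository (attribute values are illustrative)
REPOSITORY = [
    {"name": "prod-web-01", "type": "RSA", "length": 4096, "creator": "admin"},
    {"name": "prod-db-01", "type": "ECDSA", "length": 256, "creator": "admin"},
    {"name": "dev-box", "type": "RSA", "length": 2048, "creator": "alice"},
]
PROD_RSA = KeyGroup("prod-rsa", criteria=[Criterion("name", "starts with", "prod"),
                                          Criterion("type", "equals", "RSA")])
PINNED = KeyGroup("pinned", specific=["prod-web-01"])

def after_discovery() -> tuple:
    """Simulate a later discovery and return both groups' membership."""
    repo = REPOSITORY + [{"name": "prod-app-02", "type": "RSA",
                          "length": 2048, "creator": "bob"}]
    return PROD_RSA.members(repo), PINNED.members(repo)
```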


8.2 Edit Key Groups

To make changes to an existing key group:

  1. Navigate to SSH Keys >> Keys Group.
  2. Click the Edit icon present in the right corner of the table view.
  3. You can change the key selection type and edit the keys available in a group or add, modify, or delete the filters applied to a group.

Once you save the changes to the group, a message confirms that the changes have been updated.

Note: The name of the group cannot be modified. However, you can add or modify the description and the list of keys available in it.


8.3 Rotate Keys of a Key Group

To rotate all the keys of a key group:

  1. Navigate to SSH Keys >> Keys Group.
  2. Select the key groups and click the Rotate button.

You will be redirected to the Key Rotation Audit window, where the status of key rotation is updated.

8.4 Delete Key Groups

To delete a key group:

  1. Navigate to SSH Keys >> Keys Group.
  2. Select the key groups.
  3. Click the Delete button.

A pop-up window appears asking you to confirm that the selected groups are to be deleted. Click OK to delete the groups.

9. Miscellaneous Operations

9.1 Customize User Home Directory

You can customize the home directories of the users, i.e., the location where the public key is to be deployed. To do this:

  1. Navigate to Resources >> All My Passwords >> Passwords.
  2. Click the Edit User Path from the Key Actions column dropdown.
  3. Enter the modified path and click Save.

9.2 Export SSH Keys

To export key files by selecting them from the resources with which they are associated:

  1. Navigate to the Resources >> All My Passwords >> Passwords tab in the GUI.
  2. Click the name of the resource in which the key is deployed and click the Export button.

To export the key files:

  1. Navigate to the SSH Keys >> SSH Keys tab.
  2. Click the Export Keys icon available in the right corner of the table view corresponding to the required key.

Note: Even while exporting, the passphrases used to protect the keys are still in effect. That is, if the keys are to be used elsewhere, the passphrases have to be provided.


9.3 SSH Key Audits

Audits are generated when SSH keys are associated or rotated using PAM360. These reports are available in the SSH Keys tab.

  1. Key Association Audit – View the result of the spontaneous and scheduled key association operations executed using PAM360.
  2. Key Rotation Audit – View the status of the spontaneous and scheduled key rotation operations executed using PAM360.

9.4 View SSH Key History

Using PAM360, you can view the history of each SSH key, from the moment it was created or imported, and the subsequent rotations along with time stamps.

To view the history of any key:

  1. Navigate to the SSH Keys >> SSH Keys tab.
  2. Select a single key.
  3. Click the Key History button.

9.5 Export Discovered Keys Report

A report of the discovered keys can be exported as a PDF or sent to an email address. To export the report:

  1. Navigate to SSH Keys >> Discovered Keys.
  2. Select a single key.
  3. Click the Export button. You can export the report to the system as a PDF file or to desired email addresses.
    • PDF – Export and save the report of the discovered keys as a PDF in the system.
    • Email – Specify the email addresses to which the report of the discovered SSH keys is to be exported.