SSH Key Management

Automated SSH Key enrolment, distribution & life-cycle management


Like any method of authentication, SSH logins are governed by corporate IAM, which in its simplest form answers the question: who can access, and where? Usually the source of truth for this is the corporate LDAP directory, in many cases Active Directory (AD), which holds the relation between identities and the locations they are allowed to access. With SSH keys the landscape is very different: no such single source exists; instead, authorization information is scattered across the Unix/Linux server estate itself. If a company hosts 100 servers, there are 100 individual decision (or breach) points for access. As one access can lead to another, the real figure can be much larger.
The problem many organizations face today is that their IAM solutions do not support SSH keys as a method of login. Technically speaking, existing IAM solutions are unable to bridge the gap between the numerous authorizations within a Unix/Linux server estate and the identities and authorizations held in the centrally managed AD/LDAP.

RCDevs helps you to

Centrally manage your SSH keys


Many, or even all, Unix and Linux logins go ungoverned, without the ability to determine which key belongs to which identity and whether the access is in breach of company IAM guidelines. In practice, this means that an unknown identity may log in with a key that is not even known to exist. To make things worse, SSH logins are generally used for privileged access, the most critical form of access.
RCDevs' SpanKey solution provides SSH key life-cycle management, from self-service web enrolment and automated key distribution to auditing of unwanted access and renewal of outdated keys. SpanKey operates on standard LDAP/AD, with authorizations managed in the same central location as the related identities. The SpanKey solution is designed to support even the largest IT estates.

Main features

Entitlement and Identity Management
Instead of managing SSH authorizations and related key policies (entitlements) on individual hosts, by hand or with custom scripts, they are stored in the existing central entitlement and identity store, normally the corporate AD/LDAP, where roles are governed by adding users to and removing them from the relevant LDAP groups. That is, a standard LDAP group can carry details about expiration, usage and other key entitlements, which are then automatically enforced on the hosts and identities that are members of that group.
The workflow for requesting and accepting key access, as well as key renewals, is handled through easy-to-use web self-services, which can be embedded in existing IAM frameworks via, for example, standard SAML or ADFS. Thanks to the OpenOTP capabilities embedded in SpanKey, the self-services also natively support multi-factor authentication, ranging from YubiKeys and PIV cards to soft tokens, QR codes, on-demand SMS OTP and more.
Authentication and Authorization
With SpanKey, the decision to grant access is moved from individual hosts to a centralized SpanKey server, and thereby ultimately to the corporate AD/LDAP. This is accomplished via the SpanKey agent, which hooks into the SSH authentication process through the standard Unix/Linux Pluggable Authentication Module (PAM) framework. This not only simplifies the overall authentication process but makes it significantly more secure, because authorization data is no longer under the control of accounts stored locally on hosts, but of the centrally controlled AD/LDAP.
Monitoring SSH key access has a dual purpose in the scope of IAM life cycle management:

To detect and report any SSH (not only key-based) access that is in breach of configured policies.
To provide an organic remediation work-flow for legacy SSH key environments, using pre-defined assignment rules where keys are automatically associated with owners (identities) based on login data collected transparently from ongoing logins.
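To make the centralized model above concrete, here is an added illustration (not SpanKey code, and not its real LDAP schema): a constructed directory of group entitlements carrying members, host tags and an expiration date, and a host-side decision function that authorizes a presented key from that central record alone, including an example key-strength policy drawn from the algorithms the page lists.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class KeyEntitlement:
    """One LDAP-group record (constructed stand-in, not SpanKey's schema)."""
    group: str
    members: frozenset   # identities that belong to the group
    host_tags: frozenset # server tags the group is entitled to reach
    expires: date        # key expiration enforced centrally, not per host

# Constructed policy: this example organisation accepts RSA 2048/4096 and
# the listed elliptic-curve sizes, and leaves RSA 1024 and DSA out.
KEY_POLICY = {
    "ssh-rsa": {2048, 4096},
    "ecdsa": {256, 384, 521},
}

# Constructed directory content standing in for AD/LDAP groups.
DIRECTORY = (
    KeyEntitlement("ssh-prod-admins", frozenset({"alice"}),
                   frozenset({"prod"}), date(2025, 12, 31)),
    KeyEntitlement("ssh-dev", frozenset({"alice", "bob"}),
                   frozenset({"dev"}), date(2024, 6, 30)),
)

def authorize(identity, host_tag, key_algo, key_bits, today, directory=DIRECTORY):
    """Return (allowed, reason) using only the central record; no local
    authorized_keys file is consulted, mirroring the model described above."""
    if key_bits not in KEY_POLICY.get(key_algo, set()):
        return False, f"key {key_algo}/{key_bits} not permitted by policy"
    matching = [e for e in directory
                if identity in e.members and host_tag in e.host_tags]
    if not matching:
        return False, "no group grants this identity access to this host tag"
    live = [e for e in matching if today <= e.expires]
    if not live:
        expired = ", ".join(f"{e.group} (expired {e.expires})" for e in matching)
        return False, f"all matching entitlements expired: {expired}"
    return True, f"granted via {live[0].group}"

if __name__ == "__main__":
    for args in (("alice", "prod", "ssh-rsa", 4096, date(2025, 1, 1)),
                 ("bob", "dev", "ecdsa", 256, date(2025, 1, 1)),
                 ("alice", "prod", "ssh-rsa", 1024, date(2025, 1, 1))):
        print(args[:2], authorize(*args))
```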
Key features
Full support for existing LDAP/AD directory implementations
Super easy setup (1 minute on a blank Linux host)
AD accounts in Linux (no more PAM-LDAP or Winbind)
RBAC on Web Management Interface (WebADM)
SSH authentication with local key cache for offline use
RBAC for SSH public key access
Host access permissions with simple server tagging
Role-based key controls (from stanzas, command restrictions, etc.)
Support for shared accounts (conserving personal audit)
Automated Public Key Expiration
Easy Key Enrolment via Web Self-Services
Support for Master Keys
Support for Recovery Keys
Automated Key Renewal
Supported algorithms: RSA with 1024-, 2048- and 4096-bit keys; elliptic curve with 256-, 384- and 521-bit keys; DSA with 1024-bit keys only
HSM support for key generation and encryption
Graphical session recording in an encrypted DB or NAS
Auditd rule deployment and log collection for user sessions
Automatic account creation and temporary accounts
Optional multi-factor authentication with RCDevs OpenOTP
User enrolment via self-services
Support for hardware PIV keys and smartcards
Supported on most Linux distributions
Server side lock screen

Compatible with

This is a non-exhaustive list of SpanKey-compatible Linux distributions.

SpanKey servers run on your WebADM cluster and are connected to your Active Directory or other LDAP directory. The SpanKey agent for Linux is provided as source and as RPM/DEB packages. It can be used on:

Oracle / Red Hat / CentOS servers (RHEL 6 or later)
Debian / Ubuntu
SUSE Linux
See how simple it is to integrate SpanKey Server:

Install and configure SpanKey SSH Key Management Server

SpanKey v1

SpanKey v2
