SpanKey SSH Key Management

1. Overview

SpanKey is a centralised SSH key server for OpenSSH, which stores and maintains SSH public keys in a centralised LDAP directory (e.g. Active Directory). With SpanKey there is no need to distribute, manually expire or maintain the public keys on the servers. Instead, the SpanKey agent is deployed on the servers and is responsible for providing the users’ public keys on demand. SpanKey server provides per-host access control with “server tagging”, LDAP access groups, centralized management from the RCDevs WebADM console, shared accounts, privileged users (master keys), recovery keys and more. It supports public key expiration with automated workflows for SSH key renewal (via Self-Services). For more information on SpanKey, please visit the RCDevs website.

For this recipe, you need WebADM installed and configured. Please refer to the WebADM Installation Guide and the WebADM Manual before installing SpanKey server. SpanKey server should be installed on the WebADM server.

2. Packages Installation

2.1. RHEL & CentOS through RCDevs Repository

2.1.1. Add RCDevs Repository

On a RedHat, CentOS or Fedora system, you can use the RCDevs repository, which simplifies updates. Add the repository:

curl http://www.rcdevs.com/repos/redhat/rcdevs.repo -o /etc/yum.repos.d/rcdevs.repo

The repository definition is fetched over plain HTTP, so inspect the downloaded file before relying on it and make sure package signature checking (gpgcheck) is enabled, so that the packages themselves are verified against the RCDevs signing key.

Clean the yum cache:

yum clean all

You are now able to install RCDevs packages on your system.

2.1.2. SpanKey Server Installation

yum install spankey

After SpanKey server installation, restart the WebADM services:

/opt/webadm/bin/webadm restart

To enable the SpanKey web service, log in to the WebADM GUI. Under the Applications tab, click Authentication in the category box and you should find SSH Public Key Server (SpanKey). Click on the REGISTER button.

2.1.3. SpanKey Client Installation

yum install spankey-client nscd openssh-server openssh-client

The SpanKey client requires nscd and OpenSSH. NSCD is the Linux name service caching daemon, which caches NSS information on the Linux client. Without NSCD, every user or group ID resolution triggers a SpanKey NSS request to the server; client-side caching prevents your servers from being overloaded with NSS requests.

2.2. Debian & Ubuntu through RCDevs Repository

2.2.1. Add RCDevs Repository

On a Debian system, you can use the RCDevs repository, which simplifies updates. Add the repository and its signing key:

echo "deb http://rcdevs.com/repos/debian ./" > /etc/apt/sources.list.d/rcdevs.list 
apt-key adv --fetch-key http://rcdevs.com/repos/debian/RPM-GPG-KEY-rcdevs.pub

Both the repository and the key are fetched over plain HTTP, so verify the key fingerprint out of band before trusting it. apt-key is deprecated on current Debian and Ubuntu releases; there, store the key in a dedicated keyring file and reference it with a Signed-By option in the sources entry instead.

Update the package index:

apt-get update

You are now able to install RCDevs packages on your system with the apt-get command.

2.2.2. SpanKey Server Installation

apt-get install spankey

After SpanKey server installation, restart the WebADM services:

/opt/webadm/bin/webadm restart

To enable the SpanKey web service, log in to the WebADM GUI. Under the Applications tab, click Authentication in the category box and you should find SSH Public Key Server (SpanKey). Click on the REGISTER button.

2.2.3. SpanKey Client Installation

apt-get install spankey-client nscd openssh-server openssh-client

The SpanKey client requires nscd and OpenSSH. NSCD is the Linux name service caching daemon, which caches NSS information on the Linux client. Without NSCD, every user or group ID resolution triggers a SpanKey NSS request to the server; client-side caching prevents your servers from being overloaded with NSS requests.

Note

With Ubuntu servers, depending on your OS setup, you may need to install libldap as well.

2.3 Installation Using the Self-Installer

You first need to download the SpanKey software package. The latest package is available on the RCDevs website. Download and copy the SpanKey server self-installer package to your server, for example with WinSCP or SCP. Then connect to your server via SSH, uncompress and run the self-installer package with:

gunzip spankey-2.x.x-x.sh.gz
bash spankey-2.x.x-x.sh

Follow the installer.

For the SpanKey client :

gunzip spankey_client-2.x.x.sh.gz
bash spankey_client-2.x.x.sh

Follow the installer and don’t forget to install the NSCD package.

3. Configurations

3.1. SpanKey Server

Once the SpanKey server package is installed, you have to enable the SpanKey service in WebADM. Go to the WebADM Administrator console, click on Applications tab > Authentication and click on the Register button for SSH Public Key Server. The default configuration is ready and suited for most Linux environments, but for initial tests it is recommended to click on the CONFIGURE button and set the following options in SSH Public Key Server (SpanKey server):

This disables server caching, which is generally helpful during the configuration and test stage.

Important note

For production server caching is highly recommended.



  • The SSH Key format can be defined here.
  • The RSA Key Length can also be set here.
  • The SSH Key Lifetime can be adjusted too.
  • Send Self-Registration: enable this option if you want a new self-registration request to be sent when the SSH key has expired.
  • Enable Offline Mode: offline mode can be enabled in case the SpanKey server is unavailable.
  • Require Second Factor: an OTP validation can be added to the authentication workflow.

Some other settings can be enabled on the SpanKey server:

  • Create Home Directory: if enabled, the user home directory is created automatically during the first login if not present.
  • Record Session Data: this is a new feature of SpanKey! This setting records terminal sessions and SFTP sessions and stores them in the SQL database. Sessions are replayable as video and can be found under Databases tab > Recorded sessions in the WebADM Admin Console.
  • Max Session Time: set this if you want to enforce a maximum session duration.

Under the SSH Public Key Server configuration, you can find various configuration options to set access controls on your SSH key-based logins, such as Master Group, Backup Keys, Authorized Group, Tagging and so on. Some of these settings are described in the chapter “Advanced Configuration”.

Important Note

Require client certificate for SpanKey client is highly recommended for production use! Without it, the server has no cryptographic proof of which host is asking for a user’s authorized keys.



3.2. SpanKey Client

The SpanKey client consists of two components, activated at setup time.

  • SSH component - provides user login with public keys stored within a directory server (Active Directory, OpenLDAP, Open Directory…).
  • NSS component - provides native mapping of your directory users and groups to those in Linux.

3.2.1. SpanKey Client Setup Script

At the end of the installation of the SpanKey package, run the following command to launch the setup wizard:

/opt/spankey/bin/setup

The wizard will prompt you for details similar to below:

[root@webadm1 tmp]# /opt/spankey/bin/setup 
Checking system architecture... Ok

Enter one of your running WebADM server IP or hostname: 192.168.3.55
Detected hostname is 'webadm1.yorcdevs.com'. Would you like to use it as client id (y/n)? n
Do you want to enable SpanKey Client for OpenSSH server (y/n)? y
Do you want to enable SpanKey Client NSS plugin (y/n)? y
Do you want to register SpanKey Client logrotate script (y/n)? y
Do you want SpanKey Client to be automatically started at boot (y/n)? y

Primary OpenOTP service URL is: 'https://192.168.3.55:8443/spankey/'
Secondary OpenOTP service URL is: 'NONE'.
Use 'webadm1.yorcdevs.com' as client id: No
Enable SpanKey Client for OpenSSH server: Yes
Enable SpanKey Client NSS plugin: Yes
Register SpanKey Client logrotate script: Yes
SpanKey Client must be automatically started at boot: Yes

Do you confirm (y/n)?: y

Applying SpanKey Client setting from default configuration files... Ok
Retrieving WebADM CA certificate from host '192.168.3.55'... Ok
The setup needs now to request a signed 'SpanKey' client certificate.
This request should show up as pending in your WebADM interface and an administrator must accept it.
Waiting for approbation...

At this step, log in to the WebADM Administration GUI to approve the SSL certificate request.

Click on the red button at the end of the home page.

On the next screen, the pending SSL certificate request is shown:

Click on the Accept button and the SpanKey client setup continues. Only approve a request whose hostname matches a client you have just set up: the approved certificate is what later lets that host fetch authorized keys.

Waiting for approbation... Ok
Updating file '/etc/ssh/sshd_config'... Ok
Updating file '/etc/nsswitch.conf'... Ok
Updating file '/etc/pam.d/password-auth'... Ok
Registering SpanKey Client service... Ok
Adding logrotate script... Ok

SpanKey Client has successfully been setup.

Do not forget to start SpanKey itself and restart the following daemons:
 - sshd
 - nscd

[root@webadm1 tmp]# 

Configuration of the SpanKey client is done; you now have to restart sshd, nscd and the SpanKey client:

[root@spankey_client ~]# service sshd restart 
[root@spankey_client ~]# service nscd restart 
[root@spankey_client ~]# service spankey restart

SpanKey client setup is done.

4. Advanced Configurations

4.1. SpanKey Client

4.1.1. Files and Folders

SpanKey client is installed under /opt/spankey/ folder.

Find below the SpanKey client software installation file structure and important files.

  • /opt/spankey/bin/ : Location for SpanKey service binaries and startup scripts.

    • spankey : SpanKey executable control script for starting and stopping the service process. To start SpanKey from command line, issue ./spankey start. To stop SpanKey, issue ./spankey stop.

    • setup : Initial SpanKey setup script run by the self-installer. The setup can be re-run manually at any time.

  • /opt/spankey/doc/ : Location for spankey documentation resources.

  • /opt/spankey/conf/ : Location for SpanKey configuration files.

    • spankeyd.conf : Main configuration file. Defines the basic SpanKey client parameters.
[root@webadm conf]# vi spankeyd.conf
#-#-#-#
#
#  spankeyd's main configuration file.
#
#-#-#-#
#
#  The entry below tells the daemon where the log file must be.
#  At the very early stage (when the daemon has started but has not yet read this configuration file)
#  logs are sent to standard output. Since the launcher script uses a redirection, you will not see them anyway.
#
log_file             /opt/spankey/logs/spankeyd.log
#
#  When log level is set to 'Normal', all components log errors and warnings only.
#  'Verbose' makes all components log everything.
#
log_level            Normal
#
#-#-#-#
#
#  Where to produce the daemon's pid file.
#
#pid_file             /opt/spankey/temp/spankeyd.pid
#
#-#-#-#
#
#  The daemon needs this CA file to trust the SpanKey servers it talks to.
#
ca_file              /opt/spankey/conf/ca.crt
#
#-#-#-#
#
#  An optional client certificate and password spankeyd will use to communicate with SpanKey servers.
#
client_cert_file     /opt/spankey/conf/spankey.pem
#client_cert_password PaSsWoRd
#
#-#-#-#
#
#  The section below contains the list of backend servers the daemon should connect to.
#  It must contain one or two target servers.
#  Any additional server in the list is ignored.
#
server_urls {
        url1 https://192.168.3.55:8443/spankey/
}
#
#-#-#-#
#
#  How spankeyd relays requests to the WebADM backend.
#   - "balanced" means requests are balanced between server 1 and server 2 in a round-robin fashion.
#   - "ordered" means server 2 is kept as a hot spare in case the primary server stops answering requests properly.
#
#server_policy        BaLaNcEd
#
#-#-#-#
#
#  The default domain name to pass when the requester only provided a username.
#  It typically overrides the default domain in the SpanKey server configuration.
#
#default_domain_name Default
#
#  Lets backends know how to extract the 'domain' and 'username' fields correctly from the username string the client entered.
#
#domain_separator     \\
#
#-#-#-#
#
#  Requested tags (the user must present all the tags).
#
#requested_tags       TAG1,TAG2
#
#-#-#-#
#
#  User settings (better configured in client policies).
#  Fixed list of SpanKey policy settings to be passed via the SpanKey API.
#
#user_settings        SpanKey.KeyExpire=10
#
#-#-#-#
#
#  The client identifier sent to the OpenOTP servers along with authentication requests.
#  This allows per-client contextual policies to be applied on the WebADM server while running an authentication workflow.
#
client_id            spankeyd
#
#-#-#-#
#
#  The SOAP request TCP timeout is 30 seconds by default.
#  Keep it as it is unless you really understand all the possible consequences a change could have.
#
#soap_timeout         30
#
#-#-#-#
#
#  Min UID & GID.
#  Requests for user IDs and group IDs below the configured values will always use local files.
#
min_userid            500
min_groupid           100
#
#-#-#-#
  • /opt/spankey/lib/ : Location for SpanKey system libraries.
  • /opt/spankey/libexec/ : Location for SpanKey system executables.
  • /opt/spankey/logs/ : Location for log files produced by SpanKey client.
  • /opt/spankey/temp/ : Location for SpanKey temporary data files. Under this directory, you will find service PID files.

4.2. SpanKey Server

Below are described some of the most relevant SSH Public Key Server configuration options.

4.2.1. Master Group

In SpanKey you can define master groups: the members of such a group are considered super users and can use their own SSH key to access any other SpanKey account. A master group can be configured in the SpanKey global configuration or in a client policy. To configure a master group, go to the SpanKey global configuration or client policy and set your Master Group. Because every member’s key is injected into every account on every host covered by that configuration, treat membership of this group as a privileged role: keep it small and monitor changes to it in the directory.

On my side, my master group is CN=master,CN=Users,DC=yorcdevs,DC=com and the member of this group is CN=Administrateur,CN=Users,DC=yorcdevs,DC=com, who has a public key enrolled on his account:

That means the administrator’s account is able to log in to every account with his own private key: the public key of the Administrateur account is added to every user account. If I call the authorized_keys command for different users, I should see the Administrateur public key alongside the user’s own public key:

[root@spankey_client ~]# /opt/spankey/libexec/authorized_keys ff
environment="ONE_TIME_AUTH_TOKEN=0C8932FE51F0C9EF41D50D33A6CAC7F6",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=ff",environment="SPANKEY_DOMAIN=yorcdevs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrLrlnq/RcSZlY1wn69vJRO6IN1ivtMEYrd8PJidPxol20K1okqzSYjxoDUsNmPRP6Pq/Ezd5K2ez/jboMIedZ6FVrg8qG9nwvSmzS1ooPKE5aOnb8/SjKSrY0BdSTo5p+zQUTvMEZaokAwj69uvWaLgMlxMp8L+k5VZ8STYIglYg5Khp/hfl/sy+yth7EIUfVyRkCiQuV37ot+Y97ob/eogmd1aScJESQjy1dRmI/A8n3kbYaZVTrEVsyQyf7zhBzuT5+kjkz7fCAPJu33SH0E4Z0HKeYhX1utIGGWE88OewCOMqi1XAyUQtgl0R8UIcTk7oYqP9oh+8H2WxH9c4J ff@yorcdevs
environment="ONE_TIME_AUTH_TOKEN=0C8932FE51F0C9EF41D50D33A6CAC7F6",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=Administrateur",environment="SPANKEY_DOMAIN=yorcdevs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5emLR6hSGdS9xx46LZUgVDZmZLPdmUR3qpx0B2SBqmqWv/Sm8U6xuicjjjL0G3Su1Kwyx6xcIllh7KKQiGkJUOyHl5MkbkCFY2JpyOEpmXC/t2A7htbI1RDaLKRsF4wjBx7nOxPkzWQjvjKdPnUUCt+VSl0MGBahAo8XGMvK1KJuak70n116S7m1/9Xw4Hnbn77iRSCI0CZ8Q5zUYrXRZOlD/W7d5sdSkuxK+r5tlzyg2mZ7nm4F3FR9Kdxny3x4nlSyUP6sjjAUnUxkBKpeiENnOFcCz3uAZJZk73fg93DvYVZq7T1Lbgu+D1bpLbW50NZvH60+Rg7sqYyJuDuFp Administrateur@yorcdevs

We can see two public keys for the ff account: his own public key and the administrator’s public key.

[root@spankey_client ~]# /opt/spankey/libexec/authorized_keys yoann 
environment="ONE_TIME_AUTH_TOKEN=CC334118B1988D79120AE8F24A9AB937",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=yoann",environment="SPANKEY_DOMAIN=yorcdevs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrSmyDygWjIrzc+R6Fdj6z6/kkWhsoRs64VP+l+KaQ6AIh7Vkpw9EfYMlQvJBcNCHYcJ55UCFxWAUp1lJo1creP4PlKpjaj2HuU4ARy0Zh2N9uTwXVbfMCzAihxBmqQbbsZl0lPxtlR8tFAfivV/xjp2H5HwfvkEyE/yn+dH84p+VbumztzmHepSMhSCYOscSCOqUAZYXbeZmv6ddPrvokb2yozhkvmtuK6vwoe1eIYPs/Un0e+nw1AHhUu9wMZoTlPQGV2GhBPBcscDLzG5G+VhiBGJM824qou5IYUGmWkz5t/Shvt16wOS8mfxQpQhyYDrP5WjSQiHDxXPeUef0H yoann@yorcdevs
environment="ONE_TIME_AUTH_TOKEN=CC334118B1988D79120AE8F24A9AB937",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=Administrateur",environment="SPANKEY_DOMAIN=yorcdevs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5emLR6hSGdS9xx46LZUgVDZmZLPdmUR3qpx0B2SBqmqWv/Sm8U6xuicjjjL0G3Su1Kwyx6xcIllh7KKQiGkJUOyHl5MkbkCFY2JpyOEpmXC/t2A7htbI1RDaLKRsF4wjBx7nOxPkzWQjvjKdPnUUCt+VSl0MGBahAo8XGMvK1KJuak70n116S7m1/9Xw4Hnbn77iRSCI0CZ8Q5zUYrXRZOlD/W7d5sdSkuxK+r5tlzyg2mZ7nm4F3FR9Kdxny3x4nlSyUP6sjjAUnUxkBKpeiENnOFcCz3uAZJZk73fg93DvYVZq7T1Lbgu+D1bpLbW50NZvH60+Rg7sqYyJuDuFp Administrateur@yorcdevs
[root@spankey_client ~]# 

It’s the same for yoann’s account.

Now, trying to log in to the ff and yoann accounts with the administrator’s private key:

11:56 $ ssh -i Administrateur.pem ff@192.168.3.55

Test Hello 

Session's lock idle time is 1 minute.
Session's max duration is 5 minutes.

bash-4.2$ whoami
ff
bash-4.2$ exit 
exit

>>>> Session's duration was aprox 14 seconds <<<<
Connection to 192.168.3.55 closed.
11:56 $ ssh -i Administrateur.pem yoann@192.168.3.55

Test Hello 

Session's lock idle time is 1 minute.
Session's max duration is 5 minutes.
bash-4.2$ whoami
yoann
bash-4.2$ exit 

>>>> Session's duration was aprox 12 seconds <<<<
Connection to 192.168.3.55 closed.

4.2.2. Backup/Recovery Keys

By default, the SpanKey agent erases the user’s authorized_keys file at runtime to prevent users from adding rogue public keys. If recovery keys are configured, these keys are automatically written to the user’s authorized_keys file for recovery purposes (to be used in the event where the SpanKey client cannot communicate with the SpanKey server).

To configure a backup key, go to the WebADM Admin GUI, click on the Applications tab, and in the Authentication category find SSH Public Key Server; click on the CONFIGURE button. You are now in the SpanKey server configuration. Find the Power Users & Recovery section, check the Backup Keys box and enter the public key that should give access to the target server even if the SpanKey client or SpanKey server is down. Enter the public key in authorized_keys format here:

That means the private key associated with this public key can log in to the target server even if the SpanKey server or SpanKey client is down. Guard that private key accordingly (hardware token or offline storage): it works precisely when the central checks are unavailable.

The public key can be found by clicking on the user in the left tree; in the Application Actions box, click on SSH Public Key Server and then Register/Unregister SSH Public Key.

The public key enrolled for this user is shown in SSH key format and in authorized_keys format.

Now we test whether the backup key is returned by the authorized_keys command for the yoann user on a SpanKey client:

[root@spankey_client conf]# /opt/spankey/libexec/authorized_keys yoann
environment="ONE_TIME_AUTH_TOKEN=0C691E139D54F643405CCA43DC738D5E",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=yoann",environment="SPANKEY_DOMAIN=yorcdevs",environment="PS1=[\u@\h \W]\\$ ",environment="TOTO=[\u@\h \W]\\$ " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5YW0Tc6sC0Sm+4cn1Gaf4eayN569HzU7UlJiznh5xo+YVrcGgzLHXVjm6ZOxuUYv7P7V1rKGsv1PLa5VIFhYcZuqyhsF5eMLDhGr8N59JpPUCTMjkXZV4ss5A6VXMm5ZxA0zQknZoBwHClMfPFi22KG2bkSc75oxk543sgkQDBbNjSNdSiIuHQdz77aeWjhBWP2ws1LVlEH7W6i687yAnMiTSDouNQNAK2MUtm4S8cKtTMNskLWD43ubqwPquvdyRHYofu/DGqL/gaKuWPn52au4h9qKSLTK3cbNBAMrDVM8ObAWX+gLps5VCovDZxpzFcgy8wvc3oyp2aN6UVH7h yoann@yorcdevs

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5emLR6hSGdS9xx46LZUgVDZmZLPdmUR3qpx0B2SBqmqWv/Sm8U6xuicjjjL0G3Su1Kwyx6xcIllh7KKQiGkJUOyHl5MkbkCFY2JpyOEpmXC/t2A7htbI1RDaLKRsF4wjBx7nOxPkzWQjvjKdPnUUCt+VSl0MGBahAo8XGMvK1KJuak70n116S7m1/9Xw4Hnbn77iRSCI0CZ8Q5zUYrXRZOlD/W7d5sdSkuxK+r5tlzyg2mZ7nm4F3FR9Kdxny3x4nlSyUP6sjjAUnUxkBKpeiENnOFcCz3uAZJZk73fg93DvYVZq7T1Lbgu+D1bpLbW50NZvH60+Rg7sqYyJuDuFp Administrateur@yorcdevs

As you can see, the yoann user gets his own public key returned by the SpanKey server plus the Administrateur recovery key configured previously. Note the difference between the two lines: the user’s own key carries the command="/opt/spankey/libexec/command_wrapper" and environment= options, while the recovery key is returned as a bare key line with no options, so a login with it is not routed through the command wrapper.

Below are the logs on the SpanKey server side for the authorized keys request:

[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] New spankeyAutorizedKeys SOAP request
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] > Username: yoann
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] > Client ID: SpanKey
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Registered spankeyAutorizedKeys request
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Resolved LDAP user: CN=yoann,CN=Users,DC=yorcdevs,DC=com
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Found user fullname: yoann
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Found 19 user settings: EnableLogin=Yes,EnvVariables=PS1="[\\u@\\h \\W]\\\\$ ",TOTO="[\\u@\\h \\W]\\\\$ ",X11Forwarding=Yes,PortForwarding=Yes,AgentForwarding=Yes,PTYAllocation=Yes,BackupKeys=[1 Items],MinUID=500,MinGID=100
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Found 1 user data: PublicKey
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Found 2048 bits RSA public key
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Returning 1 authorized public key
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Returning 1 backup keys
[2018-06-06 17:58:04] [192.168.3.55] [SpanKey:EAJ8T5JQ] Sent success response
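The key listings in sections 4.2.1 and 4.2.2 are easier to audit when reduced to one line per key. The following script is an added example and not part of SpanKey: it parses authorized_keys-format lines (handling quoted option values that contain spaces, like the PS1 environment option above), reports which SpanKey user each key is bound to and whether it is forced through command_wrapper, and flags bare keys such as the recovery key. The sample lines are constructed from the output above with shortened key blobs; on a real client you would pipe the output of /opt/spankey/libexec/authorized_keys <user> into it.

```shell
#!/bin/sh
# Added example: summarise what a SpanKey AuthorizedKeysCommand returned for a user.
# Not part of the SpanKey product; it only parses authorized_keys-format lines.
#
# Each input line is either
#   <options> <keytype> <base64-key> [comment]   (SpanKey-managed key, options present)
#   <keytype> <base64-key> [comment]             (bare key, e.g. a recovery/backup key)
# Options are comma-separated and may hold double-quoted values with spaces,
# so the option block is split off at the first space outside quotes.

audit_spankey_keys() {
  awk '
  # Value that follows "prefix" in opts, up to the closing unescaped double quote.
  function value_after(opts, prefix,    p, i, c, n, out) {
    p = index(opts, prefix)
    if (p == 0) return "-"
    i = p + length(prefix); n = length(opts); out = ""
    while (i <= n) {
      c = substr(opts, i, 1)
      if (c == "\\" && substr(opts, i + 1, 1) == "\"") { out = out "\""; i += 2; continue }
      if (c == "\"") break
      out = out c; i++
    }
    return out
  }
  NF == 0 { next }
  $1 ~ /^#/ { next }
  {
    # Locate the first space that is not inside a double-quoted option value.
    n = length($0); inq = 0; cut = 0
    for (i = 1; i <= n; i++) {
      c = substr($0, i, 1)
      if (inq && c == "\\" && substr($0, i + 1, 1) == "\"") { i++; continue }
      if (c == "\"") { inq = !inq; continue }
      if (c == " " && !inq) { cut = i; break }
    }
    first = cut ? substr($0, 1, cut - 1) : $0
    if (first ~ /^(ssh-|ecdsa-|sk-)/) {
      opts = ""; keypart = $0            # no options at all: a bare key
    } else {
      opts = first; keypart = cut ? substr($0, cut + 1) : ""
    }
    nf = split(keypart, kp, " ")
    ktype = kp[1]; comment = ""
    for (j = 3; j <= nf; j++) comment = comment (j > 3 ? " " : "") kp[j]
    if (comment == "") comment = "(none)"
    cmd  = (opts == "") ? "-" : value_after(opts, "command=\"")
    user = (opts == "") ? "-" : value_after(opts, "environment=\"SPANKEY_USERNAME=")
    flag = (cmd == "-") ? "BARE" : "WRAPPED"
    printf "%-7s type=%s comment=%s spankey_user=%s command=%s\n", flag, ktype, comment, user, cmd
  }'
}

# Number of keys that are NOT forced through a command (recovery keys, or anything unexpected).
bare_key_count() {
  audit_spankey_keys | grep -c '^BARE' || true
}

# Constructed sample in the shape of the output above (key blobs shortened; not real keys).
SPANKEY_SAMPLE='environment="ONE_TIME_AUTH_TOKEN=0C691E13",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=yoann",environment="SPANKEY_DOMAIN=yorcdevs",environment="PS1=[\u@\h \W]\\$ " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5YW0T yoann@yorcdevs
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5emLR Administrateur@yorcdevs'

printf '%s\n' "$SPANKEY_SAMPLE" | audit_spankey_keys
```

On a client host, `/opt/spankey/libexec/authorized_keys yoann | audit_spankey_keys` gives the same summary for the live answer, and a non-zero `bare_key_count` on a host where no recovery key is expected is worth investigating.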

4.2.3. Shared Account/Authorized Group

Authorized Groups operate on the principle of shared accounts. Shared accounts are common practice in enterprise use of SSH. A shared account (e.g. a ‘webmaster’ user) is a system account used concurrently by several administrators. In SpanKey you can turn any generic LDAP user into a shared SSH account simply by linking this account to a ‘shared access LDAP group’. All the members of that group can then gain access to the shared account with their own SSH key. For example, my shared account is webmaster and I want to allow access to the webmaster account for the members of the IT group.

The members of this group are the yoann and vagrant accounts:

Then I click on my webmaster account in the left tree. In the Object Details box, I click on the CONFIGURE button.

Choose the SpanKey application and, in the Shared Account section, configure the IT group like below:

Now I’m able to log in to my SpanKey client with yoann’s private key on the shared account webmaster:

✔ ~/Desktop 
16:43 $ ssh -i yoann.pem webmaster@192.168.3.55

Test Hello 

Session's lock idle time is 1 minute.
Session's max duration is 5 minutes.

bash-4.2$ whoami
webmaster
bash-4.2$ 

Logs on the SpanKey server side:

[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] New spankeyAutorizedKeys SOAP request
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] > Username: webmaster
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] > Client ID: spankeyd
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Registered spankeyAutorizedKeys request
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Checking SpanKey license for YOANN TRAUT
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] License Ok (17/50 active users)
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Resolved LDAP user: CN=webmaster,CN=Users,DC=yorcdevs,DC=com
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Found 17 user settings: EnableLogin=Yes,X11Forwarding=Yes,PortForwarding=Yes,AgentForwarding=Yes,PTYAllocation=Yes,AllowedGroup=CN=IT,CN=Users,DC=yorcdevs,DC=com
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Found 1 user data: PublicKey
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Found 2048 bits RSA public key
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Allowed group 'IT' with 2 member public keys
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Returning 3 authorized public keys
[2018-05-24 16:38:57] [192.168.3.55] [SpanKey:BW4PXUB5] Sent success response
[2018-05-24 16:38:58] [192.168.3.55] [SpanKey:HBVVV6S3] New spankeyNSSList SOAP request
[2018-05-24 16:38:58] [192.168.3.55] [SpanKey:HBVVV6S3] > Database: group
[2018-05-24 16:38:58] [192.168.3.55] [SpanKey:HBVVV6S3] > Client ID: spankeyd
[2018-05-24 16:38:58] [192.168.3.55] [SpanKey:HBVVV6S3] Registered spankeyNSSList request
[2018-05-24 16:38:58] [192.168.3.55] [SpanKey:HBVVV6S3] Found 2 posix groups
[2018-05-24 16:38:58] [192.168.3.55] [SpanKey:HBVVV6S3] Sent success response
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] New spankeySessionStart SOAP request
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] > Username: webmaster
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] > Command: /bin/bash
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] > Client ID: spankeyd
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] > Source IP: 192.168.3.181
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] Registered spankeySessionStart request
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] Resolved LDAP user: CN=webmaster,CN=Users,DC=yorcdevs,DC=com (cached)
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] Found 8 user settings: WelcomeText=Test Hello ,MaxSessionTime=5,LockSessionTime=1,RecordSessions=Yes,CreateHomedir=Yes
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] Started terminal session of ID 9fdNPXG3OOeeRM1e valid for 600 seconds
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] Sent success response

4.2.4. TAGs

All hosts managed by SpanKey Server can be tagged in the SpanKey client configuration. For example, all web servers could be tagged «WEB» in the configuration file of the SpanKey client. You can then add this tag to all webmaster accounts to grant SSH access to every web server. To configure a tag, click on a user account; in the Object Details section there is WebADM Settings. Click on the Configure button, go to the SpanKey application and find the option Allowed Server Tags.

Tags can be configured on an LDAP account or an LDAP group. To set a tag on an account or a group, go to the WebADM Admin GUI, click on your account/group, and in the Object Details box find WebADM Settings; click on CONFIGURE. In the Applications box on the left, select SpanKey. You are now in the SpanKey configuration for your user or group. In the Access Restriction category, check the Allowed Server Tags box and configure your tags. On my side, I configured the web and sql tags for my vagrant user.

Now I just have to tag the servers where the SpanKey client is configured. The tag is set with the requested_tags directive in /opt/spankey/conf/spankeyd.conf (commented out in the default file shown in section 4.1.1); a user must hold all the tags listed there to get keys from that host.

After tagging my server, I log in with an account that has the same tag configured. See below the result of the authentication:

[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] New spankeyAutorizedKeys SOAP request
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] > Username: vagrant
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] > Tags: web
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] > Client ID: spankeyd
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Registered spankeyAutorizedKeys request
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Checking SpanKey license for RCDevs
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] License Ok (17/50 active users)
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Resolved LDAP user: CN=vagrant,CN=Users,DC=yorcdevs,DC=com (cached)
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Using SQL server 'YO_SQL2'
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Found 17 user settings: EnableLogin=Yes,X11Forwarding=Yes,PortForwarding=Yes,AgentForwarding=Yes,PTYAllocation=Yes,AllowedTags=[1 Items]
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Found 2 user tags: WEB,SQL
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Found 1 user data: PublicKey
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Found 2048 bits RSA public key
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Validated authorization for server tag 'WEB'
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Returning 1 authorized public key
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Sent success response
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:SP6Y2UOV] New spankeySessionStart SOAP request

It works well for the vagrant user. I will now try an authentication with the yoann account, which does not have the web tag. See below the result of the authentication:

[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] New spankeyAutorizedKeys SOAP request
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] > Username: yoann
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] > Tags: web
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] > Client ID: spankeyd
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Registered spankeyAutorizedKeys request
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Resolved LDAP user: CN=yoann,CN=Users,DC=yorcdevs,DC=com (cached)
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Resolved LDAP groups: domain admins
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Found 17 user settings: EnableLogin=Yes,X11Forwarding=Yes,PortForwarding=Yes,AgentForwarding=Yes,PTYAllocation=Yes
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Found 1 user data: PublicKey
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Found 2048 bits RSA public key
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Account is missing authorization for server tag 'WEB'
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] No authorized public key found
[2018-05-24 09:57:54] [192.168.3.55] [SpanKey:2T4SREKM] Sent failure response

As you can see, the authentication failed because the account is missing authorization for server tag WEB: no public key is returned to sshd, so there is nothing the client could authenticate with.
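The server-side log excerpts in sections 4.2.2 to 4.2.4 are grouped by the [SpanKey:ID] request token. As an added example that is not SpanKey tooling, the following script condenses such logs into one line per request with user, tags, source IP and outcome, and lists failed requests such as the missing-tag denial above. The sample lines are copied from the excerpts above; the only thing the parser assumes is the field layout visible there.

```shell
#!/bin/sh
# Added example: condense SpanKey server log lines into one line per request.
# Not part of SpanKey; it parses the format shown in the excerpts above:
#   [date time] [client ip] [SpanKey:REQUESTID] message

summarize_spankey_log() {
  awk '
  {
    if (match($0, /\[SpanKey:[A-Za-z0-9]+\]/) == 0) next
    id  = substr($0, RSTART + 9, RLENGTH - 10)   # text between "[SpanKey:" and "]"
    msg = substr($0, RSTART + RLENGTH + 1)       # everything after the id token
    if (!(id in seen)) {
      seen[id] = 1; order[++n] = id
      kind[id] = "?"; user[id] = "-"; tags[id] = "-"; src[id] = "-"
      result[id] = "pending"; why[id] = ""
    }
    if (msg ~ /^New .* SOAP request$/)        { split(msg, w, " "); kind[id] = w[2] }
    else if (msg ~ /^> Username: /)           user[id] = substr(msg, 13)
    else if (msg ~ /^> Tags: /)               tags[id] = substr(msg, 9)
    else if (msg ~ /^> Source IP: /)          src[id]  = substr(msg, 14)
    else if (msg ~ /^Sent success response/)  result[id] = "success"
    else if (msg ~ /^Sent failure response/)  result[id] = "failure"
    # Keep the first line that explains a denial (the two reasons seen in the excerpts above).
    else if (why[id] == "" && msg ~ /missing authorization|No authorized public key/) why[id] = msg
  }
  END {
    for (i = 1; i <= n; i++) {
      id = order[i]
      printf "%s %-22s user=%s tags=%s src=%s result=%s", id, kind[id], user[id], tags[id], src[id], result[id]
      if (why[id] != "") printf " reason=\"%s\"", why[id]
      printf "\n"
    }
  }'
}

# Only the requests that ended with a failure response.
failed_spankey_requests() {
  summarize_spankey_log | grep 'result=failure' || true
}

# Sample lines copied from the log excerpts above (one allowed and one denied tag check, one session start).
spankey_sample_log() {
  cat <<'EOF'
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] New spankeyAutorizedKeys SOAP request
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] > Username: vagrant
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] > Tags: web
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Validated authorization for server tag 'WEB'
[2018-05-24 09:54:51] [192.168.3.55] [SpanKey:5J3W502T] Sent success response
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] New spankeyAutorizedKeys SOAP request
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] > Username: yoann
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] > Tags: web
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] Account is missing authorization for server tag 'WEB'
[2018-05-24 09:57:53] [192.168.3.55] [SpanKey:2T4SREKM] No authorized public key found
[2018-05-24 09:57:54] [192.168.3.55] [SpanKey:2T4SREKM] Sent failure response
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] New spankeySessionStart SOAP request
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] > Username: webmaster
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] > Source IP: 192.168.3.181
[2018-05-24 16:38:59] [192.168.3.55] [SpanKey:QTW0HV19] Sent success response
EOF
}

spankey_sample_log | summarize_spankey_log
```

Interleaved requests are handled because everything is keyed on the request ID rather than on line order, so the same function works on a full day of server logs; `failed_spankey_requests` is the line to feed into whatever alerting you use for repeated denials against one host tag.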

4.2.5. Guest Account

Another feature of SpanKey is the Guest Account. A guest account can be used by a consultant, for example. If enabled, the user’s home directory is created automatically at login and deleted after logout; the account is removed after the last open session is closed. In my example, I will configure an account named Oracle_Guest. To configure this account as a guest account, click on your user in the left tree; in the Object Details box, find WebADM Settings and click on CONFIGURE. In the Applications box on the left, select SpanKey. You are now in the SpanKey configuration for this user. In the UNIX Account Options category, check the Guest Account Mode box and set it to Yes.

In that scenario, I can also configure a tag for this guest user, the SQL tag for example, to allow my Oracle consultant to access every SQL-tagged server through the guest account.

4.3. OpenSSH

During setup, the SpanKey client setup script asks whether SpanKey should be enabled for OpenSSH; answer Yes.

This changes the /etc/ssh/sshd_config configuration file. The script sets the following parameters:

AuthorizedKeysCommand /opt/spankey/libexec/authorized_keys
AuthorizedKeysCommandUser root
PermitUserEnvironment yes
UsePAM yes

Depending on the sshd version, you might need AuthorizedKeysCommandRunAs instead of AuthorizedKeysCommandUser (the older OpenSSH backport shipped with RHEL/CentOS 6 uses that name). Two of these settings deserve attention: AuthorizedKeysCommandUser root runs the key lookup as root on every public-key login attempt, and PermitUserEnvironment yes makes sshd process ~/.ssh/environment and environment= options, which sshd_config(5) warns may let users bypass access restrictions in some configurations (for example through LD_PRELOAD). Check the file with sshd -t, then restart sshd if you changed the configuration:

service sshd restart
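Before restarting sshd it is worth confirming that the directives really are in effect, because sshd keeps the first occurrence of a keyword and treats anything after the first Match line as conditional. The script below is an added example, not part of the SpanKey client; it reads sshd_config the way sshd does for these purposes (case-insensitive keywords, first value wins, stop at Match), reports the missing SpanKey directives, and flags PermitUserEnvironment. It assumes the "Keyword value" form; the rarer "Keyword=value" form is not handled. The two sample configuration files are constructed.

```shell
#!/bin/sh
# Added example: audit a sshd_config for the directives the SpanKey client
# setup script adds. Not part of the SpanKey client; only uses the directive
# names shown in the documentation above.

sshd_get() {
    # $1 = config file, $2 = keyword; prints the effective global value (empty if unset)
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }               # comments and blank lines
        tolower($1) == "match"      { exit }               # anything below is conditional
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

audit_sshd_config() {
    # $1 = config file; prints findings and returns 1 if a required directive is missing
    f=$1; rc=0
    [ "$(sshd_get "$f" AuthorizedKeysCommand)" = /opt/spankey/libexec/authorized_keys ] ||
        { echo "MISSING: AuthorizedKeysCommand /opt/spankey/libexec/authorized_keys"; rc=1; }
    runas=$(sshd_get "$f" AuthorizedKeysCommandUser)
    [ -n "$runas" ] || runas=$(sshd_get "$f" AuthorizedKeysCommandRunAs)   # older sshd
    [ -n "$runas" ] ||
        { echo "MISSING: AuthorizedKeysCommandUser (AuthorizedKeysCommandRunAs on older sshd)"; rc=1; }
    [ "$(sshd_get "$f" UsePAM | tr A-Z a-z)" = yes ] ||
        { echo "MISSING: UsePAM yes"; rc=1; }
    # Not an error, but worth knowing: with PermitUserEnvironment yes sshd honours
    # ~/.ssh/environment and environment= key options, which sshd_config(5) warns
    # can let users bypass restrictions (LD_PRELOAD and similar) in some setups.
    [ "$(sshd_get "$f" PermitUserEnvironment | tr A-Z a-z)" = yes ] &&
        echo "WARN: PermitUserEnvironment yes (user-controlled environment, see sshd_config(5))"
    return $rc
}

# Constructed sample: what the setup script leaves behind, plus an unrelated Match block.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
# constructed sample
Port 22
PermitRootLogin no
AuthorizedKeysCommand /opt/spankey/libexec/authorized_keys
AuthorizedKeysCommandUser root
PermitUserEnvironment yes
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
# Constructed sample: the command only inside a Match block, and UsePAM turned off.
cat > "$BAD_CFG" <<'EOF'
AuthorizedKeysCommandUser root
UsePAM no
Match Address 192.168.3.0/24
    AuthorizedKeysCommand /opt/spankey/libexec/authorized_keys
EOF

# On a real host: audit_sshd_config /etc/ssh/sshd_config && sshd -t && service sshd restart
audit_sshd_config "$GOOD_CFG" && echo "ok: $GOOD_CFG"
audit_sshd_config "$BAD_CFG" || echo "fix $BAD_CFG before restarting sshd"
```

sshd -T (as root) prints the configuration sshd has actually parsed and is the authoritative check once the file passes sshd -t; the audit above is for catching a directive that was commented out or moved under a Match block by a later edit.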

4.4. NSS Provider

4.4.1. RHEL & CentOS

During setup, the SpanKey client setup script asks whether SpanKey should be enabled for NSCD; answer Yes.

This changes the /etc/nsswitch.conf configuration file.

The script sets the following parameters (spankey is added to the passwd and group databases, before sss, while shadow stays on local files: SpanKey serves accounts and keys, not password hashes):

passwd:	files spankey sss
shadow:	files sss
group:	files spankey sss

Restart NSCD to apply the configuration :

service nscd restart 

4.4.2. Debian & Ubuntu

During setup, the SpanKey client setup script asks whether SpanKey should be enabled for NSCD; answer Yes.

This changes the /etc/nsswitch.conf configuration file.

The script sets the following parameters (spankey is appended to the passwd and group databases, while shadow stays on local files):

passwd:	compat spankey
shadow:	compat
group:	compat spankey

As on RHEL and CentOS, restart NSCD afterwards so that the new configuration is used.

4.5. PAM

4.5.1. RHEL & CentOS

The SpanKey client setup script also edits the PAM configuration. The edited file is /etc/pam.d/password-auth.

The setup script changes the line:

account required pam_unix.so

to:

account required pam_unix.so broken_shadow

The broken_shadow option tells pam_unix to ignore errors when reading shadow information during account management. It is needed because SpanKey users have no entry in /etc/shadow: nsswitch.conf keeps the shadow database on local files only.

To validate that the setup is working correctly, run:

getent passwd

This command should return all accounts known to the host: the local ones plus the LDAP accounts that have been extended as UNIX accounts.

[root@webadm temp]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
systemd-bus-proxy:x:998:996:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
webadm:x:997:995::/opt/webadm:/bin/bash
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
radiusd:x:95:95:radiusd user:/var/lib/radiusd:/sbin/nologin
spankey:x:996:1001:SpanKey Client System User:/opt/spankey:/sbin/nologin
#### These accounts are local accounts 


Administrateur:x:1111:111::/home/administrateur:/bin/bash
quick:x:500:100::/home/quick:/bin/bash
yoann:x:1010:100::/home/yoann:/bin/bash
test:x:800:100::/home/test:/bin/bash
#### These accounts are LDAP accounts

Note

The getent passwd command may take a few minutes to return results.

After running getent passwd, you should see the following entries in /opt/webadm/logs/webadm.log (server side) if the lookup succeeded:

[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] New spankeyNSSList SOAP request
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] > Database: user
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] > Client ID: spankeyd
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] Registered spankeyNSSList request
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] Found 4 posix users
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] Sent success response

4.5.2. Debian & Ubuntu

The SpanKey client setup script also edits the PAM configuration. The modified file is /etc/pam.d/common-account, where the pam_unix line is given the broken_shadow option:

account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so broken_shadow

As on RHEL, broken_shadow makes pam_unix ignore errors when reading shadow information during account management, since SpanKey users have no entry in /etc/shadow.

To validate that the setup is working correctly, run:

getent passwd

This command should return all accounts known to the host: the local ones plus the LDAP accounts that have been extended as UNIX accounts.

[root@webadm temp]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
systemd-bus-proxy:x:998:996:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
webadm:x:997:995::/opt/webadm:/bin/bash
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
radiusd:x:95:95:radiusd user:/var/lib/radiusd:/sbin/nologin
spankey:x:996:1001:SpanKey Client System User:/opt/spankey:/sbin/nologin
#### These accounts are local accounts 


Administrateur:x:1111:111::/home/administrateur:/bin/bash
quick:x:500:100::/home/quick:/bin/bash
yoann:x:1010:100::/home/yoann:/bin/bash
test:x:800:100::/home/test:/bin/bash
#### These accounts are LDAP accounts

Note

The getent passwd command may take a few minutes to return results.

After running getent passwd, you should see the following entries in /opt/webadm/logs/webadm.log (server side) if the lookup succeeded:

[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] New spankeyNSSList SOAP request
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] > Database: user
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] > Client ID: spankeyd
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] Registered spankeyNSSList request
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] Found 4 posix users
[2018-05-22 17:11:25] [192.168.3.55] [SpanKey:AFA5ES1I] Sent success response
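The getent output in sections 4.5.1 and 4.5.2 is annotated by hand into "local accounts" and "LDAP accounts". With passwd set to files first (files spankey sss, or compat spankey), the local file wins whenever a name or a UID exists in both sources: a same-named LDAP account is never reached, and an LDAP account that reuses a local UID owns the local user's files. The script below is an added example, not part of SpanKey: it derives the local/LDAP split from /etc/passwd and a captured getent passwd output, and reports name and UID collisions. The two sample files are constructed; the LDAP entries are the four from the page plus an invented colliding account.

```shell
#!/bin/sh
# Added example: compare the local passwd file with "getent passwd" output to
# find which accounts NSS (SpanKey) added and whether any of them collide with
# local accounts. Not part of the SpanKey client.

ldap_only_accounts() {
    # $1 = local /etc/passwd, $2 = captured "getent passwd" output
    # prints names present in the getent output but absent from the local file
    awk -F: 'NR == FNR { local[$1] = 1; next } !($1 in local) { print $1 }' "$1" "$2"
}

uid_collisions() {
    # prints "uid:local_name:ldap_name" for non-local accounts whose UID already
    # belongs to a local account; lookups by UID return the local entry first,
    # so both accounts effectively own the same files
    awk -F: 'NR == FNR { local[$1] = 1; byuid[$3] = $1; next }
             !($1 in local) && ($3 in byuid) { print $3 ":" byuid[$3] ":" $1 }' "$1" "$2"
}

shadowed_accounts() {
    # $1 = captured "getent passwd" output; names listed more than once, meaning a
    # local and an LDAP account share the name and only the local one is ever used
    awk -F: '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# Constructed sample data: a small local passwd and the getent output it
# would produce with SpanKey enabled (local entries first, then LDAP entries).
LOCAL_PASSWD=$(mktemp); GETENT_OUT=$(mktemp)
trap 'rm -f "$LOCAL_PASSWD" "$GETENT_OUT"' EXIT
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin:/home/admin:/bin/bash
spankey:x:996:1001:SpanKey Client System User:/opt/spankey:/sbin/nologin
deploy:x:1010:100:local deploy user:/home/deploy:/bin/bash
EOF
{
    cat "$LOCAL_PASSWD"
    cat <<'EOF'
Administrateur:x:1111:111::/home/administrateur:/bin/bash
quick:x:500:100::/home/quick:/bin/bash
yoann:x:1010:100::/home/yoann:/bin/bash
test:x:800:100::/home/test:/bin/bash
admin:x:2000:100::/home/admin:/bin/bash
EOF
} > "$GETENT_OUT"

# On a real host: getent passwd > /tmp/getent.out, then run the functions with
# /etc/passwd and /tmp/getent.out.
echo "LDAP accounts:";      ldap_only_accounts "$LOCAL_PASSWD" "$GETENT_OUT"
echo "UID collisions:";     uid_collisions "$LOCAL_PASSWD" "$GETENT_OUT"
echo "shadowed names:";     shadowed_accounts "$GETENT_OUT"
```

In the sample, yoann reuses UID 1010 of the local deploy account and the LDAP admin account is hidden behind the local admin. Both cases are fixed on the directory side, by choosing UIDs and names for the UNIX Account extension (section 5) that no SpanKey-managed host uses locally.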

5. Users Management

To enable your LDAP users to be propagated as Linux accounts and to work with SpanKey, they must be extended with the "UNIX Account" object class. This is done in the WebADM graphical interface (it can also be done as a batch job) as follows:

  1. Choose the LDAP account you want to extend.
  2. Make sure the account is a WebADM account. If not, first extend it with the WebADM object class:
  3. Choose WebADM Account in the Add selector. Click Add.
  4. Choose UNIX Account in the Add Extension selector. Click Add.
  5. Enter the requested UNIX account attributes (the UID, GID, home directory and login shell that getent passwd later shows for the account) and click Proceed. Click on Extend Object.

The LDAP account is now extended for UNIX authentication. Within the extended LDAP object, click on SSH Public Key Server (Actions box) to generate an SSH key pair for the user:

  1. In the Application Actions box, click on SSH Public Key Server (3 actions) and select the first item, Register / Unregister SSH Public Key.
  2. Configure your preferred key format and key length.
  3. Configure the key expiration (optional).
  4. Click on Register.

The public and private keys are now generated by the SpanKey server. Choose the format of the private key (OpenSSH or PuTTY) and click on the Download Private Key button. Store the downloaded private key with restrictive permissions: ssh refuses to use a key file that other users can read.

Note

Registering or unregistering an SSH key can also be done through the WebADM User Self-Service UI.

You can now use the generated private key with your LDAP account, from an SSH client or PuTTY, on any server where the SpanKey client is installed, without deploying the user's public key in authorized_keys files. To test, connect with the private key to a server managed by the SpanKey client, as below:

ssh -i MyPrivateKey.pem test@192.168.3.55
[test@192.168.3.55 ~]#
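If the test login fails, the first thing to establish is whether the key in your hand is the one SpanKey serves for the account. The script below is an added example, not part of SpanKey: it locks down the downloaded key file, and compares the public half of a key (what ssh-keygen -y -f prints for a private key) against authorized_keys-style lines, ignoring key options such as from="..." and the trailing comment. On a SpanKey client the lines to compare against come from the AuthorizedKeysCommand, which sshd invokes with the target user name as its only argument when none is configured (sshd_config(5)); the key strings in the sample are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: check a downloaded private key and confirm its public half is
# among the keys served for the account. Not part of the SpanKey client.

lock_down_key() {
    # ssh refuses a private key that other users can read; enforce 0600 and verify
    # (find -perm 600 matches exactly mode 0600 on GNU and BSD find)
    chmod 600 "$1" && [ -n "$(find "$1" -prune -perm 600)" ]
}

pubkey_id() {
    # stdin: one OpenSSH public key or authorized_keys line; prints "type base64",
    # skipping leading options (from="...",command="...") and dropping the comment
    awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
                print $i " " $(i + 1); exit
            }
    }'
}

key_is_authorized() {
    # $1 = public key line, e.g. "$(ssh-keygen -y -f MyPrivateKey.pem)"
    # $2 = file of authorized_keys lines, e.g. the output of
    #      sudo /opt/spankey/libexec/authorized_keys test   (run on the SpanKey client)
    want=$(printf '%s\n' "$1" | pubkey_id)
    [ -n "$want" ] || return 2                      # not a parsable public key line
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(printf '%s\n' "$line" | pubkey_id)" = "$want" ] && return 0
    done < "$2"
    return 1
}

# Constructed sample: a placeholder key file with loose permissions, the public key
# derived from it, and two served lines (one with key options). Not real key material.
SAMPLE_KEY=$(mktemp); SERVED_KEYS=$(mktemp)
trap 'rm -f "$SAMPLE_KEY" "$SERVED_KEYS"' EXIT
echo "placeholder, not a real private key" > "$SAMPLE_KEY"
chmod 644 "$SAMPLE_KEY"
MY_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyOne'
cat > "$SERVED_KEYS" <<'EOF'
from="192.168.3.0/24",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyOne test@yorcdevs.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo yoann@yorcdevs.com
EOF

lock_down_key "$SAMPLE_KEY" && echo "key file is now 0600"
if key_is_authorized "$MY_PUBKEY" "$SERVED_KEYS"; then
    echo "public key is served for the account"
else
    echo "public key is NOT among the served keys; re-register it in WebADM"
fi
# Then connect without letting the agent try other identities first:
#   ssh -i MyPrivateKey.pem -o IdentitiesOnly=yes test@192.168.3.55
```

Comparing type and base64 body rather than the whole line is deliberate: SpanKey may prefix the served key with options and the comment differs between the downloaded key and the directory, so a plain grep of the line would miss a match.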

6. Video Tutorial


Play Video on Youtube