SpanKey SSH Key Management

1. Workflow

SpanKey is a centralised SSH key server for OpenSSH, which stores and maintains SSH public keys in a central LDAP directory (for example Active Directory). With SpanKey you can distribute, renew and revoke SSH keys without maintaining or touching authorized_keys files on the hosts. Instead, a SpanKey agent is deployed on each host and the public keys of users logging in are fetched on demand. The SpanKey server provides per-host access control through "server tagging", LDAP access groups, central web-based management with the RCDevs WebADM console, support for shared accounts and privileged (master key) access, recovery keys, and an automated public key renewal workflow (via Web Self-Services). For more information on SpanKey, please visit the RCDevs website.

2. Installation

2.1. SpanKey Server

SpanKey Server is included in the All-in-one version of WebADM (since WebADM v1.5.2). To use SpanKey Server, you must first download and install WebADM.

To enable the SpanKey service in WebADM, open the WebADM graphical interface, select Applications > Authentication and click the Register button for SSH Public Key Server. The default configuration is suited to most Linux environments, but for initial tests it is recommended to click Configure and set the following options in SSH Public Key Server:

SSH cache time : 0
NSS cache time : 0

This disables server-side caching, which is helpful during the configuration and test phase because every change is visible immediately.

Note

For production, server caching is highly recommended.

Under the SSH Public Key Server configuration you can find various options for controlling access to your SSH key-based logins, such as Master Group, Backup Keys, Authorized Group and Tagging. These are described in the chapter Configuration Options.

2.2. SpanKey Client

SpanKey Client is available as a Linux package (RPM or DEB) to be installed on every host that should be managed by a SpanKey Server. The client consists of two components, activated at setup time:

  • SSH component - provides user login with public keys stored within a directory server (Active Directory, OpenLDAP, Open Directory…).
  • NSS component - provides native mapping of your directory users and groups to Linux users and groups (UID/GID resolution).

The latest SpanKey Client can be downloaded from RCDevs Repository. The client is available for Redhat, Debian, Ubuntu and CentOS.

Note

SpanKey Client requires the rcdevs library, downloadable from the same repository.

Once you have downloaded SpanKey Client, perform the following steps on each host to be managed by the SpanKey Server:

Install OpenSSH & NSCD

If already installed, you can skip this step.

NSCD is the Linux name service caching daemon, which caches NSS information on the client. Without NSCD, every user or group ID resolution on the host (each ls -l, each login, each cron job) triggers a request from the SpanKey NSS module to the SpanKey server. Client-side caching prevents your servers from being overloaded with NSS requests.

On RedHat / CentOS (note that the client package is named openssh-clients there):

yum -y install openssh-server openssh-clients nscd

On Debian / Ubuntu:

apt-get install openssh-server openssh-client nscd

On Ubuntu servers, depending on your OS setup, you may need to install libldap as well.

Install librcdevs and SpanKey Client

Add the RCDevs repository and install the packages on the target server.

On RedHat / CentOS:

curl http://www.rcdevs.com/repos/redhat/rcdevs.repo -o /etc/yum.repos.d/rcdevs.repo
yum clean all
yum install rcdevs_libs spankey_client

On Debian / Ubuntu:

echo "deb http://rcdevs.com/repos/debian ./" > /etc/apt/sources.list.d/rcdevs.list
apt-key adv --fetch-key http://rcdevs.com/repos/debian/RPM-GPG-KEY-rcdevs.pub
apt-get update
apt-get install rcdevs-libs spankey-client

Note

Both the repository definition and the package signing key are fetched over plain HTTP in the commands above. Package signature checking only protects you if the key you imported is authentic, so verify the key's fingerprint out of band (against RCDevs' published fingerprint) before installing, or fetch it over HTTPS if the repository serves it. On Debian 11 / Ubuntu 22.04 and later, apt-key is deprecated; place the key in /etc/apt/trusted.gpg.d/ or reference it with a signed-by option instead.

3. Configuration

SpanKey Client can be configured either with the setup script or manually.

3.1. Configuration With Setup Wizard

This is the preferred option for configuring SpanKey Client.

3.1.1. SpanKey Client

After the SpanKey package has been installed, run the following command to launch the setup wizard:

/usr/bin/spankey_setup

The wizard prompts for details similar to the following:

- Do you have a WebADM cluster or standalone server (c/s)? : s
- Enter the hostname or address for SpanKey Server: 192.168.x.x
- Do you want to enable SpanKey for OpenSSH server (y/n)? : y
- Do you want SpanKey agent to auto-create home directories (y/n)? : y
- Do you want to enable SpanKey NSS plugin (y/n)? : y
- Do you confirm (y/n)? : y
Updating /etc/spankey/spankey.conf… OK
Updating /etc/ssh/sshd_config… OK
Updating /etc/nsswitch.conf… OK
Updating /etc/pam.d/password-auth… OK
SpanKey Agent has been successfully configured.

Configuration of SpanKey Client is done. The wizard edits the same four files described in the manual sections below (spankey.conf, sshd_config, nsswitch.conf and the PAM configuration), so those sections also document what the wizard changed on your host.

3.2. Manual Configuration for RedHat/CentOS

3.2.1. SpanKey Client

Edit the file /etc/spankey/spankey.conf

# Address of SpanKey Server
server_url https://192.168.x.x:8443/spankey/

# Create the home directory at first login
create_homedirs Yes

# Optional: a custom client ID selects a matching client policy in WebADM
client_id "SSH"

For a SpanKey cluster installation, use two server URLs instead of the single server_url line:

server_url1 https://192.168.x.x:8443/spankey/
server_url2 https://192.168.x.x:8443/spankey/

Note

Only 2 SpanKey server URLs can be added.

3.2.2. OpenSSH

Edit the file /etc/ssh/sshd_config

AuthorizedKeysCommand /usr/libexec/spankey/authorized_keys
AuthorizedKeysCommandUser root

AuthorizedKeysCommandUser is the upstream OpenSSH directive (OpenSSH 6.2 and later). On RHEL/CentOS 6, whose OpenSSH carries a vendor backport of the feature, the directive is named AuthorizedKeysCommandRunAs instead. Note that sshd refuses to run an AuthorizedKeysCommand that is not owned by root or is group- or world-writable, so keep the permissions of /usr/libexec/spankey/authorized_keys as installed by the package. Check the configuration with sshd -t, then restart sshd to apply the new settings:

service sshd restart

3.2.3. NSS Provider

Edit the file /etc/nsswitch.conf and append spankey to the passwd and group databases:

passwd: files spankey
group: files spankey

Then restart NSCD so that it picks up the new module:

service nscd restart

3.2.4. PAM

Edit the file /etc/pam.d/password-auth

Replace the line:

account required pam_unix.so

by:

account required pam_unix.so broken_shadow

Accounts served by SpanKey exist only in LDAP and have no entry in /etc/shadow. Without broken_shadow, the pam_unix account check fails when it cannot read shadow information for such a user and the login is refused even though the SSH key was accepted; broken_shadow tells pam_unix to ignore errors reading shadow information.

To validate that your setup is working correctly, run:

getent passwd

This should return all LDAP accounts for the host.

Note

The getent passwd command may take a few minutes to return results.

Configuration of SpanKey Client is done.

3.3. Manual Configuration for Debian/Ubuntu

3.3.1. SpanKey Client

Edit the file /etc/spankey/spankey.conf

# Address of SpanKey Server
server_url https://192.168.x.x:8443/spankey/

# Create the home directory at first login
create_homedirs Yes

# Optional: a custom client ID selects a matching client policy in WebADM
client_id "SSH"

Note

For a SpanKey cluster, use server_url1 and server_url2 instead of server_url, as shown in section 3.2.1. Only 2 SpanKey server URLs can be added.

3.3.2. OpenSSH

Edit the file /etc/ssh/sshd_config

AuthorizedKeysCommand /usr/libexec/spankey/authorized_keys
AuthorizedKeysCommandUser root

AuthorizedKeysCommandUser is the upstream OpenSSH directive (OpenSSH 6.2 and later); only vendor builds with an older backport of the feature use AuthorizedKeysCommandRunAs. Check the configuration with sshd -t, then restart the SSH daemon to apply the new settings (on Debian / Ubuntu the service is named ssh, not sshd):

service ssh restart

3.3.3. NSS Provider

Edit the file /etc/nsswitch.conf and append spankey to the passwd and group databases:

passwd: compat spankey
group: compat spankey

Then restart NSCD so that it picks up the new module:

service nscd restart

3.3.4. PAM

Edit the file /etc/pam.d/common-auth and add broken_shadow to the pam_unix line:

auth [success=1 default=ignore] pam_unix.so nullok_secure broken_shadow

Edit the file /etc/pam.d/common-account and do the same:

account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so broken_shadow

LDAP accounts served by SpanKey have no /etc/shadow entry; broken_shadow tells pam_unix to ignore errors reading shadow information instead of rejecting the account.

To validate that your setup is working correctly, run:

getent passwd

This should return all LDAP accounts for the host.

Note

The getent passwd command may take a few minutes to return results.

Configuration of SpanKey Client is done.
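The manual steps of sections 3.2 and 3.3 collected into one idempotent script, added here as an example; it is not RCDevs code and not what the spankey_setup wizard runs. It assumes GNU sed/awk, the file paths used on this page, and server URLs and a client ID that are placeholders for your own. Each function edits one file and can be re-run safely; the live application validates sshd_config before restarting anything, because a broken sshd_config on a remote host locks you out.

```shell
#!/bin/sh
# Added example, not RCDevs code: apply the manual SpanKey client
# configuration from sections 3.2/3.3 idempotently and validate sshd's
# config before restarting it. Assumes GNU sed/awk and the paths on this page.
set -eu

SPANKEY_CMD=/usr/libexec/spankey/authorized_keys

# Write spankey.conf: one URL for a standalone server, two for a cluster
# (the page states that only two server URLs are supported).
write_spankey_conf() {
    conf=$1; shift
    case $# in
        1) printf 'server_url %s\n' "$1" > "$conf" ;;
        2) printf 'server_url1 %s\nserver_url2 %s\n' "$1" "$2" > "$conf" ;;
        *) echo "write_spankey_conf: expected 1 or 2 server URLs" >&2; return 1 ;;
    esac
    # client_id selects the WebADM client policy; "SSH" is the page's value.
    printf 'create_homedirs Yes\nclient_id "SSH"\n' >> "$conf"
}

# Append "spankey" to the passwd and group lines of nsswitch.conf unless it
# is already listed (works for both "files" and "compat" base configurations).
enable_nss_spankey() {
    f=$1
    for db in passwd group; do
        if ! grep -Eq "^$db:"'.*[[:space:]]spankey([[:space:]]|$)' "$f"; then
            sed "s/^\\($db:.*\\)\$/\\1 spankey/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        fi
    done
}

# Point sshd at the SpanKey lookup command. Existing active directives (also
# the RHEL 6 RunAs spelling) are dropped so the file has exactly one
# definition, and the new lines go BEFORE the first Match block: sshd uses
# the first value it sees, and a Match block extends to end of file.
enable_sshd_spankey() {
    f=$1
    awk -v cmd="$SPANKEY_CMD" '
        function emit() {
            print "AuthorizedKeysCommand " cmd
            print "AuthorizedKeysCommandUser root"
            done = 1
        }
        tolower($0) ~ /^[ \t]*authorizedkeyscommand(user|runas)?[ \t]/ { next }
        !done && tolower($0) ~ /^[ \t]*match[ \t]/ { emit() }
        { print }
        END { if (!done) emit() }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Add broken_shadow to the pam_unix.so line(s) of the given type (auth or
# account) so LDAP accounts without an /etc/shadow entry pass the check.
enable_pam_broken_shadow() {
    f=$1; mtype=$2
    if ! grep -Eq "^$mtype[[:space:]].*pam_unix\\.so.*broken_shadow" "$f"; then
        sed "/^$mtype[[:space:]].*pam_unix\\.so/ s/\$/ broken_shadow/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    fi
}

# Apply everything to the live system (run as root): apply_spankey URL [URL2]
apply_spankey() {
    write_spankey_conf /etc/spankey/spankey.conf "$@"
    enable_sshd_spankey /etc/ssh/sshd_config
    enable_nss_spankey /etc/nsswitch.conf
    if [ -f /etc/pam.d/password-auth ]; then          # RedHat / CentOS
        enable_pam_broken_shadow /etc/pam.d/password-auth account
    else                                              # Debian / Ubuntu
        enable_pam_broken_shadow /etc/pam.d/common-auth auth
        enable_pam_broken_shadow /etc/pam.d/common-account account
    fi
    /usr/sbin/sshd -t                # refuse to restart on a broken config
    service sshd restart 2>/dev/null || service ssh restart   # Debian: "ssh"
    service nscd restart
    getent passwd > /dev/null        # smoke test: must list the LDAP accounts
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_spankey "$@"
fi
```

Run it as root with `--apply https://spankey.example:8443/spankey/` (hostname assumed) on a host where you still have console access; if `sshd -t` complains, nothing has been restarted and the original files are only changed in place, so fix the reported line and re-run.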

4. User Management

For your LDAP users to be propagated as Linux accounts and to work with SpanKey, they must be extended with the "Unix Account" object class. This is done in the WebADM graphical interface (it can also be done as a batch job) as follows:

  1. Choose the LDAP account you want to extend.
  2. Make sure the account is a WebADM account. If not, first extend it with the WebADM object class: choose WebADM Account in the Add Extension selector and click Add.
  3. Choose UNIX Account in the Add Extension selector and click Add.
  4. Enter the requested information (UID, GID, home directory, login shell) and click Proceed, then click Extend Object.

The LDAP account is now extended for UNIX authentication. Within the extended LDAP object, use SSH Public Key Server in the Application Actions box to generate an SSH key pair for the user:

  1. In the Application Actions box, click on SSH Public Key Server (3 actions) and select the first item, Register / Unregister SSH Public Key.
  2. Configure your preferred Key Format and Key Length.
  3. Configure key expiration (optional).
  4. Click on Register.

Your public and private keys are now generated by the SpanKey server. Choose the format of the private key (OpenSSH or PuTTY) and click on the Download Private Key button. Because the key pair is generated on the server rather than on the user's workstation, the private key passes through WebADM and the browser download: store the downloaded file with restrictive permissions (OpenSSH refuses to use a private key file that is group- or world-readable) and do not leave copies on shared systems.

Note

Register or Unregister of SSH Key can also be done through WebADM Self-Services UI.

You can now use the generated private key with your LDAP account, through an SSH client or PuTTY, on any server where SpanKey Client is installed, without deploying the user's public key in any authorized_keys file. To test, connect with your private key to a server managed by the SpanKey client, as below:

ssh -i MyPrivateKey.pem test@192.168.3.54
[test@192.168.3.54 ~]#
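When the login test above fails, the fastest way to localise the problem is to exercise the sshd-to-SpanKey contract from sections 3.2.2 and 3.3.2 directly, without a live SSH session. The following is an added example, not RCDevs code; it assumes the command path given on this page and relies on OpenSSH passing the target user name as the command's only argument when AuthorizedKeysCommand is configured without a %u token, which is what the configuration above does.

```shell
#!/bin/sh
# Added example, not RCDevs code: check the contract between sshd and the
# SpanKey lookup command without a live login. Assumes the command path from
# this page and that sshd passes the user name as the only argument.
set -eu

SPANKEY_CMD=/usr/libexec/spankey/authorized_keys

# Read authorized_keys entries on stdin and check each one parses as
# "[options] key-type base64-blob [comment]". Options may carry quoted
# strings containing spaces (command="..."). Returns 1 on the first
# malformed line or when no key came back at all: sshd then falls back to
# the recovery keys in ~/.ssh/authorized_keys, or denies the login.
validate_authorized_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        n=$((n + 1))
        if ! printf '%s\n' "$line" | grep -Eq \
           '^(([^[:space:]"]|"[^"]*")+[[:space:]]+)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+={0,2}([[:space:]].*)?$'
        then
            printf 'malformed authorized_keys line: %s\n' "$line" >&2
            return 1
        fi
    done
    [ "$n" -gt 0 ]
}

# Run the lookup exactly as sshd would (as the AuthorizedKeysCommandUser,
# root on this page, with the user name as sole argument) and validate the
# output. A non-zero exit status also makes sshd discard the output.
check_lookup() {
    user=$1
    if ! out=$("$SPANKEY_CMD" "$user"); then
        echo "lookup for $user failed (SpanKey server unreachable?)" >&2
        return 1
    fi
    printf '%s\n' "$out" | validate_authorized_keys
}

# Show what sshd actually loaded (sshd -T prints keywords in lower case) and
# the command's ownership and mode: sshd refuses a command that is not
# root-owned or is group/world-writable.
check_sshd_effective_config() {
    /usr/sbin/sshd -T | grep -E '^authorizedkeyscommand(user)? '
    ls -l "$SPANKEY_CMD"
}
```

Typical use on a managed host is `check_sshd_effective_config` followed by `check_lookup test` for the account you are trying to log in with; an empty or malformed result points at the server side (key not registered, expired, or not allowed for this host's tag), while a failure of `check_lookup` itself points at the client's server_url or network path.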

Configuration Options

Below are described some of the most relevant SSH Public Key Server configuration options.

Master Group : In SpanKey you can define master groups whose members are considered super users and can use their own SSH key to access any other SpanKey account. A master group can be configured differently per WebADM Client Policy.

Backup/Recovery Keys : By default, the SpanKey agent erases the users' authorized_keys files when it runs, to prevent users from adding rogue public keys that would bypass central control. If recovery keys are configured, these keys are automatically written to the users' authorized_keys files so that they remain usable in the event that the SpanKey agent cannot communicate with the SpanKey server. Because these keys work while the server is unreachable, keep their private halves offline and under the same controls as a break-glass credential.

Authorized Group : Authorized groups operate on the principle of a shared account. Shared accounts are common practice in enterprise use of SSH: a shared account (for example a 'webmaster' user) is a system account used concurrently by several administrators. In SpanKey you can turn any generic LDAP user into a shared SSH account simply by linking it to a 'shared access' LDAP group. All members of that group can then access the shared account with their own SSH key, so each login remains attributable to an individual key even though the account is shared.

Tag : Every host managed by a SpanKey Server can be tagged in its SpanKey client configuration. For example, all web servers could carry the tag "WEB" in the SpanKey client configuration file. Adding this tag to all webmaster accounts then grants them SSH access to every web server, and only to hosts carrying that tag. To configure a tag for a user, click on the user account, find WebADM Settings in the Object Details section and click the Configure button. Go to the SpanKey application, where the option Allowed Server Tags is located.
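Since the agent is expected to leave nothing but the recovery keys in a managed user's authorized_keys file, that file is a good place to look for drift. The following audit is an added example, not RCDevs code; it assumes the recovery keys are available locally as a file in authorized_keys format (how you export them from WebADM is not covered here) and compares entries on key type and key material only, so a recovery key that reappears with a different comment or option string is still recognised.

```shell
#!/bin/sh
# Added example, not RCDevs code: report keys in a managed user's
# ~/.ssh/authorized_keys that are not among the configured recovery keys.
# Anything else in that file is either a rogue addition or a sign the agent
# is not running. Assumes the recovery keys are available as a local file.
set -eu

# Reduce each entry to "key-type blob", dropping options and comments.
key_material() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+@openssh\.com)$/) {
                    print $i, $(i + 1); break
                }
        }' "$1"
}

# Print the key material of entries in $2 (authorized_keys) that are absent
# from $1 (recovery keys); exit 1 if there were any, 0 if the file is clean.
unexpected_keys() {
    rec=$(mktemp)
    key_material "$1" | sort -u > "$rec"
    # -F -x: whole-line fixed-string matches; -v keeps the strangers.
    bad=$(key_material "$2" | grep -vxF -f "$rec" || true)
    rm -f "$rec"
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad"
    return 1
}

# Sweep every home directory and root; return 1 if any host user carries a
# key outside the recovery set. Suitable as a cron job feeding your SIEM.
audit_homes() {
    recovery=$1; status=0
    for ak in /home/*/.ssh/authorized_keys /root/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        bad=$(unexpected_keys "$recovery" "$ak") || {
            printf 'unexpected keys in %s:\n%s\n' "$ak" "$bad" >&2
            status=1
        }
    done
    return "$status"
}
```

Run `audit_homes /etc/spankey/recovery_keys` (path assumed) from cron; a non-zero exit is worth an alert, and an empty recovery file makes every key in every authorized_keys file a finding, which is the correct behaviour when no recovery keys are configured at all.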
