Documents in SpanKey Server

SpanKey SSH Key Management Quick Start

1. Overview SpanKey is a centralized SSH key server for OpenSSH, which stores and maintains SSH public keys in a centralized LDAP directory (i.e. Active Directory). With SpanKey there is no need to distribute, manually expire or maintain the public keys on the servers. Instead, the SpanKey agent is deployed on the servers and is responsible for providing the users’ public keys on-demand. The SpanKey server provides per-host access control with “server tagging”, LDAP access groups, centralized management from the RCDevs WebADM console, shared accounts, privileged users (master keys), recovery keys… It supports public key expiration with automated workflows for SSH key renewal (via Self-Services).

Feitian ePass NFC

SSH Authentication with a Feitian ePass NFC/FIDO/U2F Security Key Feitian ePass NFC FIDO U2F Security Key can work as a Generic Identity Device Specification (GIDS) smart card. There also are many other manufacturers and card models to which these instructions can be applied, but the specific tools to initialize the card can be different. In this how-to, we will prepare a USB/NFC hardware key for SSH authentication and register the device in WebADM.

SpanKey Upgrade Guide from version 1.x.x to 2.x.x

1. Introduction In this documentation, we will see how to upgrade SpanKey Server and Client from version 1 to version 2. Note SpanKey Server v1 and v2 can work with both SpanKey Client v1 and v2 for NSS request only. For SSH key management features, you must use matching Server and Client versions. 2. Upgrade SpanKey Server In this document, we will upgrade the Spankey Server from v1.0.3-6 to v2.

Smart Card - PIV

Authentication with a Yubikey Smart Card / PIV In this How-To we will configure a user in WebADM for using a PIV key. We need a WebADM server already configured. 1. Import the Inventory We need to create a inventory file like this: "Type","Reference","Description","DN","Data","Status" "PIV Device","<ID1>","PIV Yubikey","","PublicKey=<pub_key1>","Valid" "PIV Device","<ID2>","PIV Yubikey","","PublicKey=<pub_key2>","Valid" "PIV Device","<ID3>","PIV Yubikey","","PublicKey=<pub_key3>","Valid" For my test, I have a Yubikey Nano with a PIV certificate and I use yubico-piv-tool for the management of the Yubikey, but it can work with other PIV keys.

proxy_user rights on Active Directory

How to configure proxy_user rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter, register token metadata on the user account… Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

super_admin rights on Active Directory

How To configure super_admin rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permission for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter. Administrator users permissions: These accounts login to the Admin portal in order to manage LDAP resources and registered applications.

Policies

1. Overview This documentation will explain policies configurable for Web Services and Web Applications under WebADM admin GUI. WebADM provides different kinds of policies : default application configuration (weight 1), per-group (weight 2), per-user (weight 3), per-application (weight 4-6). Settings with the highest weight override settings with the lowest weight. (e.g for OpenOTP: My default OpenOTP settings require a LoginMode=LDAP only but the user who is trying to log in has a policy configured on his account with the LoginMode=LDAP+OTP.

How to use your Yubikey with RCDevs

1. Overview In this How-To, we will demonstrate how to reprogram your Yubikey with the Yubikey Personalization Tool, to generate an inventory file through Yubico tool to import the Yubikey in WebADM inventory and how to assign and use your Yubikey with OpenOTP. For this recipe, you will need to have WebADM and OpenOTP installed and configured. Please, refer to WebADM Installation Guide and WebADM Manual. 2. Yubico Personalization Tool Once Yubico Personalization Tool is installed, open it.