SpanKey™ Server (SSH Key Management Made Easy)
The IT infrastructure of most mid-size to large organizations relies on Linux and/or UNIX servers. These servers are generally managed over SSH, both by administrators and by host-to-host scripting. The SSH protocol is secure and extremely convenient for server management because it provides terminal access via remote consoles and secure file transfer with SCP/SFTP. User authentication relies on asymmetric key cryptography using the industry standards RSA and elliptic curves, and it requires the user's public key(s) to be distributed to the personal and shared accounts on the target servers.
SpanKey is a centralized SSH key server for OpenSSH in which the public keys are stored in your central LDAP directory (e.g. Active Directory). With SpanKey there is no need to distribute, manually expire or maintain the public keys on the servers. Instead, the SpanKey agent is deployed on the servers and provides the users' public keys on demand. The SpanKey server provides per-host access control with "server tagging", LDAP access groups, centralized management from the RCDevs WebADM console, shared accounts, privileged users (master keys) and recovery keys. It supports public key expiration with automated workflows for SSH key renewal (via Self-Services).
Where to use SpanKey:
SpanKey Server runs on your WebADM cluster and connects to your Active Directory or any other LDAP directory. The SpanKey agent for Linux is provided as RPM and DEB packages. It can be used on:
- Oracle / RedHat / CentOS servers
- Debian / Ubuntu
- SUSE Linux
- UNIX / BSD / macOS
Public Key Algorithms:
SpanKey supports the industry-standard algorithms for public key authentication with OpenSSH:
- RSA with 1024, 2048 and 4096 bits
- ECC (Elliptic Curve) with 256, 384 and 521 bits
- DSA with 1024 bits only
Note that 1024-bit RSA and DSA are considered weak today, and OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0; restrict the allowed key types and lengths in the SpanKey policy accordingly.
Easy Key Enrolment with Self-Services
The RCDevs Self-Service applications include an SSH key management feature that lets users create their own SSH key pair and have the associated public key automatically enrolled on the SpanKey server. The list of allowed SSH key types (RSA/ECC/DSA) and key lengths (number of bits) is configurable on the SpanKey server. The self-service generates a new key pair and securely delivers the private key in several formats, including PuTTY and OpenSSH. A policy setting can optionally enforce passphrase protection of the private key; since the key pair is generated server-side and the private key is delivered to the user, that passphrase policy and OTP-protected access to the self-service are what keep the delivered key from being usable by anyone who intercepts it. Access to the self-service can be protected by an OTP login with RCDevs' OpenOTP.
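A worked example of the kind of key-type and key-length check this configurable policy implies, added here as an illustration and not taken from SpanKey or RCDevs: it parses the OpenSSH public key line format (type, base64 blob, optional comment) to recover the algorithm and bit length, then accepts or rejects the key against a policy table. The sample keys are constructed, wire-format-valid blobs with synthetic numbers, not real keys; the policy table, the `DEFAULT_POLICY` contents and all function names are this example's own and mirror the algorithm list above minus the weak options.

```python
import base64
import struct

# Added example (not RCDevs/SpanKey code): parse OpenSSH public key lines and
# enforce a key type / length policy like the one the SpanKey server lets you set.


def _string(data):
    """Encode bytes as an SSH 'string' (RFC 4251 s.5): uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a non-negative int as an SSH 'mpint' (big-endian, two's complement)."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero keeps the number positive
        raw = b"\x00" + raw
    return _string(raw)


def _read_string(buf, off):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def parse_pubkey_line(line):
    """Return (key_type, bits, comment) for one 'type base64 [comment]' line."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("key type prefix does not match blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)         # public exponent e
        n, _ = _read_string(blob, off)            # modulus n
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)        # e.g. b"nistp256"
        bits = int(curve.decode("ascii")[len("nistp"):])
    elif key_type == "ssh-dss":
        p, _ = _read_string(blob, off)            # DSA prime p
        bits = int.from_bytes(p, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256
    else:
        raise ValueError(f"unsupported key type {key_type}")
    return key_type, bits, comment


# Demo policy (this example's own): the algorithms listed on the page minus the
# weak ones. 1024-bit RSA and DSA are refused, as is anything not listed.
DEFAULT_POLICY = {
    "ssh-rsa": {2048, 4096},
    "ecdsa-sha2-nistp256": {256},
    "ecdsa-sha2-nistp384": {384},
    "ecdsa-sha2-nistp521": {521},
}


def check_key_policy(line, policy=DEFAULT_POLICY):
    """Return (accepted, reason) for a submitted public key line."""
    try:
        key_type, bits, _ = parse_pubkey_line(line)
    except (ValueError, struct.error) as exc:
        return False, str(exc) or "malformed key blob"
    if key_type not in policy:
        return False, f"{key_type} not allowed"
    if bits not in policy[key_type]:
        return False, f"{key_type} {bits}-bit not allowed"
    return True, f"{key_type} {bits}-bit ok"


# Constructed sample keys: format-valid blobs built from synthetic numbers, not real keys.
def make_rsa_line(bits, comment="demo"):
    n = (1 << (bits - 1)) | 1                     # has exactly `bits` bits; not a real modulus
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ecdsa_line(curve_bits, comment="demo"):
    curve = f"nistp{curve_bits}".encode()
    point = b"\x04" + b"\x01" * (2 * ((curve_bits + 7) // 8))   # uncompressed-point layout only
    blob = _string(b"ecdsa-sha2-" + curve) + _string(curve) + _string(point)
    return f"ecdsa-sha2-{curve.decode()} {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_line(comment="demo"):
    blob = _string(b"ssh-ed25519") + _string(b"\x02" * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for sample in (make_rsa_line(1024), make_rsa_line(2048),
                   make_ecdsa_line(521), make_ed25519_line()):
        print(check_key_policy(sample))
```

The bit length is taken from the encoded modulus (RSA), the curve name (ECDSA) or the prime p (DSA) rather than trusted from the submitting client, which is the check an enrolment endpoint needs; the type prefix in the line is also compared against the type embedded in the blob so the two cannot disagree.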
Graphical Session Recording
With SpanKey, terminal sessions are monitored and recorded. Idle sessions are automatically locked after a configurable time and must be unlocked with the user's password. More importantly, terminal sessions are recorded live into the WebADM secure record database. Sessions are stored encrypted, either in the SQL database or on a NAS mount. For audit and investigation purposes, you can replay terminal sessions with the session player in WebADM. SpanKey records a full day of SSH session activity in about 3 MB, so unlike competitor solutions whose recordings quickly become heavy in storage, SpanKey lets you retain audit information for years without extra terabytes.
Automated Public Key Expiration
Expiring SSH keys after a fixed period is required to maintain a defined level of trust in user keys and to comply with ISO or PCI requirements. When SpanKey is configured with key expiration, users are automatically notified when their public key expires: an email is sent with a renewal link allowing them to self-renew the just-expired public key.
Support for Shared Accounts
Shared accounts are a very common practice in enterprise use of SSH. A shared account (such as 'root' or a 'webmaster' user) is a system account used concurrently by several administrators. In SpanKey you turn any generic LDAP user into a shared SSH account simply by linking that account to a 'shared access LDAP group'. All members of the group then gain access to the shared account with their own individual SSH key.
Master Keys and Recovery Keys
In SpanKey you can define master groups whose members are considered super users and can use their SSH key to access any other SpanKey account. A master group can be configured differently for different sets of target servers via WebADM Client Policies.
By default, the SpanKey agent erases and rewrites the users' authorized_keys file at runtime to prevent users from adding unmanaged public keys. If recovery keys are configured, they are automatically written to the user's authorized_keys file so that access remains possible if the SpanKey agent cannot communicate with the SpanKey server. Treat recovery keys as break-glass credentials: keep the corresponding private keys offline and reserve them for that failure case.
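To make the access model of the preceding sections concrete (key expiration, shared accounts, master groups and the recovery-key fallback), here is an added example in Python that is not SpanKey's code: it resolves, for a target account, the list of public keys an agent would hand to sshd, the way an AuthorizedKeysCommand helper does. The directory snapshot, group names, expiry dates and key strings are constructed placeholders; SpanKey's real LDAP schema and exact precedence rules are not described on this page, so the rules below (own keys, then shared-group members, then master-group members; recovery keys only when the server is unreachable) are this example's reading of the text.

```python
from datetime import date

# Added example (not SpanKey code). DIRECTORY is a constructed stand-in for the
# LDAP data the central server holds; names and key strings are placeholders.
RECOVERY_KEY = "ssh-rsa RECOVERYKEYDATA recovery@example"
TODAY = date(2025, 6, 1)          # fixed "now" so the demo is deterministic

DIRECTORY = {
    "users": {
        "alice": {"groups": {"web-admins"},
                  "keys": [("ssh-ed25519 KEYDATA-alice alice@example", date(2030, 1, 1))]},
        "bob":   {"groups": {"ssh-masters"},
                  "keys": [("ssh-ed25519 KEYDATA-bob bob@example", date(2030, 1, 1))]},
        "carol": {"groups": {"web-admins"},
                  "keys": [("ssh-ed25519 KEYDATA-carol carol@example", date(2024, 1, 1))]},
        "dave":  {"groups": set(),
                  "keys": [("ssh-ed25519 KEYDATA-dave dave@example", date(2030, 1, 1))]},
        "webmaster": {"groups": set(), "keys": []},   # shared system account, no key of its own
    },
    # shared account -> LDAP group whose members may log in to it
    "shared_accounts": {"webmaster": "web-admins"},
    # members of this group may log in to any account
    "master_group": "ssh-masters",
    # written to authorized_keys by the agent for the offline case
    "recovery_keys": [RECOVERY_KEY],
}


def _valid_keys(user, today):
    """Public keys of one user that have not yet expired."""
    return [key for key, expires in user["keys"] if expires > today]


def _members(directory, group):
    """Usernames in `group`, sorted so the output order is stable."""
    return sorted(name for name, u in directory["users"].items() if group in u["groups"])


def resolve_authorized_keys(account, directory, today, server_reachable=True):
    """Keys the agent would present to sshd for `account`.

    When the central server cannot be reached only the recovery keys apply,
    mirroring the fallback described for the SpanKey agent.
    """
    if not server_reachable:
        return list(directory["recovery_keys"])
    users = directory["users"]
    if account not in users:
        return []
    keys = _valid_keys(users[account], today)
    shared_group = directory["shared_accounts"].get(account)
    if shared_group:
        for member in _members(directory, shared_group):
            keys += _valid_keys(users[member], today)
    for master in _members(directory, directory["master_group"]):
        keys += _valid_keys(users[master], today)
    return list(dict.fromkeys(keys))   # de-duplicate while keeping order


def expired_key_holders(directory, today):
    """Users holding at least one expired key, i.e. who should receive a renewal mail."""
    return sorted(name for name, u in directory["users"].items()
                  if any(expires <= today for _, expires in u["keys"]))


if __name__ == "__main__":
    print("\n".join(resolve_authorized_keys("webmaster", DIRECTORY, TODAY)))
    print("renewal needed:", expired_key_holders(DIRECTORY, TODAY))
```

Note what the expired entry for `carol` does: she is a member of the shared-access group but her key is past its expiry date, so she is dropped from the shared account's key list until she renews, while the master-group member `bob` is appended to every account's list.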
HSMs & Hardware SSH Devices
When an HSM (e.g. YubiHSM) is used with WebADM, SSH private key generation draws the entropy (random bytes) needed for key pair creation from the HSM's hardware random number generator. SpanKey uses the HSM for both RSA and ECC (elliptic curve) key generation.
SpanKey also supports hardware devices such as smartcards and YubiKey 4 with the PIV applet. With a hardware SSH device there is no SSH private key file: the private key lives on the device, and users just plug it into a USB port to connect to remote servers over SSH.
SpanKey Server and SpanKey OpenSSH Agent