SSH Key Management

Automated SSH Key enrollment, distribution & life-cycle management

The problem many organizations face today is that their IAM solution does not support SSH keys as a login method.
Technically speaking, existing IAM solutions are unable to bridge the gap between the numerous authorizations scattered across a Unix/Linux server estate and the identities and authorizations held in the centrally managed AD/LDAP.

As with any method of authentication, SSH logins are governed by corporate IAM, which in its simplest form answers the question of who can access what, and where. Usually the source of truth for this is the corporate LDAP, in many cases Active Directory (AD), which holds the relation between identities and the locations they are allowed to access. With SSH keys, however, the landscape is very different: no such single source exists; instead, authorization information is distributed across the Unix/Linux server estate itself. If a company hosts 100 servers, there are 100 individual decision (or breach) points for access. As one access can lead to another, the real figure can be much larger.

RCDevs Security helps you

Centrally Manage your SSH Keys


Many, or even all, Unix and Linux logins go ungoverned, with no way to determine which key belongs to which identity or whether the access is in breach of company IAM guidelines. In practice, this means that an unknown identity may log in with a key that is not even known to exist. To make things worse, SSH logins are generally used for privileged access, the most critical form of access.
RCDevs' SpanKey solution provides SSH key life-cycle management, from self-service web enrolment through automated key distribution to auditing of unwanted access and renewal of outdated keys. SpanKey operates on standard LDAP/AD, with authorizations conveniently managed in the same central location as the related identities. The SpanKey solution is designed to support even the largest IT estates.

Main Features

Entitlement & Identity Management
Instead of managing SSH authorizations and related key policies (entitlements) on individual hosts, by hand or with custom scripts, they are stored in the existing central entitlement and identity store (usually the corporate AD/LDAP, where roles are governed by adding users to and removing them from the relevant LDAP groups). That is, a standard LDAP group can hold details about expiration, usage and other key entitlements, which are then automatically enforced on the hosts and identities that are members of that group.
Provisioning
The workflow for requesting and approving key access, as well as key renewals, is handled through easy-to-use Web Self-Services, which can be embedded in existing IAM frameworks via, for example, standard SAML or ADFS. Thanks to the OpenOTP capabilities embedded in SpanKey, the Self-Services also natively support Multi-Factor Authentication, ranging from YubiKeys and PIV cards to soft tokens, QR codes, on-demand SMS OTP and many more.
Authentication & Authorization
With SpanKey, the decision to grant access is moved from individual hosts to the centralized SpanKey server and thereby, ultimately, to the corporate AD/LDAP. This is accomplished via the SpanKey agent, which hooks into the SSH authentication process through the standard Unix/Linux Pluggable Authentication Module (PAM) framework. This not only simplifies the overall authentication process but also makes it significantly more secure, as authorization data is no longer under the control of accounts stored locally on hosts but resides in the centrally controlled AD/LDAP.
Monitoring
Monitoring SSH key access serves a dual purpose within IAM life-cycle management:

To detect and report any SSH access (not only key-based) that is in breach of configured policies.
To provide an organic remediation workflow for legacy SSH key environments, using pre-defined assignment rules that automatically associate keys with their owners (identities) based on login data collected transparently from ongoing logins.
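The detection side of this monitoring, reduced to one host, as an added example that is not SpanKey code: it walks an authorized_keys file (including `from=`/`command=` stanzas with quoted commas and spaces), fingerprints each key the way `ssh-keygen -lf` does, and checks it against a central inventory of known keys and their expiry dates. The inventory dict stands in for the LDAP/AD source of truth, and the authorized_keys lines and key blobs are constructed sample data, not real keys.

```python
import base64
import hashlib
from datetime import date

def _split_first(text):
    """Cut the first field at the first whitespace outside double quotes (keeps from="a,b",command="x y" whole)."""
    in_quote = False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return text[:i], text[i:].lstrip()
    return text, ""

def parse_authorized_key(line):
    """Return (options, keytype, blob_b64, comment) for one authorized_keys line."""
    first, rest = _split_first(line.strip())
    # A line that starts with a key type (ssh-rsa, ssh-ed25519, ecdsa-..., sk-...) carries no options field.
    options, keytype = ("", first) if first.startswith(("ssh-", "ecdsa-", "sk-")) else (first, None)
    if keytype is None:
        keytype, rest = _split_first(rest)
    blob_b64, comment = _split_first(rest)
    return options, keytype, blob_b64, comment

def fingerprint(blob_b64):
    """SHA256 fingerprint in ssh-keygen -lf form: base64 of the digest of the raw key blob, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(authorized_keys_text, inventory, today):
    """Classify each key on a host against the central inventory (fingerprint -> {"owner", "expires"})."""
    report = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, keytype, blob_b64, comment = parse_authorized_key(line)
        fp = fingerprint(blob_b64)
        entry = inventory.get(fp)  # None: no identity in the directory owns this key
        status = "UNKNOWN" if entry is None else "EXPIRED" if entry["expires"] < today else "OK"
        report.append({"fingerprint": fp, "type": keytype, "status": status,
                       "owner": entry["owner"] if entry else None,
                       "restricted": "from=" in options, "comment": comment})
    return report

def _ed25519_blob(pub):  # constructed ssh-ed25519 wire blob (two length-prefixed strings); not a real key
    wire = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(wire(b"ssh-ed25519") + wire(pub)).decode()

KEY_A, KEY_B, KEY_C = (_ed25519_blob(bytes([c]) * 32) for c in b"ABC")
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample ~deploy/.ssh/authorized_keys
ssh-ed25519 {KEY_A} alice@laptop
from="10.0.0.0/8",command="/usr/bin/rrsync /srv" ssh-ed25519 {KEY_B} bob-backup
ssh-ed25519 {KEY_C} old-deploy"""
SAMPLE_INVENTORY = {  # stands in for the directory: who owns which key, and until when
    fingerprint(KEY_A): {"owner": "alice", "expires": date(2030, 1, 1)},
    fingerprint(KEY_B): {"owner": "bob", "expires": date(2023, 6, 30)},
}
```

Running `audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_INVENTORY, date(2024, 1, 1))` flags alice's key as OK, bob's restricted backup key as EXPIRED and the `old-deploy` key as UNKNOWN, the case the text describes of a key nobody can map to an identity.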
Key Features
Full support for existing LDAP/AD directory implementations
Incredibly easy setup (1 minute on a blank Linux host)
AD accounts in Linux (no more PAM-LDAP or Winbind)
RBAC on Web Management Interface (WebADM)
SSH authentication with local key cache for offline use
RBAC for SSH public key access
Host access permissions with simple server tagging
Role-based key controls (from stanzas, command restrictions, ...)
Support for shared accounts (preserving individual audit trails)
Automated Public Key Expiration
Easy Key Enrollment via Self-Services
Support for Master Keys
Support for Recovery Keys
Automated Key Renewal
Supported algorithms: RSA with 1024, 2048 and 4096-bit keys; elliptic curve with 256, 384 and 521-bit keys; DSA with 1024-bit keys only
HSM support for key generation & encryption
Graphical session recording in encrypted DB or NAS
Audit rule deployment & log collection for user sessions
Automatic account creation & temporary accounts
Optional MFA with OpenOTP Security Suite
User enrollment via Self-Services
Support for Hardware PIV keys & Smartcards
Supported on most Linux distributions
Server-side lock screen

Compatible with

Non-exhaustive list of SpanKey-compatible Linux distributions

SpanKey servers run on your WebADM Cluster and connect to your Active Directory or other LDAP directory. The SpanKey agent for Linux is provided as source code and as RPM/DEB packages.
It can be used on:

Oracle / Red Hat / CentOS servers (>= RHEL 6)
Debian / Ubuntu
SUSE Linux
UNIX / BSD / macOS
See how simple it is to integrate SpanKey Server:

Install and configure the SpanKey SSH Key Management Server

SpanKey v1

SpanKey v2