SSH Key Management
Automated SSH Key enrollment, distribution & life-cycle management
The problem many organizations face today is that their IAM solution does not support SSH keys as a method of login.
Technically speaking, existing IAM solutions cannot bridge the gap between the many authorizations scattered across a Unix/Linux server estate and the identities and authorizations held in the centrally managed AD/LDAP.
Like any method of authentication, SSH logins are governed by corporate IAM, which in its simplest form answers the question of who can access what. Usually the source of truth for this is the corporate LDAP, in many cases Active Directory (AD), which holds the relation between identities and the locations they are allowed to access. With SSH keys the landscape is very different: no such single source exists. Instead, authorization information is distributed across the Unix/Linux server estate itself, in the authorized_keys files of the individual accounts. If a company hosts 100 servers, there are at least 100 individual decision (or breach) points for access. Because one access can lead to another, the real figure can be much larger.
Centrally Manage your SSH Keys
Many, or even all, Unix and Linux logins go ungoverned, without the ability to determine which key belongs to which identity or whether the access is in breach of company IAM guidelines. In practice, this means that an unknown identity may log in with a key that is not even known to exist. To make things worse, SSH logins are generally privileged access, the most critical form of access.
RCDevs' SpanKey provides SSH key life-cycle management, from self-service web enrolment through automated key distribution to auditing of unwanted access and renewal of outdated keys. SpanKey operates on standard LDAP/AD, with authorizations managed in the same central location as the related identities. The SpanKey solution is designed to support even the largest IT estates.
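The two paragraphs above describe the core problem: each host's authorized_keys files are independent decision points, and nothing ties a key on disk to an identity in the directory. The following script is an added example, not part of SpanKey or any RCDevs code; it shows what the first step of getting such keys under control looks like in practice. It parses the OpenSSH authorized_keys format (including quoted options such as from= and command=), fingerprints each key the way `ssh-keygen -lf` does (SHA256 over the decoded key blob), and reports keys that a central inventory does not know, keys carrying no restrictions, and keys whose OpenSSH expiry-time option has passed. The key blobs, the file contents and the inventory are constructed test data; the inventory dictionary stands in for whatever directory-backed source of truth an organization actually uses.

```python
"""Audit an OpenSSH authorized_keys file against a central key inventory.

Added example (not SpanKey code). Everything below is constructed test data:
the ed25519 "public keys" are arbitrary 32-byte strings wrapped in the SSH
wire format, and INVENTORY stands in for a directory-backed source of truth.
"""
import base64
import hashlib
import struct
from datetime import datetime

# Key types accepted by OpenSSH; anything before one of these on a line is options.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
# Options that actually limit what a key can do once it authenticates.
RESTRICTIVE_OPTIONS = ("from", "command", "restrict")


def _split_outside_quotes(text, seps):
    """Split text on any char in seps that is not inside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and quoted and i + 1 < len(text):  # keep escaped char verbatim
            buf.append(text[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_authorized_key(line):
    """Return {'options','type','blob','comment'} for one line, None for blank/comment."""
    fields = [f for f in _split_outside_quotes(line.strip(), " \t") if f]
    if not fields or fields[0].startswith("#"):
        return None
    options = {}
    if fields[0] not in KEY_TYPES:                 # leading options field present
        for opt in _split_outside_quotes(fields.pop(0), ","):
            if not opt:
                continue
            name, _, value = opt.partition("=")
            options[name] = value.strip('"') if value else True
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {"options": options, "type": fields[0],
            "blob": fields[1], "comment": " ".join(fields[2:])}


def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_expiry(value):
    """OpenSSH expiry-time syntax: YYYYMMDD or YYYYMMDDHHMM[SS], optional trailing Z."""
    value = value.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(value)]
    return datetime.strptime(value, fmt)


def audit(authorized_keys_text, inventory, now):
    """Return (line_no, fingerprint, finding, detail) tuples for problematic keys."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        key = parse_authorized_key(line)
        if key is None:
            continue
        fp = fingerprint(key["blob"])
        owner = inventory.get(fp)
        if owner is None:   # a key nobody registered: exactly the "unknown identity" case
            findings.append((lineno, fp, "UNKNOWN", "no identity in central inventory"))
            continue
        expiry = key["options"].get("expiry-time")
        if expiry and parse_expiry(expiry) <= now:
            findings.append((lineno, fp, "EXPIRED", "%s, expired %s" % (owner, expiry)))
        if not any(o in key["options"] for o in RESTRICTIVE_OPTIONS):
            findings.append((lineno, fp, "UNRESTRICTED", owner))
    return findings


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pubkey_bytes):
    """Wrap 32 arbitrary bytes as an ssh-ed25519 wire blob (constructed test key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey_bytes)).decode()


KEY_ALICE = make_ed25519_blob(bytes(range(32)))
KEY_BOB = make_ed25519_blob(bytes(range(32, 64)))
KEY_STRAY = make_ed25519_blob(bytes(range(64, 96)))

# Constructed sample file: one well-restricted key, one expired unrestricted key,
# and one key that the central inventory has never heard of.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample /home/deploy/.ssh/authorized_keys",
    'from="10.0.0.0/8,192.168.1.10",command="/usr/local/bin/deploy" ssh-ed25519 %s alice@example' % KEY_ALICE,
    'expiry-time="20200101" ssh-ed25519 %s bob@example' % KEY_BOB,
    "ssh-ed25519 %s" % KEY_STRAY,
])
INVENTORY = {fingerprint(KEY_ALICE): "alice", fingerprint(KEY_BOB): "bob"}


def run_sample():
    """Audit the constructed file with a fixed clock so results are reproducible."""
    return audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY, now=datetime(2024, 1, 1))


if __name__ == "__main__":
    for lineno, fp, finding, detail in run_sample():
        print("line %d %-12s %s (%s)" % (lineno, finding, fp, detail))
```

Run against the constructed sample, the audit reports Bob's key twice (expired and unrestricted) and the stray key once as unknown, while Alice's from=/command=-restricted key produces no finding. In a real estate the same logic runs over every account's authorized_keys on every host, which is the 100-plus decision points the text describes; the inventory lookup is the piece that a central directory-backed solution supplies.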
Main Features
Entitlement & Identity Management
Provisioning
Authentication & Authorization
Monitoring
Full support for existing LDAP/AD directory implementations
Incredibly easy setup (1 minute on a blank Linux host)
AD accounts in Linux (no more PAM-LDAP or Winbind)
RBAC on Web Management Interface (WebADM)
SSH authentication with local key cache for offline use
RBAC for SSH public key access
Host access permissions with simple server tagging
Role Based Key Controls (from= and command= restrictions, ...)
Support for shared accounts (conserving personal audit)
Automated Public Key Expiration
Easy Key Enrollment via Self-Services
Support for Master Keys
Support for Recovery Keys
Automated Key Renewal
Supported algorithms: RSA with 1024, 2048 and 4096-bit keys; elliptic curve with 256, 384 and 521-bit keys; DSA with 1024-bit keys only. Note that DSA and 1024-bit RSA are legacy choices (OpenSSH has disabled ssh-dss by default since version 7.0), so prefer RSA 2048/4096 or elliptic curve keys for new enrollments.
HSM support for key generation & encryption
Graphical session recording in encrypted DB or NAS
Audit rule deployment & log collection for user sessions
Automatic account creation & temporary accounts
Optional MFA with OpenOTP Security Suite
User enrollment via Self-Services
Support for Hardware PIV keys & Smartcards
Supported on most Linux distributions
Server side lock screen
Compatible with
SpanKey compliant Linux Distributions
SpanKey servers run on your WebADM cluster and connect to your Active Directory or other LDAP directory. The SpanKey agent for Linux is provided as source and as RPM/DEB packages.
It can be used on:
Oracle Linux / Red Hat / CentOS servers (RHEL 6 or later)
Debian / Ubuntu
SUSE Linux
UNIX / BSD / macOS
Seeing is believing
Whether you are buying a car or a security solution, you always want to test drive it before signing on the dotted line. We know this and you know this.
Contact us for your Free PoC or check it out for yourself.