SpanKey Campaign
SSH Key Life-Cycle
Into WebADM
RCDevs SPANKEY helps you to
Manage your SSH Key through your IAM platform
Bridging IAM and SSH Key Life-Cycle
SSH Key management made easy
RCDevs SpanKey is an SSH key life-cycle management solution that makes SSH key-based controls and governance exceptionally easy and effortless, combining them with the existing standard Identity Management solutions. Unlike most SSH key management solutions, SpanKey does not depend on heavy-to-deploy key vaults, but operates together with a standard LDAP/AD, with user-to-key and key-to-host associations intuitively managed in LDAP/AD accounts and groups.
You are 3 Steps away from
Managing your SSH key life-cycle with WebADM
Installing on the Server
Download RCDevs software packages or virtual appliance.
Installing on the Client
The SpanKey client requires nscd and OpenSSH. Take a look at the video tutorials.
Configuration
Once the SpanKey server package is installed, you have to enable the SpanKey service in WebADM.
For an easier configuration
We provide an example configuration that takes a few minutes.
How keys are securely stored and managed
Why Is SSH Key Management important for You?
Most SSH deployments use private/public key pairs to authenticate user access. Key pairs are in many senses more secure than passwords, but they open a whole new Pandora’s box to enterprises: key management, the need to control how keys are securely stored and managed, from creation to revocation and deletion. Without proper key management, UNIX and Linux logins in an enterprise go ungoverned, lacking oversight on which key belongs to which identity and if the connections established with the keys comply with the company’s policies and guidelines. In practice, this means that an unknown identity may log in to a critical production system with a key that is not even known to exist.
SSH key management is essential to maintaining security, since the entire SSH protocol, and therefore its security, is built around public and private key pairs. Proper SSH key management protects against critical risks that can lead to system failures or allow important information to fall into the wrong hands.
A few more things You need to know
Get the best out of SpanKey
Easy Keys Enrollment with Self-Service
The RCDevs’ Self-Service applications include an SSH key management feature that allows users to create their own SSH key-pair and get the associated public key automatically enrolled on the SpanKey server. The list of allowed SSH key types (RSA/ECC/DSA) and key length (number of bits) is configurable on the SpanKey server. The self-service generates a new key pair and securely provides the private key in several formats, including PuTTY and OpenSSH. A policy configuration can optionally enforce passphrase protection. The self-service access can be protected by an OTP login method with RCDevs’ OpenOTP.
Graphical Session Recording
With SpanKey, terminal sessions are monitored and recorded. Idle sessions are automatically locked after a configurable time, and a user password prompt is used for unlocking. More importantly, terminal user sessions are recorded live into the WebADM secure record database. The session is stored encrypted on either the SQL database or a NAS mount. For audit and investigation purposes, you can also replay terminal sessions with the session player within WebADM. SpanKey is able to record a one-day SSH session in only 3 MBytes! So unlike competitor solutions, where recordings quickly become heavy in storage size, SpanKey lets you keep your audit information for a year without requiring extra terabytes.
Automated Public Key Expiration
Expiring SSH keys after a fixed amount of time is required to ensure a certain level of trust in the user keys and to comply with ISO or PCI regulations. When SpanKey is configured with key expiration, users are automatically notified upon the expiration of their public key. An email is sent with a renewal link allowing them to self-renew their just-expired public key.
Fixed issues with MountPoints having an empty LDAP base DN.
Fixed license expiration issues with trial licenses.
Support for Shared Account
Shared accounts are a very common practice in enterprise use of SSH. A shared account (like ‘root’ or a ‘webmaster’ user) is a system account that is used concurrently by several administrators. In SpanKey you can transform any generic LDAP user into a shared SSH account simply by linking this account to a ‘shared access LDAP group’. All the members of the group then gain access to the shared account with their own SSH key.
Master Keys and Recovery Keys
In SpanKey you can define master groups whose members are considered super users and can use their SSH key to access any other SpanKey account. A master group can be configured differently for different sets of target servers via WebADM Client Policies. By default, the SpanKey agents erase the users’ authorized_keys files at runtime to prevent users from adding unhandled public keys. If recovery keys are configured, these keys are automatically written to the user’s authorized_keys file for recovery purposes (in the event that the SpanKey agent cannot communicate with the SpanKey server).
HSMs & Hardware SSH Devices
When HSMs (e.g. YubiHSM) are used in WebADM, SSH private key generation uses the HSM’s true random generation to gather the required entropy (random bytes) for the SSH key-pair creation process. SpanKey uses HSMs for both RSA and ECC (Elliptic Curve) key generation. SpanKey supports hardware devices such as smartcards and the YubiKey v4 with the PIV applet. With hardware SSH devices, there is no SSH private key file; users just need to plug the device into the USB port to connect to remote servers with SSH.
To request an online demo, you only have to create your account or contact us.
Online Demos are available for free to let you try RCDevs multi-factor in 5 minutes and authenticate with your mobile or Yubikey.