How to configure public key authentication for ssh credentials in the Vault

  • 7022584
  • 22-Jan-2018
  • 22-Oct-2020

Environment

Privileged Account Manager

Situation

How to configure public key authentication for ssh credentials in the Vault
Setting up ssh keys for increased login security
SSH Key-Based Authentication on Linux
How to configure SSH Private Key Credentials in PAM

In Privileged Account Manager (PAM) sshrelay, the user is prompted for the passphrase of private key, even though the private key has been configured for credential in the vault:
Enter passphrase for private key:
Password:

Resolution

Public key authentication with ssh is more secure than using a password alone. Passwords may eventually be cracked through brute force attacks, while ssh keys are nearly impossible to decipher this way alone.

SSH key pairs are two cryptographically secure keys that consist of a public key and a private key. The private key should be kept absolutely secret, preferably secured with a passphrase, while the public key can be shared and placed on any server. The public key can only be "unlocked" by the private key. Connecting to a server that has this public key can grant authorization to a client that has the private key. This key-pair can unlock the system without the need for a password. In this way, authorized keys on a particular server are public keys that grant access and can be thought of as locks that only the associated private key can open.

The Privileged Account Manager (PAM) Credential Vault may contain "Linux / Unix / Network Device" Resources configured with SSH-Private-Key Credentials. In this case, the private key is kept in the PAM Credential Vault. The associated public key must be placed on any servers to which access should be given as an authorized key. In order to connect to a server with an ssh private key credential, the associated public key must be placed on the server as an authorized key.

Automatically with Password Management

Linux/UNIX credentials can be automatically managed by PAM through the Password Management feature. Since the password change task is executed by the Resource's Reconcile Account, a credential could be added to the Resource that doesn't yet have ssh-key authentication configured. Simply add the Credential to the Resource in the PAM Vault, set the Credential Type to SSH Private Key and provide some value for both the SSH Private Key and Passphrase fields - any value will do since PAM will be performing the password change task which will rotate the ssh keys and a new one will be generated, it is not important for this initial credential's password or key to be correct. If the credential is automatically enrolled for Password Management based on the Resource's configuration (see Configuring Password Management for more details), then the key rotation should take place automatically based on the First Run configuration set in the Vault Properties > Linux Password Change Task. Otherwise, the password change can be manually triggered if needed.

Manually with ssh-keygen

Please consider the below steps as a simple example only:
Note: SSH supports several public key algorithms for authentication keys. Please research or consult for the most up to date security practices regarding how to select an appropriate algorithm and key size, etc.

  1. Generate the key-pair with passphrase:
    ssh-keygen -t ed25519 -f <key_file>
    e.g. ssh-keygen -t ed25519 -f example

  2. Copy the public key to the target server or run host:
    ssh-copy-id -i <pub_file> runUser@runHost
    e.g. ssh-copy-id -i example.pub runUser@runHost

  3. Verify the public key has been placed on the target server / run host in the run user's authorized_keys file:
    default location is ~/.ssh/authorized_keys

  4. Copy the generated private key file contents from Step 1 and configure the credential in the PAM Resource.

Cause

The public key has not been placed on the run host as an authorized key or the passphrase stored in the vault is incorrect.