Jump to content
1527460Kevin

SSH key rotation

Recommended Posts

Hello,

 

Anyone that has added some sort of SSH key management with Passwordstate, maybe with the use of API's?

I've read in the user manual that it is possible to start a remote session via an SSH key in a password list, is it however also possible to do some sort of SSH key rotation? maybe via the use of a script that generates new keys on the hosts and pushes them to Passwordstate or something like it?

I'm curious wether someone here has done it or has thought about it.

 

Thanks for all the help so far, I'm loving both Passwordstate and the community!

 

Share this post


Link to post
Share on other sites

Hi Kevin,

 

We believe the only way this would be possible would be via our API, but unfortunately we've never tackled something like this. Hopefully someone in the community has strong linux scripting skills, to point you in the right direction.

Regards

Click Studios

Share this post


Link to post
Share on other sites

Aye, it should be possible to achieve, but it'll need some work on multiple ends of things.

 

The biggest problem is the distribution of the private key. @1527460Kevin suggests generating them on the Linux box and then pushing them out to PasswordState. Personally, that's not something I'd recommend because now you're transporting the literal key to your system, which either is not password protected, or your transporting along with its password. That could/would be not a problem, except that you're wanting to do it unattended. I mean, if you're doing it personally, you can immediately tell if something's gone wrong.

 

The prettiest solution I can think of is to:

  1. Generate the new keypair on the PasswordState box using puttygen.
  2. Import the private key into the appropriate account object into PasswordState using the API and remove the original file from the file system.
  3. Have the Linux/Unix hosts use AD for their authentication backend (through SSSD).
  4. Push the public key into the relevant user's altSecurityIdentities field in AD.

All this should be doable with Powershell, combined with API calls to PasswordState. It also takes care of the public key distribution, saving you the effort of sending the pubkey to X amount of servers.

 

Alternatively you could of course push the pubkey to each of the X servers that the account exists on, using pscp (the Putty CLI SCP client).

 

However, that brings me back to an issue I was having earlier last week: PasswordState does not have a way of linking one account to X amount of hosts. Unless it's an AD account, you'll find 1:1 - account:host relationships. That's not always ideal.

 

 

Share this post


Link to post
Share on other sites

Glad to hear that it's been of some help!

 

I have a setup where an AD-account is used as privileged Linux user for the password changes by PasswordState, it uses the SSH keys you can store in PState and does it exactly in the way I've explained: pubkey in AD. What's more, we even pull our SUDO commands for the account in question from AD, as explained on my blog. I'll have to look into automating the key rotation you've asked about, as that will up the security a bit more :)

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...