Keyset details
The keyset details page shows the trust relationships and accounts that are linked to a keyset in the SSH inventory in SSH Protect. Access this page by clicking on an access link in the SSH Keyset Inventory.
At the top of the keyset details page you see the following information:
- Keyset Type - Either User (keys used for interactive and service user authentication) or Host (keys used for host identity).
- Algorithm - The encryption algorithm used to generate the keyset.
- Length - The length of the key, which directly corresponds to the strength of the key.
- Keyset ID - A unique identifier for the keyset.
The tabs of the keyset details page are: (1) Keyset details; (2) Private Keys; (3) Authorized Keys (or Known Host Keys); and (4) Permissions. Each of these tabs is described in more detail in the sections below.

The Keyset Details tab shows metadata about the keyset, including:
- MD5 Fingerprint - The MD5 hash of the key. Sometimes referred to as a "thumbprint."
- SHA256 Fingerprint - The SHA256 hash of the key. Sometimes referred to as a "thumbprint."
- Last Rotated - The date that the keyset was last rotated by SSH Protect.
- Next Rotation - The date the next rotation is scheduled to happen in SSH Protect. A value is only shown here if the rotation is actually scheduled to occur.
- Folder - If the keyset has been placed in a policy folder, the folder name appears here. If the keyset is not in a policy folder, this field is not displayed, and the keyset's permissions are based on its device permissions. If you don't see the Folder field, you can move the keyset into a folder; the field is then displayed and policy permissions are applied.

The Private Keys tab shows you all the locations of private keys that Trust Protection Platform knows about. The number of items is shown in the tab, as well as on the right side of the screen, above the table. There is also the ability to generate a report of the private keys for the keyset by clicking the Generate Report button.
The private key list includes the following fields:
- Account - Owner of the key (system account or email of the owner if the key's location is not known).
- Location - The device that uses the key (first line) and the file path (second line), as well as the key format (shown with a gray background). If there is a value in parentheses, this is the environment of the device the key was located on. If the environment for the authorized key is different from the environment for the corresponding private key, an "Environment Crossing" warning is displayed at the top of the screen. This indicates that a key is split between environments, which can present a security risk. If the corresponding public key is located on the device in the same folder as the private key, a Show Public Key drop-down is available. When you click it, a section with information about the public key is shown, including the account, location, and status of the public key. This connection between the private key and the public key is important, because if there is an error during key rotation, the key data might contain an error. Displaying that information in SSH Protect helps you identify issues so you can correct them.
- Notes - If you created a manual key, you can add notes in a free-form text box, allowing you to add additional context or other information about the key. You can edit this field for manual keys only.
- Risks - Security vulnerabilities or risks that have been identified for this key. See About SSH risks and how to resolve them for more details.
- Status - The status of the key in Trust Protection Platform. Status can be one of:
  - OK - Key is in a steady state.
  - Provisioning - Key is marked to be provisioned to the device. The key enters this state after the Add, Edit or Rotate operation is triggered, and remains in this state until either SSH Protect performs the task using the agentless SSH connection, or an agent receives and performs the SSH remediation work. For more information see Setting up SSH remediation work.
  - Provisioning Failed - There was an unrecoverable error while writing out the key file. In this case, the error message is shown as a tool tip. You can either Cancel the operation, or resolve the issue causing the error and then Retry the operation.
  - Removing - Key is marked to be removed from the device. The key enters this state after the Delete operation is triggered, and remains in this state until either SSH Protect performs the task using the agentless SSH connection, or an agent receives and performs the SSH remediation work. For more information see Setting up SSH remediation work.
  - Removing Failed - There was an unrecoverable error during the removal of the key. In this case, the error message is shown as a tool tip. You can Cancel the operation, or resolve the issue causing the error and then Retry the operation.
- Actions - This column may contain an action button. For example, you may be able to specify a new passphrase for the private key.

The Authorized Keys and Known Host Keys tabs show you all the locations of public authorized and known host keys that SSH Protect knows about. The number of items is shown in the tab, as well as on the right side of the screen, above the table. The public keys are shown here only if they are located in a recognized authorized_keys file as defined in sshd_config, or in the known_hosts file.
NOTE The tab has the name "Known Host Keys" for host keysets (if the keyset allows the device to connect as a client to another device). For user authentication keys (if the keyset allows other devices to connect to this device), the tab is called "Authorized Keys." A given device may have both host and authorized keys if it has incoming and outgoing connections.
The key list includes the following fields (not all fields may be shown, depending on your configuration):
- Account - Owner of the key (system account or email of the owner if the key's location is not known).
- Location - The device that uses the key (first line) and the file path (second line), as well as the key format (shown with a gray background). If there is a value in parentheses, this is the environment of the device the key was located on. If the environment for the authorized key is different from the environment for the corresponding private key, an "Environment Crossing" warning is displayed at the top of the screen. This indicates that a key is split between environments, which can present a security risk.
- Last Used - The date and time when this key was used. To see this information, you need to configure collecting Key Usage. For more information see Using key usage data for analytics.
- Options - Authorized key options. If present, source restrictions (allow and deny), forced command and other options are each displayed on a separate line, with an icon indicating the option being listed.
- Notes - If you created a manual key, you can add notes in a free-form text box, allowing you to add additional context or other information about the key. You can edit this field for manual keys only.
- Comment - Key material in the authorized_keys file often has a comment, which is any data separated from the key material by a space. When SSH Protect discovers keys in the authorized_keys file, it stores the comment and displays it in this column. (You can also filter by this comment in the SSH Key Inventory. See Authorized key comments for more information.)
- Risks - Security vulnerabilities or risks that have been identified for this key. See About SSH risks and how to resolve them for more details.
- Status - The status of the key in Trust Protection Platform. Status can be one of:
  - OK - Key is in a steady state.
  - Provisioning - Key is marked to be provisioned to the device. The key enters this state after the Add, Edit or Rotate operation is triggered, and remains in this state until either Trust Protection Platform performs the task using the agentless SSH connection, or an agent receives and performs the SSH remediation work. For more information see Setting up SSH remediation work.
  - Provisioning Failed - There was an unrecoverable error while writing out the key file. In this case, the error message is shown as a tool tip. You can either Cancel the operation, or resolve the issue causing the error and then Retry the operation.
  - Removing - Key is marked to be removed from the device. The key enters this state after the Delete operation is triggered, and remains in this state until either Trust Protection Platform performs the task using the agentless SSH connection, or an agent receives and performs the SSH remediation work. For more information see Setting up SSH remediation work.
  - Removing Failed - There was an unrecoverable error during the removal of the key. In this case, the error message is shown as a tool tip. You can Cancel the operation, or resolve the issue causing the error and then Retry the operation.
  - Cleaning Up - During rotation, this indicates that the old version of the public key is marked for removal.
Click the Edit button to edit the details for any row in the table.
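As an added example (not code from the SSH Protect documentation or product), the following Python parses one authorized_keys line into the Options, key type, key material and Comment fields described above, and derives the SHA256 and MD5 fingerprints shown on the Keyset Details tab in the same form that ssh-keygen -l prints them. The sample line and its key blob are constructed for illustration; the option values and the comment are assumptions.

```python
import base64
import hashlib
import struct
from collections import namedtuple

AuthorizedKey = namedtuple("AuthorizedKey", "options key_type blob comment")

def sha256_fingerprint(blob: bytes) -> str:
    # Same form ssh-keygen -l prints: base64 of the digest with "=" padding stripped
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def md5_fingerprint(blob: bytes) -> str:
    # Legacy form: colon-separated hex bytes of the digest
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def _split_options(text: str):
    """Options end at the first unquoted whitespace; commas inside quotes do not split."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(text) and (quoted or text[i] not in " \t"):
        ch = text[i]
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options")
    opts.append("".join(cur))
    return opts, text[i:].lstrip()

def parse_authorized_key(line: str) -> AuthorizedKey:
    line, options = line.strip(), []
    if not line.startswith(("ssh-", "ecdsa-", "sk-")):  # a line starting with a key type has no options
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key material")
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # the blob itself starts with a length-prefixed key type
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("declared key type does not match the key blob")
    return AuthorizedKey(options, parts[0], blob, parts[2] if len(parts) == 3 else "")

def constructed_line() -> str:
    # Constructed sample, not a real key: an ssh-ed25519 wire blob wrapped around 32 filler bytes.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return ('from="10.0.0.0/8,192.168.1.0/24",command="/usr/bin/rsync --server" ssh-ed25519 '
            + base64.b64encode(blob).decode() + " backup@example")
```

The key-type check at the end catches a line whose declared type does not match the encoded key material, which is one way a hand-edited authorized_keys entry can be malformed.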

When discovering public keys on a device, SSH Protect sometimes locates public keys that are stored outside a known_hosts file or a recognized authorized_keys file. The Idle Public Keys tab displays those keys, along with the account information and their location. Often this is because users have copied the public key to another folder, possibly for backup or other purposes. However, since these keys aren't in the known hosts or authorized keys files, you might want to remove them, as they can cause unnecessary processing when keysets are rotated.
With this information, you can go out to the devices and either move the key material into the known_hosts or authorized_keys file, or remove the key.

IMPORTANT The Permissions tab only appears if the keyset has been assigned to a policy folder in Aperture, thus allowing you to control permissions to the keyset independently from the device permissions. If you remove the keyset from all policy folders, the keyset will revert to device permissions, and the Permissions tab will not be displayed on the keyset details page. It also only appears if your user account has the Manage Permissions permission.
The Permissions tab allows you to control permissions for Trust Protection Platform users for the keyset, for keysets that have been assigned to a policy folder in Aperture. The permissions model for keysets is the same as the permissions model for other objects in Aperture, including certificates. For more details on how permissions are granted across Aperture, including for SSH keys, see About permissions.