Using macros for SSH key email notifications
Venafi Trust Protection Platform™ provides a flexible macro language that allows administrators to call variable input for system configuration fields. This macro language is particularly useful when configuring system notifications and workflows. Using the macro language, administrators can dynamically populate fields such as message recipient or sender for SMTP notifications.
DID YOU KNOW? For your SSH key environment, you can use macros when you want to specify key properties in email notifications. Trust Protection Platform can dynamically put the details about a key in a notification email. The macros can be used for all key-related events such as provisioning, removal, or violation detection. To learn more about the new SSH notification templates and how to use them, see the example below.
To learn how to configure email notifications, see Configure email notifications for your administrators.

Here are the SSH key-related Event macros that can be used in email notifications.
Macro | Description |
---|---|
$SMTP.Key[$Event.Text2$,"KeySize"]$ | Key bit length |
$SMTP.Key[$Event.Text2$,"Algorithm"]$ | Key algorithm |
$SMTP.Key[$Event.Value1$,"Format"]$ | Format of the key content |
$SMTP.Key[$Event.Value1$,"Type"]$ | Key type (private/public/authorized/knownhost) |
$SMTP.Key[$Event.Text2$,"LastUsed"]$ | Date the key was last used, if known. NOTE: Authorized keys only. |
$SMTP.Key[$Event.Value1$,"ExpirationDate"]$ | Date the key expires. Calculated as the date of key creation + maximum key age in days as set by policy. |
$SMTP.Key[$Event.Value1$,"AllowRestrictions"]$ | Allowed source restrictions. NOTE: Authorized keys only. |
$SMTP.Key[$Event.Value1$,"DenyRestrictions"]$ | Denied source restrictions. Authorized keys only. |
$SMTP.Key[$Event.Value1$,"Command"]$ | Forced command. Authorized keys only. |
$SMTP.Key[$Event.Value1$,"Options"]$ | Other key options. NOTE: Authorized keys only. |
$SMTP.Key[$Event.Value1$,"Hostnames"]$ | Server hostnames. NOTE: Known host keys only. |
$SMTP.Key[$Event.Value1$,"FilePath"]$ | Path of the key file |
$SMTP.Key[$Event.Value1$,"TrustID"]$ | Identifier of the keyset that the key is in |

- From the SSH Protect menu, click Configuration > Policy Tree.
- Open the Logging tree.
- In the Logging tree, create an SMTP notification channel. To learn how to do this, see SMTP channel.
- In the Message box, use the SSH macro(s) as needed.

Notice: Your attention is required.
$SMTP.Key[$Event.Value1$,"Algorithm"]$
$SMTP.Key[$Event.Value1$,"KeySize"]$ $Event.Formatter$
Visit https://$Hostname$/Aperture/sshKeyset/details/$SMTP.Key[$Event.Value1$,"TrustID"]$ and log in to Venafi Trust Protection Platform for more information.
This email is being sent to you by Venafi Trust Protection Platform because you are named as a contact on this notification.

Notice: Your attention is required.
ssh-rsa 2048 Key at ssh-server\/home/user/.ssh/id_rsa has expired.
Visit https://tpp-host/Aperture/sshKeyset/details/599B0F305903BF03D55B08791D3E4632182EE6D4 and log in to Venafi Trust Protection Platform for more information.
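
A message body can be checked against the macro table above before it is pasted into the Message box, so that a mistyped property name or a missing quote does not surface only when a key event fires. The Python below is an added example, not part of Trust Protection Platform or its documentation; `lint_template` and its regular expressions are hypothetical names, and it assumes the table's spelling of each property is the canonical one.

```python
import re

# Property names from the macro table on this page, with the scope note the table gives.
# Assumption: the table's spelling is canonical (the page does not discuss case sensitivity).
DOCUMENTED = {
    "KeySize": None, "Algorithm": None, "Format": None, "Type": None,
    "LastUsed": "authorized keys only", "ExpirationDate": None,
    "AllowRestrictions": "authorized keys only",
    "DenyRestrictions": "authorized keys only",
    "Command": "authorized keys only", "Options": "authorized keys only",
    "Hostnames": "known host keys only", "FilePath": None, "TrustID": None,
}

# Matches $SMTP.Key[$Event.<Field>$,"<Property>"]$ as written in the table.
MACRO_RE = re.compile(r'\$SMTP\.Key\[\$Event\.(\w+)\$,\s*"([^"]*)"\]\$')
# Anything that starts like an SSH key macro, well-formed or not.
START_RE = re.compile(r'\$SMTP\.Key\b')


def lint_template(template):
    """Return a list of (line_no, severity, message) findings."""
    findings = []
    for no, line in enumerate(template.splitlines(), 1):
        good = list(MACRO_RE.finditer(line))
        if len(START_RE.findall(line)) != len(good):
            findings.append((no, "error", "malformed $SMTP.Key[...]$ macro"))
        for m in good:
            prop = m.group(2)
            if prop not in DOCUMENTED:
                hint = next((p for p in DOCUMENTED if p.lower() == prop.lower()), None)
                msg = f'unknown property "{prop}"' + (f', did you mean "{hint}"?' if hint else "")
                findings.append((no, "error", msg))
            elif DOCUMENTED[prop]:
                findings.append((no, "note", f'"{prop}" is documented for {DOCUMENTED[prop]}'))
    return findings


# Constructed sample: lines from the page's example message plus deliberately broken ones.
SAMPLE = '''Notice: Your attention is required.
$SMTP.Key[$Event.Value1$,"Algorithm"]$
$SMTP.Key[$Event.Value1$,"KeySize"]$ $Event.Formatter$
Key size: $SMTP.Key[$Event.Value1$,"Keysize"]$
Last used: $SMTP.Key[$Event.Text2$,"LastUsed"]$
Path: $SMTP.Key[$Event.Value1$,FilePath]$
'''

if __name__ == "__main__":
    for no, sev, msg in lint_template(SAMPLE):
        print(f"line {no}: {sev}: {msg}")
```

A "note" finding is a reminder that the table scopes the property to one key type, which matters when the same channel handles events for several key types.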