Password Vault SSH Key Rotation
Even when the passwords of privileged accounts are changed, rotated, or stored by the Password Vault module, users who previously downloaded RSA private keys for those accounts can keep logging in to the systems with them. To close this gap, the Password Vault module can also rotate SSH keys periodically.
The Password Vault supports the RSA, DSA, ECDSA, ED25519, and ECDH cryptographic algorithms for key operations. The key lengths used for these algorithms can be customized in the Password Vault; it is recommended to review and control them in the Vault Configuration settings.
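The key-length control above is worth verifying on the target side as well: a short RSA key or a leftover ssh-dss entry in a user's authorized_keys file undoes the benefit of rotation. The following Python script is an added example, not part of this documentation or of the Password Vault product. It parses OpenSSH public-key lines with the standard library only and checks each key's type and size against a policy; the MIN_BITS values are assumptions for illustration, not Vault defaults, and DSA is left out of the policy because OpenSSH no longer accepts ssh-dss by default. Every sample key in the script is constructed (the RSA moduli are not real keys) so that it runs offline.

```python
import base64
import struct

# Assumed minimum key sizes in bits per key type (example policy, not Vault defaults).
# ssh-dss is deliberately absent so DSA keys are reported as disallowed.
MIN_BITS = {
    "ssh-rsa": 3072,
    "ecdsa-sha2-nistp256": 256,
    "ecdsa-sha2-nistp384": 384,
    "ecdsa-sha2-nistp521": 521,
    "ssh-ed25519": 256,
}
CURVE_BITS = {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}


def _string(blob: bytes, off: int):
    """Read one SSH wire 'string' (uint32 length prefix + bytes) at offset."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def _packed(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading zero byte if the high bit is set)."""
    return _packed(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def parse_public_key(line: str) -> dict:
    """Parse one authorized_keys / id_*.pub line into {'type', 'bits', 'comment'}.
    Key options such as from="..." or no-pty may precede the key type."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            break
    else:
        raise ValueError("no key type found")
    key_type = fields[i]
    try:
        blob = base64.b64decode(fields[i + 1], validate=True)
    except (IndexError, ValueError) as exc:
        raise ValueError("missing or malformed base64 key blob") from exc
    wire_type, off = _string(blob, 0)
    if wire_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type in text does not match type in blob")
    if key_type == "ssh-rsa":
        _, off = _string(blob, off)            # public exponent e
        n_bytes, off = _string(blob, off)      # modulus n; its bit length is the key size
        bits = int.from_bytes(n_bytes, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _string(blob, off)
        if curve not in CURVE_BITS:
            raise ValueError("unknown curve %r" % curve)
        bits = CURVE_BITS[curve]
    elif key_type == "ssh-ed25519":
        pk, off = _string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:
        bits = 0   # ssh-dss, sk-* and unknown types: size not evaluated
    return {"type": key_type, "bits": bits, "comment": " ".join(fields[i + 2:])}


def check_key(line: str, policy=MIN_BITS):
    """Return (ok, reason) for one public-key line against the policy."""
    try:
        key = parse_public_key(line)
    except ValueError as exc:
        return False, "unparseable: %s" % exc
    minimum = policy.get(key["type"])
    if minimum is None:
        return False, "%s is not an allowed key type" % key["type"]
    if key["bits"] < minimum:
        return False, "%s key is %d bits, policy requires at least %d" % (key["type"], key["bits"], minimum)
    return True, "%s %d bits ok" % (key["type"], key["bits"])


def audit_authorized_keys(text: str, policy=MIN_BITS):
    """Check every non-comment line of an authorized_keys file; returns [(line_no, ok, reason)]."""
    results = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            results.append((no,) + check_key(line, policy))
    return results


# --- constructed sample keys (NOT real keys; they only exercise the parser) ---
def make_rsa_line(n_bits: int, comment: str) -> str:
    n = (1 << (n_bits - 1)) | 1            # odd number with exactly n_bits bits
    blob = _packed(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def make_ed25519_line(comment: str) -> str:
    blob = _packed(b"ssh-ed25519") + _packed(bytes(range(32)))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def make_ecdsa_line(curve: str, comment: str) -> str:
    size = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
    point = b"\x04" + bytes(size) * 2     # placeholder uncompressed point
    blob = _packed(b"ecdsa-sha2-" + curve.encode()) + _packed(curve.encode()) + _packed(point)
    return "ecdsa-sha2-%s %s %s" % (curve, base64.b64encode(blob).decode(), comment)


def make_dss_line(comment: str) -> str:
    blob = _packed(b"ssh-dss") + b"".join(_mpint(v) for v in (1 << 1023, 1 << 159, 2, 3))
    return "ssh-dss %s %s" % (base64.b64encode(blob).decode(), comment)


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    make_rsa_line(3072, "ops@jump"),
    make_rsa_line(1024, "legacy@build"),
    'from="10.0.0.0/8",no-pty ' + make_ed25519_line("vault-rotated"),
    make_ecdsa_line("nistp256", "dev@laptop"),
    make_dss_line("old@host"),
    "ssh-rsa not-base64!! broken@host",
])

if __name__ == "__main__":
    for no, ok, reason in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d: %s %s" % (no, "OK  " if ok else "FAIL", reason))
```

Running the script prints one verdict per key line; the RSA-1024, ssh-dss and malformed entries fail, the others pass. In practice the same audit can be run over each managed account's authorized_keys after a rotation to confirm that only the key the Vault installed, at the configured length, is present.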
To add an SSH key account to the Password Vault:
- Navigate to Secrets > Vault.
- Open the Vault tab.
- Click the Add button and select Add Account.
- Enter the Host, Change Period, and Username.
- Select one of the SSH Key types as the Configuration. This changes the Password field to an RSA Private Key field.
- Establish an SSH connection to the target device and copy the contents of the /home//.ssh/id_rsa file (or any other path that holds the user's RSA private key).
- Paste the contents into the RSA Private Key field.
- Click Save.
The Password Vault account is saved and listed in the Password Vault Accounts section. From this point on, if the account type is dynamic, the SSH key is changed periodically; if the account type is static, the SSH key is left unchanged.
Checking out and resetting the SSH key works the same way as for any other Password Vault account.
New users on the target device can also be discovered using the SSH key. This feature is described in the section Discover Newly Users, as it works the same way as the other strategies.