SSH Authentication Templates
Overview
With this Secret Server feature, admins can use private SSH keys for PuTTY launcher sessions, for RPC tasks (configurable through password changer settings), and for Unix and Linux discovery. If a private key is passphrase-protected, the passphrase can also be stored so that Secret Server can decrypt the key when it is used. The Unix Account (SSH) secret template includes text-entry fields for the private key and passphrase by default.
The SSH Key template is included by default and can be used to store SSH keys that can later be selected for RPC, discovery, or launcher authentication on other secrets.
The Unix Account (SSH Key Rotation) and Unix Privileged Account (SSH Key Rotation) secret templates use password changers that replace the public key in the account's authorized_keys file and also change the account's password. Secret Server ships with one password changer and set of custom commands that let an account change its own public key and password, and another password changer and set of custom commands that change a user's public key and password using a privileged account. These scripts can be customized for different Unix environments.
Settings
Typical settings for these templates include:
- Secret Template Name
- Name Pattern: You can use a naming pattern to enforce a standardized name for this Secret Template. The naming pattern uses regular expressions.
- Description
- All History: Save all history of secret names using this template.
- Secret Name History Length: Number of secret names to keep in history for this template.
- Validate Password Requirements On Create: If enabled, password fields must meet the password requirements when a secret is created.
- Validate Password Requirements On Edit: If enabled, password fields must meet the password requirements when a secret is edited.
- SSH Key Format: PuTTY or OpenSSH. PuTTY's PPK format is proprietary and mainly used within the PuTTY suite, primarily on Windows systems. OpenSSH's key format, being open and standardized, enjoys broader support and compatibility across platforms and SSH clients.
- Required Permission To Edit Password Change Configuration: Specifies which permission is required to edit the password change configuration on a secret created from this template.
- SSH Key Algorithm: ECDSA (strongly recommended) or RSA (for backwards compatibility). See ECDSA Versus RSA for details.
- SSH Key Bit Size (RSA only): 1024, 2048, or 4096 bits.
ECDSA Versus RSA
ECDSA (Elliptic Curve Digital Signature Algorithm) and RSA (Rivest-Shamir-Adleman) are both cryptographic algorithms used for securing data, but they operate on different mathematical principles and offer distinct characteristics, especially when employed as SSH key algorithms:
- Security: Both RSA and ECDSA provide high levels of security, but they achieve this through different means. RSA's security is based on the difficulty of factoring large integers, while ECDSA's security relies on the elliptic curve discrete logarithm problem. Generally, ECDSA achieves security comparable to RSA with a much shorter key length. For instance, a 256-bit ECDSA key is roughly equivalent in security to a 3072-bit RSA key.
- Performance: ECDSA keys are typically smaller than RSA keys at a comparable security level, so generating and verifying signatures is faster due to the reduced computational cost. This can lead to quicker SSH key exchanges and potentially faster connections, which matters in environments with a high volume of SSH traffic.
- Compatibility: RSA is more universally supported across systems and SSH implementations because it has been in use for longer. ECDSA support is widespread but slightly less universal, which could affect interoperability in diverse environments.
- Key Length and Scalability: RSA keys usually start at 2048 bits for adequate security, with 3072 and 4096 bits being common for increased security. ECDSA keys, due to their efficiency, start at 256 bits (the P-256 curve), with P-384 and P-521 available for higher security needs. This makes ECDSA more scalable and efficient as security demands increase.
In summary, ECDSA offers a more efficient and potentially faster alternative to RSA for SSH key algorithms, especially where high security with lower computational overhead is desired. However, RSA's universal compatibility and long-standing reputation may make it a preferable choice in environments prioritizing interoperability and proven security mechanisms.
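The key-rotation templates above write public keys into authorized_keys, and the SSH Key Algorithm and Bit Size settings decide what gets written. The following added example (not Secret Server code, and not part of the original page) parses the OpenSSH public-key wire format in an authorized_keys file and flags keys that fall outside an assumed policy of "ECDSA, or RSA at 2048 bits and above"; the sample file and all key numbers are constructed placeholders, not real key material.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold, mirroring the template's RSA bit-size options

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_authorized_key(line):
    """Return (key type, algorithm family, key size in bits) for one authorized_keys line."""
    parts = line.split()
    # an options field such as from="10.0.0.5" may precede the key type
    idx = next(i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-")))
    key_type, blob = parts[idx], base64.b64decode(parts[idx + 1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the encoded key blob")
    if key_type == "ssh-rsa":
        _exp, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)  # mpint; a leading 0x00 pad byte adds no bits
        return key_type, "RSA", int.from_bytes(modulus, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)  # e.g. b"nistp256"
        return key_type, "ECDSA", int(curve.decode()[len("nistp"):])
    return key_type, "other", 0  # ssh-dss, ssh-ed25519, ... are outside the template's choices

def audit_authorized_keys(lines):
    """One (key type, family, bits, compliant) tuple per key; comments and blanks are skipped."""
    results = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        key_type, family, bits = parse_authorized_key(line)
        compliant = family == "ECDSA" or (family == "RSA" and bits >= MIN_RSA_BITS)
        results.append((key_type, family, bits, compliant))
    return results

def _mpint(value):  # positive OpenSSH mpint encoding
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def _fake_key_line(key_type, *fields, options=""):
    # builds a syntactically valid authorized_keys line from constructed field values
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{options}{key_type} {base64.b64encode(blob).decode()} demo@example"

# Constructed sample file: 2048-bit RSA, 1024-bit RSA with options, P-256 ECDSA, DSA.
SAMPLE_AUTHORIZED_KEYS = [
    "# rotated by Secret Server",
    _fake_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),
    _fake_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1), options='from="10.0.0.5" '),
    _fake_key_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64),
    _fake_key_line("ssh-dss", _mpint(3), _mpint(5), _mpint(7), _mpint(11)),
]
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)` marks the 1024-bit RSA and DSA entries as non-compliant, which is the check an admin would run before switching a template from RSA to ECDSA.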