Use DSS Authentication

Applying DSS authentication on a managed system is a secure alternative to using password authentication. DSS authentication is set on the functional account and managed account properties.

DSS authentication is supported on the following systems: Linux, AIX, HP-iLO, HP-UX, DRAC, MAC OSX, Solaris, Juniper, RACF.

Password Safe accepts SSH keys in the OpenSSH format, including newer key types typically used in that format, such as Ed25519.

Generate and Distribute the Key

You can generate keys using puttygen.exe on Windows systems and ssh-keygen on Unix-based systems. Consult the system documentation for other platforms.

The following example generates a 2048-bit RSA key pair with ssh-keygen; the account used to perform the scan is admin. The key size is given explicitly with -b 2048 because recent versions of ssh-keygen default to 3072-bit RSA keys.
# ssh-keygen -t rsa -b 2048 -m PEM
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/retina_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/retina_rsa.
Your public key has been saved in /home/admin/.ssh/retina_rsa.pub.
The key fingerprint is:
7f:5f:e3:44:2e:74:3c:c2:25:2b:82:7c:f8:0e:2a:da

/home/admin/.ssh/retina_rsa contains the user's RSA private key (the authentication identity). Transfer it securely to the system running your scanner; it is a credential and must be protected as one.

The file /home/admin/.ssh/retina_rsa.pub contains the corresponding RSA public key. Append its contents to the file ~/.ssh/authorized_keys of that user on every machine that is to be scanned using public key authentication.
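Before a public key line is appended to authorized_keys it is worth confirming that it really is a well-formed OpenSSH public key of an expected type; a mangled paste silently leaves the account without working key authentication. The script below is an added example, not part of the Password Safe documentation or product. It splits the line into its type and base64 fields, allow-lists the types this page names (ssh-rsa and ssh-ed25519; ssh-dss is left out because OpenSSH 7.0 and later refuse it by default), decodes the blob, and checks that the key type string embedded at the start of the OpenSSH wire format matches the declared type. The sample key lines are constructed for the example (the Ed25519 key body is 32 zero bytes) and are not real keys.

```sh
#!/bin/sh
# Added example, not Password Safe code: validate an OpenSSH-format public key
# line before appending it to ~/.ssh/authorized_keys.

# Key types accepted here. The page names RSA and Ed25519; ssh-dss is refused
# by default by OpenSSH 7.0 and later, so it is deliberately absent.
ALLOWED_TYPES="ssh-rsa ssh-ed25519"

# validate_pubkey_line "<key line>"
# Returns 0 if well-formed, 1 missing fields, 2 type not allowed,
# 3 blob is not base64, 4 blob does not encode the declared type.
validate_pubkey_line() {
    line=$1
    type=$(printf '%s\n' "$line" | awk '{print $1}')
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    [ -n "$type" ] && [ -n "$blob" ] || return 1

    case " $ALLOWED_TYPES " in
        *" $type "*) ;;
        *) return 2 ;;
    esac

    # Decode to a temp file so individual bytes can be inspected.
    tmp=$(mktemp) || return 3
    if ! printf '%s' "$blob" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 3
    fi

    # OpenSSH wire format: the blob starts with a big-endian uint32 length
    # followed by the key type string. Both must agree with field 1.
    hexlen=$(od -An -tx1 -N4 "$tmp" | tr -d ' \n')
    embedded=$(tail -c +5 "$tmp" | head -c "${#type}")
    rm -f "$tmp"
    [ "${#hexlen}" -eq 8 ] || return 4
    [ "$((0x$hexlen))" -eq "${#type}" ] || return 4
    [ "$embedded" = "$type" ] || return 4
    return 0
}

# Constructed sample lines (not real keys; the Ed25519 key body is all zeros).
GOOD_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA functional_account@constructed"
WRONG_TYPE_KEY="ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA mislabelled@constructed"
DSS_KEY="ssh-dss AAAAB3NzaC1kc3MAAACBAP8= legacy@constructed"
JUNK_KEY="ssh-ed25519 not*base64*at*all junk@constructed"

for k in "$GOOD_KEY" "$WRONG_TYPE_KEY" "$DSS_KEY" "$JUNK_KEY"; do
    rc=0
    validate_pubkey_line "$k" || rc=$?
    if [ "$rc" -eq 0 ]; then
        printf 'OK         %s\n' "$k"
    else
        printf 'REJECT(%s)  %s\n' "$rc" "$k"
    fi
done
```

Only the first sample passes; the second is rejected because the declared type (ssh-rsa) disagrees with the type encoded inside the blob (ssh-ed25519), which is exactly the kind of copy-and-paste damage a plain "does it start with ssh-" check would miss.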

Create a Functional Account with DSS Authentication

Before you can create the account you must generate a private key. Copying or importing a key is part of setting the functional account properties with DSS authentication.

  1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Functional Accounts.
  2. Click Create Functional Account.
  3. For the Type, select Asset.
  4. Select a platform.
  5. Select the elevation if desired.
  6. Enter the username and password.
  7. From the Authentication Type list, select DSS.
  8. Upload the DSS key file.
  9. Provide an alias and description, and then click Save New Account.

For more information, please see Generate and Distribute the Key.

Create a Functional Account on the Unix or Linux Platform

Create an account on the Unix or Linux platform with a name like functional_account.

The sudoers configuration below applies to Password Safe v6.4.4 or later.

Be sure to add sudo elevation to the functional account on the managed system. The commands granted are the ones Password Safe runs when it changes the account's password or rotates its DSS key, and the binary paths are OS-specific. To assign the necessary privileges, run sudo visudo in a terminal and add the line for your operating system under the root ALL=(ALL) ALL line:

MAC OSX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd

UBUNTU/REDHAT

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /bin/sed, /usr/bin/tee, /usr/bin/passwd

SOLARIS

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/tee, /usr/bin/sed, /usr/bin/passwd, /usr/bin/rm

HPUX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd, /usr/bin/rm

AIX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/pwdadm, /usr/bin/tee, /usr/bin/passwd, /usr/bin/sed, /usr/bin/cp, /usr/bin/rm

Test the Functional Account

The key can be tested from the managed system.

  1. From the menu, select Managed Systems.
  2. Select the managed system, and then click the More Options button.
  3. Select Go to advanced details.
  4. Select Functional Accounts.
  5. Click Test Functional Account.

Set DSS on the Managed Account

DSS authentication is a secure alternative to password authentication for a managed account.

Before you can create the account, you must generate a private key. Copying or importing a key is part of setting the managed account properties with DSS authentication.

To create a managed account with DSS authentication:

  1. From the menu, select Managed Systems.
  2. Select the managed system, and then click the More Options button.
  3. Select Create Managed Account.
  4. From the Authentication Type list, select DSS.
  5. Configure all other settings as required, and then click Create Account.

For more information, please see the following sections.

DSS Key Auto Management

A DSS key policy is set on a managed system that supports DSS authentication.

The Auto-Managed DSS key option rotates the DSS key whenever the account's password is changed, whether manually or on a schedule; key rotation follows the same schedule as password changes.

Generating a new DSS public/private key pair will remove the old public key (if there is one) from the authorized_keys file and append the new public key.
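The sudoers lines earlier on this page grant the functional account grep, sed and tee because a key rotation is, on the managed system, an edit of the account's authorized_keys file. The script below is an added example, not Password Safe's own rotation code, showing the sequence the paragraph above describes in a failure-safe order: append the new public key first, remove only the line whose key material matches the old key, then verify the new key is present before reporting success, so an interrupted rotation cannot leave the account with no key at all. It matches on the key field with awk rather than on the whole line so a changed comment does not defeat the removal. The key lines are constructed samples, and the demo operates on a temporary file rather than a real ~/.ssh/authorized_keys.

```sh
#!/bin/sh
# Added example, not Password Safe's rotation code: swap an old public key for
# a new one in an authorized_keys file, keeping every other key in place.

# rotate_authorized_key <authorized_keys path> "<old key line>" "<new key line>"
# Returns 0 on success, 1 on bad input, 2 if the new key is missing afterwards.
rotate_authorized_key() {
    authfile=$1 old_key=$2 new_key=$3
    # Match on the key material (field 2) so a different comment still matches.
    old_blob=$(printf '%s\n' "$old_key" | awk '{print $2}')
    new_blob=$(printf '%s\n' "$new_key" | awk '{print $2}')
    [ -n "$old_blob" ] && [ -n "$new_blob" ] && [ -f "$authfile" ] || return 1

    # 1. Append the new key first (unless already present), so there is never
    #    a moment with neither key installed.
    if ! grep -q -F -- "$new_blob" "$authfile"; then
        printf '%s\n' "$new_key" | tee -a "$authfile" > /dev/null
    fi

    # 2. Drop only lines whose key field equals the old key material. Write to
    #    a temp file in the same directory and rename it into place so sshd
    #    never reads a half-written file.
    tmp=$(mktemp "$(dirname "$authfile")/.authorized_keys.XXXXXX") || return 1
    awk -v old="$old_blob" '$2 != old' "$authfile" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$authfile"

    # 3. Verify before reporting success.
    grep -q -F -- "$new_blob" "$authfile" || return 2
    return 0
}

# Constructed sample key lines (not real keys): another admin's key that must
# survive the rotation, the functional account's old key, and its replacement.
OTHER_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB ops-admin@constructed"
OLD_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC functional_account@old"
NEW_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD functional_account@new"

# demo_rotation: build a throwaway authorized_keys file holding the other
# admin's key and the old key, then rotate. Sets DEMO_AUTHFILE to its path.
demo_rotation() {
    DEMO_AUTHFILE=$(mktemp) || return 1
    printf '%s\n%s\n' "$OTHER_KEY" "$OLD_KEY" > "$DEMO_AUTHFILE"
    rotate_authorized_key "$DEMO_AUTHFILE" "$OLD_KEY" "$NEW_KEY"
}

rc=0
demo_rotation || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "rotation succeeded; $DEMO_AUTHFILE now contains:"
    cat "$DEMO_AUTHFILE"
else
    echo "rotation failed (status $rc)"
fi
```

After the demo the file holds exactly two lines, the other admin's key and the new functional account key; running the rotation a second time with the same arguments changes nothing, which matters when a scheduled job retries after a partial failure.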

For more information, please see Create a DSS Key Policy.

Get the Public Key

  1. Go to the Managed Accounts page.
  2. Select the account, and then click the More Options button.
  3. Select Public Key.

If a public key has been supplied, a popup displays the current public key.

Create a DSS Key Policy

Password Safe ships with a default DSS key policy:

  • Type: RSA
  • Bit size: 2048
  • Encryption: enabled, with an auto-managed passphrase generated under the Default Password Policy

You can change the settings for the default policy but you cannot delete the policy.

Optionally, you can create additional policies.

  1. Select Configuration > Privileged Access Management > DSS Key Policies.
  2. Click Create DSS Policy.
  3. Provide a name and description.
  4. Select a Key Type: RSA or DSA.
  5. Enable encryption.
  6. Select a password policy.
  7. Click Create DSS Key Policy.