Set up centralized SSH key rotation

Rotating SSH key manually across large, complex environments can become unwieldy and raise security risks. We therefore recommend using Devolutions Server’s PAM features to centralize SSH key management.

This method is rather straightforward: SSH keys imported from an SSH key provider in Devolutions Server are linked to SSH entries in Remote Desktop Manager, allowing for simplified, centralized key management.

Devolutions PAM’s SSH key rotation requires access to authorized_keys files in your managed systems. It is therefore recommended to use the StrictModes configuration within your SSH server settings.

For StrictModes compatibility, use the following commands on filesystems supporting Access Control Lists (ACLs):

setfacl -m u:<PAM_USER>:--x /home/<ACCOUNT>
setfacl -m u:<PAM_USER>:--x /home/<ACCOUNT>/.ssh
setfacl -m u:<PAM_USER>:rw /home/<ACCOUNT>/.ssh/authorized_keys

Replace <PAM_USER> with the username of the account Devolutions PAM uses to manage SSH keys and switch ACCOUNT with all the accounts to be managed with SSH keys.

1.  In Devolutions Server, go to Administration – Privileged access – Providers and click the Add (+) icon. Select the SSH key managed provider type.

   

2. Enter the required information. Be sure to check both Add PAM vault and Add a new scan configuration.

   

3. Click on Test connection to make sure everything is in order, and Save the provider.

4. Then, in the Scan configuration window, enter a name and click Ok.

5. Head over to Administration – Privileged access – Scan configurations. Click on the View result button (eye icon) of the newly created scan configuration.

   

6. Select the SSH key you wish to use and click on the Import selected computers button.

   

7.  Set a destination folder for the imported key and click Ok.

1. Click Add a new entry and create an SSH terminal session entry. Enter host and credentials.

2. In the General sub-tab of the SSH key tab, set the Entry type to Privileged account. Click the ellipsis (…) icon right of the Account field and find your PAM account.

   

3. Click Ok, and then Add to finalize entry creation.

To make sure the method worked, check out the SSH terminal entry in Remote Desktop Manager, and enter cat ~/.ssh/authorized_keys in the console. The key returned should then match the one in the PAM folder created during step #7 in Devolutions Server.