Set up centralized SSH key rotation

Rotating SSH keys manually across large, complex environments can become unwieldy and raise security risks. We therefore recommend using Devolutions Server’s PAM features to centralize SSH key management.

This method is rather straightforward: SSH keys imported from an SSH key provider in Devolutions Server are linked to SSH entries in Remote Desktop Manager, allowing for simplified, centralized key management.

Secure SSH key rotation with StrictModes

Devolutions PAM’s SSH key rotation requires access to the authorized_keys files on your managed systems. It is therefore recommended to use the StrictModes configuration within your SSH server settings.

For StrictModes compatibility, use the following commands on filesystems supporting Access Control Lists (ACLs):

setfacl -m u:<PAM_USER>:--x /home/<ACCOUNT>
setfacl -m u:<PAM_USER>:--x /home/<ACCOUNT>/.ssh
setfacl -m u:<PAM_USER>:rw /home/<ACCOUNT>/.ssh/authorized_keys

Replace <PAM_USER> with the username of the account Devolutions PAM uses to manage SSH keys, and <ACCOUNT> with the account to be managed with SSH keys; repeat the commands for each such account.

Steps

In Devolutions Server

  1. In Devolutions Server, go to Administration > Privileged access > Providers and click the Add (+) icon. Select the SSH key managed provider type.

    Add a provider
  2. Enter the required information. Be sure to check both Add PAM vault and Add a new scan configuration.

    Enter credentials and check options to add PAM vault and scan configuration
  3. Click on Test connection to make sure everything is in order, and Save the provider.

  4. Then, in the Scan configuration window, enter a name and click Ok.

  5. Head over to Administration > Privileged access > Scan configurations. Click on the View result button (eye icon) of the newly created scan configuration.

    View result of configuration scan
  6. Select the SSH key you wish to use and click on the Import selected computers button.

    Select the key to import
  7. Set a destination folder for the imported key and click Ok.

In Remote Desktop Manager

  1. Click Add a new entry and create an SSH terminal session entry. Enter host and credentials.

  2. In the General sub-tab of the SSH key tab, set the Entry type to Privileged account. Click the ellipsis (…) icon to the right of the Account field and find your PAM account.

    Select your PAM account
  3. Click Ok, and then Add to finalize entry creation.

To confirm that the method worked, open the SSH terminal entry in Remote Desktop Manager and run cat ~/.ssh/authorized_keys in the console. The key returned should match the one in the PAM folder created in step 7 of the Devolutions Server section.
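As an added example (not code from the original page or from Devolutions), the following Python script automates that final check: it parses the host's authorized_keys, including lines that carry options such as command="...", reports whether the key exported from the PAM folder is present, and lists any other keys that remain authorized. The key material and file contents below are constructed placeholders, not real keys.

```python
"""Confirm that a host's authorized_keys carries the PAM-managed key (constructed sample data)."""

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_authorized_keys(text):
    """Yield (options, keytype, blob, comment) per key line, skipping blanks and comments.
    Options may contain quoted strings with spaces, e.g. command="tunnel 1", so the
    options field is scanned character by character instead of split on whitespace."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_TYPES):
            quoted, i = False, 0
            while i < len(line):
                c = line[i]
                if c == "\\" and quoted:
                    i += 1  # skip the escaped character inside a quoted option value
                elif c == '"':
                    quoted = not quoted
                elif c.isspace() and not quoted:
                    break
                i += 1
            options, line = line[:i], line[i:].strip()
        fields = line.split(None, 2)
        if len(fields) < 2:
            continue  # malformed line: no key type / blob pair
        comment = fields[2] if len(fields) > 2 else ""
        yield options, fields[0], fields[1], comment

def check_rotation(authorized_keys_text, pam_public_key):
    """Return (managed_key_present, other_keys): other_keys lists authorized keys that
    are not the PAM-managed one, i.e. candidates for cleanup after rotation."""
    want_type, want_blob = pam_public_key.split()[:2]
    present, others = False, []
    for _opts, keytype, blob, _comment in parse_authorized_keys(authorized_keys_text):
        if (keytype, blob) == (want_type, want_blob):
            present = True
        else:
            others.append(f"{keytype} {blob[:16]}...")
    return present, others

# Constructed sample: one stale key carrying options, then the PAM-managed key.
SAMPLE_AUTHORIZED_KEYS = """# managed by Devolutions PAM
command="/usr/bin/backup run",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEY backup@old
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEW pam-rotated
"""
SAMPLE_PAM_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEW exported-from-pam"

if __name__ == "__main__":
    ok, leftovers = check_rotation(SAMPLE_AUTHORIZED_KEYS, SAMPLE_PAM_KEY)
    print("PAM key present:", ok, "| other keys still authorized:", leftovers)
```

Feed it the real output of cat ~/.ssh/authorized_keys and the public key from the PAM folder to get a yes/no answer plus a list of leftover keys worth reviewing.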
