SSH Product Overview - Venafi
SSH Product Overview
▪ Understanding SSH
▪ SSH Discovery and Remediation
▪ Agentless SSH
▪ Agent Based SSH
Where is SSH used?
[Diagram: two access paths, TLS and SSH. Labels: Customers, Partners, Employees, Admins with Root Access, Application Owners, System Admins; SSH (SCP or SFTP) for File Transfer & Remote Script Execution; host label "Jupiter".]
Simple rule of thumb:
If it’s not Windows or a Mainframe, SSH is probably used to log in to it.
SSH Basics – User Access
[Diagram: user Alice holds user key A and the host keys of Server1 and Server2; Server1 and Server2 each hold their own host key (1 and 2); Alice's public key A is listed in the Authorized Keys of both Server1 and Server2, so her private key A grants her access to both servers.]
SSH Basics – Server-to-Server Access
[Diagram: in addition to Alice's user key A, Server1 holds a client key C and a list of trusted host keys; Server1's public key C is listed in the Authorized Keys of Server2, so Server1 can log in to Server2 with key C without a user being present.]
The State of SSH in Most Organizations
▪ No inventory
▪ No key rotation
▪ Weak keys
▪ Terminated employees still have access
▪ Potential backdoor keys
▪ Pivoting opportunities for attackers
SSH Discovery and Remediation
Venafi products can discover SSH keys and report crucial details about them back to the Venafi server.
Discovery is a critical part of identifying the status of your SSH key environment across all of your systems.
SSH Discovery and Remediation
Identifying orphaned public keys and resolving them quickly can help to avoid potentially serious vulnerabilities, particularly when an orphaned key is found in a root or administrative account on a server.
Venafi products let us add and remove SSH keys.
Agentless SSH
▪ TPP server(s) will SSH to target systems to perform scans and remediation
▪ Work is performed at the time of the user's UI action
▪ Discussed in detail in its own module
Agent Based SSH
▪ Requires installation of Agent software
▪ Supports wide range of OS types
▪ Can gather SSH Key Usage info
▪ Agents call home for work
▪ Discussed in detail in its own module
Agent vs. Agentless Considerations
▪ Network traffic direction
▪ Agent(+): Key usage logging
▪ Agentless(+): More platform independent (e.g., mainframe, etc.)
▪ Agentless(-): Credential management for our own agentless access
▪ Agent(+): Better support for “intermittent” systems (e.g., user laptops)
▪ Agent(+): Support for Windows
Review
1. What are SSH Keys used for?
2. What is the purpose of authorized_keys file?
3. What is the default expiration for an SSH key?
Agentless SSH
Agentless SSH Overview
▪ SSH discovery can find SSH keys on devices that do not have agents installed on them
▪ SSH Remediation can add and remove SSH keys
▪ TPP uses a remote SSH connection to connect to the systems or servers
▪ TPP will scan per configured work and create keysets in Aperture
Configuring Agentless SSH
▪ Create Credential Objects
▪ Create Device Objects
▪ Configure SSH Work
▪ Allow scheduled work to happen
▪ View Results in Aperture
Create Credential Objects
▪ Password (Aperture or WebAdmin)
▪ SSH Private Key (WebAdmin)
Create Device Objects
▪ Done in WebAdmin
▪ Supports sudo
▪ Set Temp Directory if using sudo
Device Objects
▪ Device Inventory
▪ See status of Devices
▪ Use filters
▪ Can be created using Network Discovery
View Device Objects
▪ Shows status info
▪ Test Connection
Edit Device Objects
Configure Agentless SSH Work
▪ Enable folders for Agentless
Configure Agentless SSH Work
▪ Create Group
▪ Agent Type = No Agent Installed
Configure Agentless SSH Work
▪ Hardcodes Membership Criteria
Configure Agentless SSH Work
▪ Work Types:
‐ SSH Discovery
‐ SSH Remediation
▪ Work explained in upcoming module
Run Agentless SSH Scan
▪ Runs per schedule
▪ Can be triggered on demand
Lab: Agentless SSH
▪ Lab coming up after next module
Review
1. What are benefits of Agentless SSH?
2. Can we mix and match Agent and Agentless SSH?
3. Can Agentless SSH typically be used with Windows Servers?
Configuring SSH Work
Configuring SSH Work Overview
▪ SSH work can apply to Agents and Agentless SSH
▪ Done on the Group under Agents > Groups
▪ Specify what to scan
▪ Specify where to scan
▪ Specify when to scan
▪ Enable Remediation
Enabling SSH Discovery Work
▪ We can create a new group for SSH work only
▪ Discover SSH Work = Yes
SSH Discovery Work Settings
▪ Scan interval is similar to the Agent check-in time; the options are:
‐ Daily
‐ Weekly
‐ Monthly
‐ Hourly
‐ On Receipt
‐ Every 30 Minutes
▪ Randomization so as not to overload VMs
SSH Discovery Work Settings
Default scan paths for SSH server information and keys.
SSH Discovery Work Settings
▪ Specify folder where agent will look for:
‐ Host Keys
‐ User Keys
‐ Host Keys and User Keys
▪ Supports wildcards
▪ Specify where to not scan
SSH Discovery Work Settings
▪ Should the agent scan Network File System (NFS) mount points
▪ Minimize the impact of discovery
SSH Discovery Work Settings
▪ Select a file size threshold after which the agent should ignore files
▪ By setting this limit to 1 MB, all keystore files larger than 1 MB are ignored during SSH discovery.
SSH Discovery Work Settings
▪ Logging level detail
▪ Default is Info
▪ Written to System logs
SSH Remediation Work
▪ SSH Remediation > Remediate SSH Work = Yes
SSH Remediation Work
▪ How often Agents check for Remediation work
▪ Interval between monthly and 1 minute
▪ Randomization
▪ Start time
▪ Agentless SSH performs work immediately
SSH Remediation Work
▪ Logging level detail
▪ Default is Info
▪ Agent Writes to:
‐ Syslog
‐ Event Logs
SSH Key Usage Work
▪ SSH Key Usage > Collect SSH Logs = Yes
SSH Key Usage Work
▪ How often Agents Deliver SSH Key Usage data
▪ Interval between daily and 1 minute
▪ Randomization
SSH Key Usage Work
▪ Cache size on Agent side
▪ Agent logging for SSH Key Usage
SSH Key Usage – Agent side
▪ Only Venafi Agent can gather SSH Key Usage!
▪ Steps required on Venafi Agent side:
https://support.venafi.com/hc/en-us/articles/215911487
Lab: Configuring SSH Work
SSH labs can be done with Agentless or Agent Based SSH.
▪ Configuring Agent SSH Work Lab
‐ Agent SSH configuration
‐ Enable Discovery and Remediation
▪ Configuring Agentless SSH Lab
‐ Agentless Based SSH configuration
‐ Enable Discovery and Remediation
Review
1. Where are SSH Discovery results placed?
2. How often will the Agents scan for SSH Keys?
3. How often will Agentless SSH scan run?
4. Where does the Agent log SSH discovery information?
Creating and Configuring SSH Policy
Working with SSH Key Policies
▪ Lock or suggest values*
▪ Settings inherited down the tree
▪ Agents represented in Policy structure
▪ Permission assignment
▪ Find policy violations
*Unlike Certificate Policy, some locked values are only used for reporting. For example, multiple private key instances are reported as violations when the setting is locked to "not allowed".
Configuring SSH Policy
▪ Done in Aperture
▪ Configuration > Policies
▪ Opens Policy tree view
▪ Click on folder icon to expand
SSH Policy - General
▪ Lets you allow or deny a user's access based on one or more remote IP addresses or host names
▪ The setting is added to authorized_keys
SSH Policy - General
▪ Using forced commands, you can limit a user account's SSH access and usage
▪ Instead of the client deciding which command runs, the Policy forces the command
SSH Policy - General
▪ Login options in authorized_keys for example:
‐ no-user-rc
‐ no-X11-forwarding
‐ no-agent-forwarding
▪ More found in documentation
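The allow/deny-by-address setting, the forced command and the login options above are all OpenSSH authorized_keys options, so the practical questions are which clients sshd will accept for a given from= value and what a policy-generated entry looks like. The following added example is not Venafi code: it reimplements the semantics of OpenSSH's addr_match_list() (CIDR patterns preferred, then * and ? wildcards, a matching "!" pattern denying immediately), renders the option prefix a policy would prepend to an entry, and reports restriction flags an existing entry lacks. The policy values (POLICY_SOURCES, the backup wrapper path, POLICY_RESTRICTIONS) are constructed.

```python
"""from= evaluation and policy option rendering for authorized_keys entries.
Added illustration, not Venafi code. addr_match_list() follows the semantics of
OpenSSH's addr_match_list() in addrmatch.c; only the client IP is matched here
(sshd additionally tries the resolved host name against the same patterns)."""
import fnmatch
import ipaddress

def addr_match_list(addr, pattern_list):
    """1 = positive match, 0 = no match, -1 = explicitly negated, -2 = bad pattern list.
    pattern_list is the unquoted from= value, e.g. 10.0.0.0/8,!10.0.5.0/24"""
    try:
        client = ipaddress.ip_address(addr)
    except ValueError:
        return -2
    result = 0
    for pattern in pattern_list.split(","):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if not pattern:
            return -2                      # empty pattern, e.g. a trailing comma
        if "/" in pattern:                 # CIDR form is tried first, as in OpenSSH
            try:
                net = ipaddress.ip_network(pattern, strict=False)
            except ValueError:
                return -2
            matched = client.version == net.version and client in net
        else:                              # otherwise a wildcard string match (* and ?;
            matched = fnmatch.fnmatchcase(addr, pattern)   # fnmatch also accepts [..])
        if matched and negated:
            return -1                      # a negated match denies immediately
        if matched:
            result = 1                     # remember the match; a later '!' can still deny
    return result

def key_usable_from(from_value, client_ip):
    """Would sshd accept this key for a client at client_ip, given its from= value?"""
    return addr_match_list(client_ip, from_value) == 1

def render_policy_options(allowed_sources=(), forced_command=None, restrictions=()):
    """Option prefix a policy would prepend to an authorized_keys entry:
    from="..." for allowed/denied sources, command="..." for a forced command,
    then restriction flags such as no-X11-forwarding."""
    opts = []
    if allowed_sources:
        opts.append('from="%s"' % ",".join(allowed_sources))
    if forced_command:
        opts.append('command="%s"' % forced_command.replace('"', '\\"'))
    opts.extend(restrictions)
    return ",".join(opts)

def missing_restrictions(entry_options, required):
    """Required restriction flags that an entry's option list lacks (a policy violation)."""
    present = {o.split("=", 1)[0] for o in entry_options}
    return [r for r in required if r not in present]

# Constructed policy for a backup account: reachable from the 10/8 network except
# one subnet, and only ever allowed to run the backup wrapper.
POLICY_SOURCES = ["10.0.0.0/8", "!10.0.5.0/24"]
POLICY_RESTRICTIONS = ["no-X11-forwarding", "no-agent-forwarding", "no-user-rc"]
POLICY_PREFIX = render_policy_options(POLICY_SOURCES, "/usr/local/bin/backup", POLICY_RESTRICTIONS)
```

Prepend POLICY_PREFIX plus a space to a key line to obtain the entry the policy would write; key_usable_from shows which connecting addresses that entry then accepts.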
SSH Policy – Device Connection
Dashboard
SSH Keysets
▪ Inventory > SSH Keys
Orphan keys
▪ SSH Keys > Orphans
▪ Shows keysets where we don’t know about the matching private or public key
▪ We can see that someone has root access to multiple systems
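The user-access and server-to-server diagrams earlier and this Orphans view come down to one question: which public keys grant access where, and which of them have a known private key. The following added example is not Venafi code: from constructed authorized_keys contents it parses entries with their options, fingerprints each key the way ssh-keygen -l does (SHA256 of the decoded key blob), flags orphan public keys and those sitting in root accounts, builds a host trust map from where private key instances were found, and reports keys with multiple private key instances. All host names, accounts and key blobs are constructed.

```python
"""Inventory of authorized_keys grants across hosts, orphan detection and a host
trust map. Added illustration, not Venafi code; every host, account and key blob
below is constructed."""
import base64
import hashlib
from collections import namedtuple
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# options: leading option tokens such as 'from="10.0.0.0/8"'; blob: base64 as in the file
Entry = namedtuple("Entry", "keytype blob comment options")

def split_options(text):
    """Split the option field on commas that are not inside double quotes."""
    opts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        opts.append("".join(buf))
    return opts

def parse_line(line):
    """Parse one authorized_keys line; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not line.startswith(KEY_TYPE_PREFIXES):
        # The option field extends to the first whitespace outside double quotes
        # (backslash-escaped quotes inside command="..." are not handled here).
        i, quoted = 0, False
        while i < len(line):
            if line[i] == '"':
                quoted = not quoted
            elif line[i].isspace() and not quoted:
                break
            i += 1
        options, line = split_options(line[:i]), line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return Entry(parts[0], parts[1], parts[2] if len(parts) > 2 else "", options)

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def build_inventory(authorized_files):
    """{(host, account): file text} -> {fingerprint: [(host, account, Entry)]}."""
    inventory = {}
    for (host, account), text in authorized_files.items():
        for line in text.splitlines():
            entry = parse_line(line)
            if entry is not None:
                inventory.setdefault(fingerprint(entry.blob), []).append((host, account, entry))
    return inventory

def find_orphans(inventory, private_locations):
    """Grants whose private key was never found: the orphan keysets of the slides."""
    return {fp: g for fp, g in inventory.items() if fp not in private_locations}

def root_grants(grants_by_fp):
    """(host, account) pairs where one of the given keys sits in a root account."""
    return sorted({(h, a) for grants in grants_by_fp.values() for h, a, _ in grants if a == "root"})

def host_trust_map(inventory, private_locations):
    """Source host -> {(target host, account)} reachable with a discovered private key."""
    edges = {}
    for fp, locations in private_locations.items():
        for src_host, _ in locations:
            for dst_host, account, _ in inventory.get(fp, []):
                edges.setdefault(src_host, set()).add((dst_host, account))
    return edges

def multiple_private_instances(private_locations):
    """Keys whose private half exists in more than one place (reported as a violation)."""
    return sorted(fp for fp, locs in private_locations.items() if len(locs) > 1)

# Constructed key blobs: only the decoded bytes matter for fingerprinting.
KEY_A = base64.b64encode(b"constructed user key A (alice)").decode()
KEY_C = base64.b64encode(b"constructed client key C (server1 backup job)").decode()
KEY_X = base64.b64encode(b"constructed key whose owner is unknown").decode()

SAMPLE_AUTHORIZED = {  # constructed authorized_keys contents per (host, account)
    ("server1", "alice"): f"ssh-ed25519 {KEY_A} alice@laptop\n",
    ("server2", "alice"): f'from="10.0.0.0/8",no-X11-forwarding ssh-ed25519 {KEY_A} alice@laptop\n',
    ("server2", "backup"): f'command="/usr/local/bin/backup,--verify",no-pty ssh-ed25519 {KEY_C} server1\n',
    ("server1", "root"): f"# legacy deploy key, owner unknown\nssh-rsa {KEY_X} olddeploy\n",
    ("server2", "root"): f"ssh-rsa {KEY_X} olddeploy\n",
}
# Where discovery found private key instances: fingerprint -> [(host, account)].
PRIVATE_LOCATIONS = {
    fingerprint(KEY_A): [("laptop", "alice"), ("old-desktop", "alice")],
    fingerprint(KEY_C): [("server1", "backup")],
}
```

With these inputs, find_orphans reports KEY_X in both root accounts, host_trust_map shows server1 reaching server2's backup account, and KEY_A is flagged for having two private key instances.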
Keyset details
Host Trust Map
Devices
▪ Inventory > Devices
▪ View Device status, no need to check each keyset separately
Looking at a Device
▪ Overview
▪ SSH Client info
▪ SSH Host info
▪ Permissions
SSH Client – Outgoing Access
▪ Shows client keyset instances on this host
▪ Shows a warning when something is out of compliance
SSH Client – Known Host Keys
▪ Shows discovered known_hosts keys
SSH Server – Authorized Clients
▪ Shows keys that grant access to the system
SSH Server – Host Keysets
▪ Shows Host Keysets
Lab: SSH Policy Lab
▪ Configure Policies for SSH
▪ View SSH Key Discovery results
Review
1. What can we do through SSH Policy?
2. Can SSH Policy be configured through WebAdmin?
3. What is Host Trust Map?
4. What is the difference between SSH Host and Client keyset?
Responding to SSH Key Threats
SSH Remediation
SSH Remediation
In order to prevent lateral attacks on your critical servers and related network resources, you must be able to find, identify, organize, and renew your SSH key assets.
Remediation allows us to rotate existing keys and provision new ones.
Enable Remediation
▪ Configuration > Folders
▪ Only available through Policy (not on specific keyset)
Remediation Enabled – Private Keys
Remediation Enabled – Auth Keys
Working with Keysets
▪ Inventory > SSH Keys
▪ Create New Keyset
Creating New Keysets
Adding Key Instances
▪ Adding a Public Key instance to a Keyset
▪ Adding a Private Key instance to a Keyset
![Page 81: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/81.jpg)
Removing Key Instances
▪ Removing a key instance
![Page 82: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/82.jpg)
Add Public Key instance
![Page 83: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/83.jpg)
Making changes to Key instances
▪ Editing a Public key instance
![Page 84: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/84.jpg)
Making changes to Key instances
▪ Make changes and click Save
![Page 85: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/85.jpg)
Rotating Keys
▪ Start key rotation
![Page 86: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/86.jpg)
Rotating Keys
▪ Host Key rotation will pause and go into a “Reconfigure” stage
▪ Chance to manually restart/reconfigure SSHd if needed
![Page 87: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/87.jpg)
Changes To Keys Outside TPP
| Change made on the host | Detect | Remediate |
| --- | --- | --- |
| Remote Add | Add to TPP | Add to TPP |
| Remote Delete | Delete from TPP | Restore on remote |
| Remote Edit | Edit in TPP | Restore on remote |
![Page 88: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/88.jpg)
Resolving common violations
▪ Resolving Orphans
▪ Track the status of Orphan Keys
▪ Resolving Duplicate Private Keys
▪ Old Keys
▪ Weak Keys
![Page 89: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/89.jpg)
Resolving Orphans
▪ Mapping to an External Key
‐ No corresponding private key instance
‐ Creates proxy of the private key
▪ Deleting Orphans
‐ Would allow administrator or root access to system
‐ Cannot discover or verify the owner of a key
‐ Use Mark As feature if not 100% sure
![Page 90: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/90.jpg)
Tracking the status of orphans
▪ To keep track of the work we have done with each keyset, we can use the Mark As option
▪ Mark As lets us set the status of each keyset to either Reviewed As OK or Reviewed Needs Action
▪ Lets you identify which keysets have already been reviewed
![Page 91: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/91.jpg)
Mark As
▪ Reviewed As OK
‐ Indicates that you have already resolved an orphan
▪ Reviewed Needs Action
‐ Unauthorized User Trust
‐ Rogue
‐ Suspect
‐ Owned by Former Employee
▪ Generates an event
![Page 92: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/92.jpg)
Resolving Duplicate Private Keys
▪ Compliant duplicate keys
‐ No action needed
▪ Non-compliant
‐ Remove non-compliant instances
![Page 93: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/93.jpg)
Resolving Accessible Root Accounts
▪ Root accounts at the server level are typically to be avoided or kept to a minimum
‐ Remove Public Key instance from authorized_keys
‐ Add a User-access only public key
![Page 94: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/94.jpg)
Weak Key Lengths
▪ Small key length keys introduce risk
‐ Rotate keys to comply with policy, typically to RSA 2048 or DSA 1024 keys (suggested minimum sizes per algorithm)
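As an added illustration (not part of the Venafi material), a small Python check that reads the key length out of each authorized_keys entry, the way the slide's weak-key violation is decided, and flags entries below the suggested minimums. The sample entries, the names in them and the `MIN_BITS` policy values are constructed for the example.

```python
import base64
import struct

MIN_BITS = {"ssh-rsa": 2048, "ssh-dss": 1024}  # suggested minimum sizes per algorithm, from the slide

def _string(b):  # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def _mpint(x):   # SSH wire-format mpint: big-endian, with a leading 0x00 if the top bit is set
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + raw if raw[0] & 0x80 else raw)

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(b64_body):
    """Return (algorithm, bits): RSA length is the modulus n, DSA length is the prime p."""
    blob = base64.b64decode(b64_body)
    alg, off = _read_string(blob, 0)
    if alg == b"ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent, irrelevant to the length
        n, _ = _read_string(blob, off)
        return alg.decode(), int.from_bytes(n, "big").bit_length()
    if alg == b"ssh-dss":
        p, _ = _read_string(blob, off)     # first of p, q, g, y
        return alg.decode(), int.from_bytes(p, "big").bit_length()
    return alg.decode(), None  # fixed-size types such as ssh-ed25519 are not length-policed

def audit_authorized_keys(text):
    """Classify each authorized_keys entry as 'ok', 'weak' or 'unchecked' against MIN_BITS."""
    report = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"): continue  # blank or comment line
        i = next(k for k, f in enumerate(parts) if f.startswith(("ssh-", "ecdsa-")))  # skip options
        alg, bits = key_bits(parts[i + 1])
        minimum = MIN_BITS.get(alg)
        verdict = "unchecked" if minimum is None else ("weak" if bits < minimum else "ok")
        report.append((alg, bits, " ".join(parts[i + 2:]), verdict))
    return report

# Constructed sample entries: the integers are not real moduli, only sized for the length check
def _fake_key(alg, bits):
    n_or_p = _mpint((1 << (bits - 1)) | 1)
    body = _mpint(65537) + n_or_p if alg == "ssh-rsa" else n_or_p + _mpint(3) + _mpint(5) + _mpint(7)
    return base64.b64encode(_string(alg.encode()) + body).decode()
SAMPLE = "\n".join(["ssh-rsa %s legacy@app01" % _fake_key("ssh-rsa", 1024),
                    'from="10.0.0.5" ssh-rsa %s deploy@ci' % _fake_key("ssh-rsa", 4096),
                    "ssh-dss %s old-dsa@db02" % _fake_key("ssh-dss", 1024)])
```

`audit_authorized_keys(SAMPLE)` reports the 1024-bit RSA entry as weak and the other two as ok; quoted options that contain spaces (for example a `command="..."` with arguments) are not handled by the simple whitespace split.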
![Page 95: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/95.jpg)
Resolving Old Keys
▪ Keys older than allowed by Policy
‐ Rotate keys
‐ Remove keys
![Page 96: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/96.jpg)
Lab: SSH Remediation Lab
▪ Review a keyset and mark it as External key access
▪ Rotate a Private Key
▪ Remove a Key instance
▪ Provision a new Keyset to grant alice access from ServerA to ServerB
![Page 97: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/97.jpg)
Review
1. Why would you create a new Keyset?
2. Can you set SSH keys to auto-renew?
3. Can keys be downloaded from Aperture?
4. Can you upload an SSH Private Key to Aperture?
![Page 98: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/98.jpg)
Course Review
VSP16 Course Review
![Page 99: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/99.jpg)
Test Preparation
▪ Question & Answer
▪ Take Test
▪ Open Book
▪ Timed
▪ Test is at https://training.venafi.com
![Page 100: SSH Product Overview - Venafi · PDF fileSSH Product Overview ... No key rotation ... Lab: Configuring SSH Work SSH labs can be done with Agentless or Agent Based SSH](https://reader030.vdocuments.net/reader030/viewer/2022021501/5a9e2ed17f8b9a21488ce23c/html5/thumbnails/100.jpg)
Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
© 2014 Venafi Proprietary and Confidential