Safeguard SSH key Authentication support

Hi,

The account specified on the Connection tab is what is called a service account on the Asset 
- This service account is normally used to connect and manage the target Asset Accounts.

For sessions, you may also enable this service account for session requests if that is what your intended configuration or you can use a managed account for sessions that is different from the service account. 

Its not clear How you configured the Scope of the Access Request Policy for this SSH access policy but you may need to specify the Asset and Account in the scope.

SSH Sessions with accounts using SSH Keys is supported from SPP yes.

Thanks!

Hi,

The account specified on the Connection tab is what is called a service account on the Asset 
- This service account is normally used to connect and manage the target Asset Accounts.

For sessions, you may also enable this service account for session requests if that is what your intended configuration or you can use a managed account for sessions that is different from the service account. 

Its not clear How you configured the Scope of the Access Request Policy for this SSH access policy but you may need to specify the Asset and Account in the scope.

SSH Sessions with accounts using SSH Keys is supported from SPP yes.

Thanks!

Dear Tawfiq,

Thank you for your input.

I was able to configure SSH key authentication instead of password, and it’s working as expected. However, I have a follow-up question. I’m using the same user account with the same SSH key across 20 different servers.

Since the account creation in Safeguard requires selecting an Asset (unless it’s an AD-joined account), what would be the best practice to handle this scenario? Is there a recommended way to efficiently manage the same account across multiple non-domain joined Linux assets?

Appreciate your guidance.

Best regards,

SPP does have a feature (SSH Key Sync Group) to sync the same SSH Key across multiple managed accounts.

This way all the member accounts of the SSH Key Sync group will have the same group SSH Key.

Please refer to the Admin guide section here:

https://docs.oneidentity.com/bundle/safeguard-for-privileged-passwords_administration-guide_8.0/page/guides/administrationguide/sshkey-sshkeysyncgroups.htm

Thanks!

Thank you for the reference, Tawfiq. I’ve reviewed that section of the guide, but I wasn’t able to locate an option to upload a static SSH key in this context.

Just to clarify — when adding accounts to a group, will the first account be treated as the source for SSH key propagation to the other accounts? Will this automatically assign the same key to all of them?

Hi,

The Sync Group itself would be the source of the SSH Key that will be managed for the group in this case.

The Web UI does not provide a way to set a static or an initial SSH key to the Sync Group but rather SPP will generate a new SSH Key for the group and update all the accounts to have this same - newly generated - SSH Key.

As per the guide: "The new key is generated for the sync group and configured for each of the synced accounts on the target host."

Thanks!

Hi Tawfiq,Just to confirm — does that mean there's no option to upload a static SSH key, similar to how we upload a key to an account for authentication? In my use case, I don’t intend to rotate or manage the key through Safeguard — I just need to use an existing key as-is.

Thanks

You can import the same SSH private key on each Account > Properties > Secrets > SSH Key > Set > Import SSH Key

Reference for Set SSH Key on account can be found here:
https://docs.oneidentity.com/bundle/safeguard-for-privileged-passwords_administration-guide_8.0/page/guides/administrationguide/accounts-checkchangesetsshkey.htm

Thanks!

Hi Tawfiq,

This is exactly what I’m trying to avoid — having to upload the SSH key on each individual account while selecting the corresponding asset.

In my case, the same username and SSH key are used across multiple servers, so I’m looking for a more efficient way to handle this setup without repeating the same process for every asset.

You can use the options for Import Accounts (using the AssetAccount template) and Import SSH Keys (using the AssetAccountSshKey template) to add the accounts and then add the same Private SSH key to all these accounts in bulk, please refer to the admin guide section here:

https://docs.oneidentity.com/bundle/safeguard-for-privileged-passwords_administration-guide_8.0/page/guides/administrationguide/importobjects.htm

Thanks!