Safeguard SSH key Authentication support

Dear Community,

I'm currently working with a Safeguard environment running version 8 LTS. We have a scenario where a user accesses an SSH asset using their username and an SSH private key without a password.

During asset onboarding, I added the SSH private key file under the Connection tab, and the Test Connection passes successfully. However, when configuring the Access Request Policy, selecting either None or User Supplied under credential options causes the SSH key authentication to fail.

I’d like to confirm whether this specific scenario—SSH key authentication without a password—is officially supported in the current version of Safeguard, or if a Request for Enhancement (RFE) would be required.

Looking forward to your input or guidance.

  • Hi,

    The account specified on the Connection tab is what is called a service account on the Asset 
    - This service account is normally used to connect and manage the target Asset Accounts.

    For sessions, you may also enable this service account for session requests if that is your intended configuration, or you can use a managed account for sessions that is different from the service account.

    It's not clear how you configured the Scope of the Access Request Policy for this SSH access policy, but you may need to specify the Asset and Account in the scope.

    SSH Sessions with accounts using SSH Keys are supported from SPP, yes.

    Thanks!

  • Dear Tawfiq,

    Thank you for your input.

    I was able to configure SSH key authentication instead of password, and it’s working as expected. However, I have a follow-up question. I’m using the same user account with the same SSH key across 20 different servers.

    Since the account creation in Safeguard requires selecting an Asset (unless it’s an AD-joined account), what would be the best practice to handle this scenario? Is there a recommended way to efficiently manage the same account across multiple non-domain joined Linux assets?

    Appreciate your guidance.

    Best regards,

  • SPP does have a feature (SSH Key Sync Group) to sync the same SSH Key across multiple managed accounts.

    This way all the member accounts of the SSH Key Sync group will have the same group SSH Key.

    Please refer to the Admin guide section here:

    https://docs.oneidentity.com/bundle/safeguard-for-privileged-passwords_administration-guide_8.0/page/guides/administrationguide/sshkey-sshkeysyncgroups.htm

    Thanks!

  • Thank you for the reference, Tawfiq. I’ve reviewed that section of the guide, but I wasn’t able to locate an option to upload a static SSH key in this context.

    Just to clarify — when adding accounts to a group, will the first account be treated as the source for SSH key propagation to the other accounts? Will this automatically assign the same key to all of them?

  • Hi,

    The Sync Group itself would be the source of the SSH Key that will be managed for the group in this case.

    The Web UI does not provide a way to set a static or an initial SSH key for the Sync Group; rather, SPP will generate a new SSH Key for the group and update all the accounts to have this same, newly generated SSH Key.

    As per the guide: "The new key is generated for the sync group and configured for each of the synced accounts on the target host."

    Thanks!

  • Hi Tawfiq,

    Just to confirm — does that mean there's no option to upload a static SSH key, similar to how we upload a key to an account for authentication? In my use case, I don’t intend to rotate or manage the key through Safeguard — I just need to use an existing key as-is.

    Thanks
