Symantec Privileged Access Management


SSH Key rotation from PAM when the Key is deleted in target server

  • 1.  SSH Key rotation from PAM when the Key is deleted in target server

    Posted Jul 25, 2018 12:57 AM

    Hi All,


    We are using PAM 3.1.1. We have the below scenario and we need your expertise and advice on the same.


    We have integrated a Linux server with PAM. There is a privileged account (local account) named pam_sysadmin which is registered and managed by PAM. This account uses SSH keys.


    My understanding is: an SSH key pair has two keys, 1 - Private, 2 - Public. Both keys are stored in PAM and only the public key is stored in the target Linux server.


    Please correct me if my understanding is incorrect...


    Question 1: When PAM rotates the keys, will it rotate both the public and private keys and update the keys in PAM?

    And does PAM update/sync the public key to the target server?


    Question 2: Now, the keys are in sync between PAM and the target server. Suppose a root-equivalent user mistakenly deleted the public key of the privileged account on the target server. Can PAM still rotate the keys and sync them to the target?


    Kindly advise...


    Thanks

    dk



  • 2.  Re: SSH Key rotation from PAM when the Key is deleted in target server
    Best Answer

    Broadcom Employee
    Posted Jul 25, 2018 02:26 PM

    Hi Dk,

    Answer 1: Yes

    Answer 2: This works only if you have another account that is used to change the key of the SSH key account, i.e. the change process under the UNIX tab is "Use the following account to change password", and the chosen account has no problem logging on to the target device.
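The failure mode behind Answer 2 is that the managed account can no longer authenticate once its entry is gone from the target's authorized_keys, so rotation has to be driven through a second account that can still log on and put the public key back. The script below is an added example, not code from the thread or from the PAM product: it is the kind of check an operator would run on the target (as the secondary account) to confirm the managed account's public key is still present and to restore it idempotently if an administrator removed it. Key-file names, the sample keys and the fake base64 blobs are all constructed for the demo; the matching is done on the key type plus blob with awk so the script needs nothing beyond POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original thread or the PAM product): verify that
# a managed account's public key is still in the target's authorized_keys and
# re-add it if it was deleted. POSIX sh + awk only; no ssh-keygen required.

# key_id PUBKEY: print "<type> <base64-blob>" of the first key in an OpenSSH
# one-line public key file, dropping the optional comment field.
key_id() {
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# key_present PUBKEY AUTHORIZED_KEYS
# Exit 0 if the key's type+blob appears in authorized_keys, 1 otherwise.
# Entries may carry options (command="...", from="...") before the key type,
# so any adjacent field pair is compared, and comment lines are skipped.
key_present() {
    id=$(key_id "$1")
    [ -n "$id" ] || return 1
    awk -v want="$id" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == want) { found = 1; exit } }
        END { exit (found ? 0 : 1) }' "$2"
}

# ensure_key PUBKEY AUTHORIZED_KEYS
# Idempotent repair step: print "present" if the key is already there,
# otherwise append the full key line and print "added".
ensure_key() {
    if key_present "$1" "$2"; then
        echo present
    else
        awk 'NF >= 2 { print; exit }' "$1" >> "$2"
        echo added
    fi
}

# Demo on constructed data: the pam_sysadmin entry has been removed from
# authorized_keys by an administrator; only an unrelated key remains.
demo() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORPAMSYSADMIN pam_sysadmin@pam\n' > "$d/pam_sysadmin.pub"
    printf '# keys installed by the server team\n' > "$d/authorized_keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORANOTHERUSER other@host\n' >> "$d/authorized_keys"
    if key_present "$d/pam_sysadmin.pub" "$d/authorized_keys"; then
        echo "pam_sysadmin key present on target"
    else
        echo "pam_sysadmin key missing: the managed account cannot log on, repair via the secondary account"
    fi
    ensure_key "$d/pam_sysadmin.pub" "$d/authorized_keys"   # added
    ensure_key "$d/pam_sysadmin.pub" "$d/authorized_keys"   # present
    rm -rf "$d"
}
demo
```

Running the check before a scheduled rotation, from the account PAM is configured to use for the change, turns a silent rotation failure into an explicit "key missing" finding; the repair step only ever appends the one missing line, so it is safe to run repeatedly.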