Rotation of the Password and SSH Key for SSH Secrets


Ekran System can rotate the passwords and SSH keys of SSH secrets, that is, change or reset them on a regular schedule so that a leaked credential stays usable for only a limited time.


An SSH secret can authenticate to the target host in one of two ways:

• Using a password

• Using an SSH key

Accordingly, rotation works differently for SSH passwords and for SSH keys.

NOTE: In most cases, the target host defined in the secret runs an OpenSSH server, which is the SSH server shipped with most Linux distributions, so this document assumes OpenSSH throughout. For SSH secrets to be used or rotated correctly, the target host defined in the SSH secret must be correctly configured and running the OpenSSH server.


SSH Password Rotation for SSH Secrets

Precondition: The user login and password defined in the SSH secret should be valid for the target host.

Rotation logic: The Ekran System Application Server connects to the target host using the credentials defined in the secret and changes the password of that user to a newly generated one.
Both the old and the new password are kept in the Application Server database while the operation runs; the old password is deleted from the database only after every step has completed successfully.
If a step fails, the secret is restored to a valid state using whichever of the two passwords is still valid on the target host.
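The sequence above, written out as an added example (this is not Ekran System code and does not show how the Application Server is implemented): a POSIX shell script that changes the password over SSH, verifies the new one before discarding the old one, and falls back to whichever password still works. It assumes sshpass is installed for non-interactive password login and that the account may run "sudo -n chpasswd" (chpasswd needs root); ssh_exec, gen_password and rotate_password are hypothetical names.

```shell
#!/bin/sh
# Added example, not Ekran System code: password rotation against an OpenSSH
# target. Assumptions (not from the page): sshpass is installed, the account may
# run "sudo -n chpasswd", and every function name here is hypothetical.
# Usage: TARGET_HOST=host USER_NAME=user sh rotate_pw.sh 'current-password'

# Run a command on the target as $USER_NAME, authenticating with password $1.
# Non-zero status means the password was rejected or the command failed.
ssh_exec() {
    pw="$1"; shift
    SSHPASS="$pw" sshpass -e ssh -o PreferredAuthentications=password \
        -o NumberOfPasswordPrompts=1 -o StrictHostKeyChecking=yes \
        "$USER_NAME@$TARGET_HOST" "$@"
}

# A fresh 24-character random password (assumes /dev/urandom).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Rotate the password given as $1. Prints the password that is valid when the
# function returns, which is what the secret store must keep: the new one on
# success (status 0), the old one after a rollback (status 3 or 4). Both values
# stay in scope until the end, mirroring "old and new kept until all steps succeed".
rotate_password() {
    old_pw="$1"
    new_pw=$(gen_password)

    # 1. Precondition: the stored password must still work before anything changes.
    ssh_exec "$old_pw" true || { echo "old password rejected; nothing changed" >&2; return 2; }

    # 2. Change it. chpasswd reads "user:password" lines from stdin, so the new
    #    password never appears on a command line or in the remote shell history.
    printf '%s:%s\n' "$USER_NAME" "$new_pw" | ssh_exec "$old_pw" sudo -n chpasswd \
        || { echo "chpasswd failed; old password still valid" >&2; echo "$old_pw"; return 3; }

    # 3. Verify the new password really authenticates; only then may the old one go.
    if ssh_exec "$new_pw" true; then
        echo "$new_pw"; return 0
    fi

    # 4. Failure after the change: find out which of the two passwords still works
    #    and hand that one back so the secret is restored to a valid state.
    if ssh_exec "$old_pw" true; then
        echo "new password not accepted; keeping the old one" >&2
        echo "$old_pw"; return 4
    fi
    echo "neither password accepted; manual recovery required" >&2
    return 5
}

if [ $# -eq 1 ] && [ -n "${TARGET_HOST:-}" ] && [ -n "${USER_NAME:-}" ]; then
    rotate_password "$1"
fi
```

The point of printing the surviving password rather than only a status is that the caller (the secret store) must always end up holding a credential that is known to work; status 5 is the one case where that cannot be guaranteed and a human has to intervene.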


SSH Key Rotation for SSH Secrets

Precondition: The user login and private key (+passphrase) defined in the SSH secret should be valid for the target host, and the corresponding public key needs to be present in the ~/.ssh/authorized_keys file (in the user's home directory on the target host).
PuTTY can be used as the SSH client for connecting to the target host, in which case it should be installed on the Ekran System Client running in Jump Server mode. PuTTY itself is not required for rotation, but the SSH key stored in the secret must be in the PuTTY private key format.
For generating PuTTY keys and configuring the OpenSSH server to accept them, see the article at https://www.ssh.com/academy/ssh/putty/windows/puttygen.

Rotation logic: The Ekran System Application Server connects to the target host using the login and private key defined in the secret, generates a new PuTTY key, and replaces the public key in the ~/.ssh/authorized_keys file with the public key of the new key.
Both the old and the new key (with their passphrases) are kept in the Application Server database while the operation runs; the old key is deleted from the database only after every step has completed successfully.
If a step fails, the secret is restored to a valid state using whichever of the two keys (+passphrase) is still accepted by the target host.
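The same sequence for keys, as an added example (not Ekran System code, and not a description of how the Application Server does it): a POSIX shell script that generates a new key pair, adds its public key to ~/.ssh/authorized_keys while still authenticating with the old key, verifies a login with the new key, and only then removes the old line; if the new key is not accepted, the new line is removed again and the old key stays the valid one. It assumes ssh, ssh-keygen and puttygen are installed, that the current private key is available to ssh in OpenSSH format without a passphrase prompt (convert a PuTTY key with puttygen first, or load it into ssh-agent) together with its .pub file; remote_sh, gen_keypair, add_remote_key, remove_remote_key, login_ok and rotate_key are hypothetical names.

```shell
#!/bin/sh
# Added example, not Ekran System code: SSH-key rotation against an OpenSSH
# target. Assumptions (not from the page): ssh, ssh-keygen and puttygen are on
# the path, the old key is in OpenSSH format with its .pub beside it and needs no
# passphrase prompt, and every function name here is hypothetical.
# Usage: TARGET_HOST=host USER_NAME=user sh rotate_key.sh /path/old_key /path/new_key

# Run shell snippet $2 on the target, authenticating only with private key $1.
# Stdin is forwarded; that is how public-key text is delivered (no key material
# quoted into a remote command line).
remote_sh() {
    ssh -i "$1" -o IdentitiesOnly=yes -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$USER_NAME@$TARGET_HOST" "$2"
}

# Generate a new ed25519 key pair at $1 and $1.pub.
gen_keypair() {
    ssh-keygen -q -t ed25519 -N "" -C "rotated-$(date +%Y-%m-%d)" -f "$1"
}

# Append the public key read from stdin to authorized_keys on the target (idempotent).
add_remote_key() {   # $1 = private key to authenticate with
    remote_sh "$1" 'k=$(cat); [ -n "$k" ] || exit 1; umask 077; f="$HOME/.ssh/authorized_keys";
        mkdir -p "$HOME/.ssh"; touch "$f"; grep -qxF -- "$k" "$f" || printf "%s\n" "$k" >> "$f"'
}

# Remove the exact public-key line read from stdin from authorized_keys on the target.
remove_remote_key() {   # $1 = private key to authenticate with
    remote_sh "$1" 'k=$(cat); [ -n "$k" ] || exit 1; umask 077; f="$HOME/.ssh/authorized_keys";
        { grep -vxF -- "$k" "$f" || true; } > "$f.tmp" && mv "$f.tmp" "$f"'
}

# Can private key $1 log in? This check decides whether the old key may be dropped.
login_ok() { remote_sh "$1" true; }

# Rotate from private key $1 to a freshly generated key at $2. Prints the path of
# the key that is valid on return: the new one on success (status 0), the old one
# after a rollback (status 3 or 4). Both keys exist on disk until the end,
# mirroring "old and new kept until all steps succeed".
rotate_key() {
    old="$1"; new="$2"
    [ -f "$old.pub" ] || { echo "need $old.pub next to the private key" >&2; return 2; }
    login_ok "$old" || { echo "old key rejected; nothing changed" >&2; return 2; }
    gen_keypair "$new" || return 3

    # Phase 1: add the new public key while still authenticating with the old one.
    # Adding before removing (rather than an in-place replace) means there is never
    # a moment with zero working keys on the target.
    add_remote_key "$old" < "$new.pub" \
        || { echo "could not add new key" >&2; rm -f "$new" "$new.pub"; echo "$old"; return 3; }

    # Phase 2: prove the new key works, then drop the old line using the new key.
    if login_ok "$new"; then
        remove_remote_key "$new" < "$old.pub" || echo "warning: old key still authorized" >&2
        # Optional PuTTY-format copy for a secret that must hold a PuTTY key.
        puttygen "$new" -O private -o "$new.ppk" 2>/dev/null || true
        echo "$new"; return 0
    fi

    # Phase 3: rollback with the still-valid old key; the secret keeps the old key.
    remove_remote_key "$old" < "$new.pub" || echo "warning: new key still authorized" >&2
    rm -f "$new" "$new.pub"
    echo "$old"; return 4
}

if [ $# -eq 2 ] && [ -n "${TARGET_HOST:-}" ] && [ -n "${USER_NAME:-}" ]; then
    rotate_key "$1" "$2"
fi
```

Matching authorized_keys lines with grep -x -F (whole line, fixed string) is deliberate: a substring match on the key blob could remove a different entry that happens to share a prefix, and a regex match would trip over the "+" and "/" characters in the base64 key material.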