DocumentationRelease Notes
Log In
Documentation

Managed Systems

Suggest Edits

What is a Managed System?

A managed system is a computer or device where one or more account passwords are to be maintained by Password Safe. Managed systems can be Windows machines, Unix/Linux machines, network devices, databases, firewalls, routers, iLO machines, and LDAP or Active Directory domains.

Work with managed systems

A managed system is any system being managed by Password Safe. A managed system can be an asset, database, directory, or cloud platform. By default, all managed systems are listed on the Managed Systems page, as the Smart Group filter is set to the built-in Smart Group All Managed Systems. You can filter the systems listed in the grid by selecting a different Smart Group from the Smart Group filter list.

Managed systems can be manually created from the Managed Systems page, as well as from the Assets page. Managed systems can also be added using Smart Rules.

View managed systems details

You can view details about the managed system, such as:

  • Identifying details, attributes, and policies
  • Managed accounts on the managed system
  • Smart Groups associated with the managed system
  • Accounts linked to managed accounts on the managed system
  • Public keys related to the managed system
  • Functional account for the managed system

View the details of a managed system as follows:

  1. From the Managed Systems page, click the vertical ellipsis for the managed system.
  2. Select Go to Advanced Details.
  3. Click through the tabs in the Advanced Details pane to view details on each topic.

ℹ️

Note

For managed systems that are linked to assets, you can click the View Asset link in the upper left to view the details of the asset. Click View Managed System to return the Advanced Details for the managed system.

Import an SSH server key using a Smart Rule

You can import SSH Server keys from a host and accept the key on the Advanced Details for a managed system. Supported key types are RSA, DSA, and ECDSA. From the Smart Rules page, create an asset-based Smart Rule using Actions settings such as the below:

  1. Select Manage Asset Using Password Safe from the dropdown.
  2. Select a Platform that supports server keys, such as Cisco.
  3. Select the Functional Account.
  4. For the Key Enforcement Mode option, choose either Auto Accept Initial Key or Manually Accept Keys.
  5. Set the other settings as desired or leave as defaults.
  6. Add another action to Show Asset as Smart Group.
  7. Click Create Smart Rule.

Manage the SSH server keys

After the Smart Rule processes, hosts with SSH Server keys are populated in the Smart Group you created.

An email notification is sent to the Administrators user group when a key is imported and the Key Enforcement Mode is set to Manually Accepted Keys. The email notifies the administrators that a fingerprint requires action, what asset the key is on, and also provides details about the fingerprint.

The Fingerprint Verification email template can be modified from Configuration > Privileged Access Management > Mail Templates.

Accept or deny a key

  1. From the Managed Systems page, click the vertical ellipsis for the managed system.
  2. Select Go to Advanced Details.
  3. Click the Server Keys tab.
  4. Click the vertical ellipsis for the server key you wish to work with.
    • If auto approved, no further action is required.
    • If manually approved, click Accept or Deny.
  5. After a key is accepted, from the Functional Accounts tab, click the Test Functional Account button to verify the key with the functional account.

Add a key manually

  1. From the Managed Systems page, click the vertical ellipsis for the managed system.
  2. Select Go to advanced details....
  3. Click the Server Keys tab.
  4. Click + Create New Server Key above the grid.
  5. Click Accept or Deny.
  6. Select a Key Type from the list and enter a Fingerprint and a Description.
  7. Click Create Key.
  8. After a key is added, from the Functional Accounts tab, click the Test Functional Account button to verify the key with the functional account.

ℹ️

Note

The fingerprint must be unique. An error message is displayed if the key is already imported.

Use DSS authentication

Applying DSS authentication on a managed system is a secure alternative to using password authentication. By implementing DSS authentication you can establish a more secure method of user authentication that eliminates the vulnerabilities associated with password-based access. This approach enhances the overall security of your system, reduces the risk of unauthorized access, and provides a reliable way to protect sensitive information. DSS authentication is set on the functional account and managed account properties.

DSS authentication is supported on the following systems: Linux, AIX, HP-iLO, HP-UX, DRAC, MAC OSX, Solaris, Juniper, and RACF.

ℹ️

Note

Password Safe accepts SSH keys in the OpenSSH format. This includes support for newer key types typically used in that format, such as Ed25519.

Generate and distribute the key

You can generate keys using puttygen.exe on Windows systems and ssh-keygen on Unix-based systems. Consult the system documentation for other platforms.

Example

How to generate a 2048-bit RSA key pair with ssh-keygen. The user account used to perform the scan is admin.

# ssh-keygen –t rsa -m PEM
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
/home/admin/.ssh/retina_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/retina_rsa.
Your public key has been saved in /home/admin/.ssh/retina_rsa.pub.
The key fingerprint is:
7f:5f:e3:44:2e:74:3c:c2:25:2b:82:7c:f8:0e:2a:da

/home/admin/.ssh/retina_rsa contains the RSA authentication identity of the user and should be securely transferred to the system running your scanner.

The file /home/admin/.ssh/retina_rsa.pub contains the RSA public key used for authentication. The contents of this file should be added to the file ~/.ssh/authorized_keys on all machines that the user wishes to scan using public key authentication.

Create a functional account with DSS authentication

Before you can create the account you must generate a private key. Copying or importing a key is part of setting the functional account properties with DSS authentication.

  1. From the left sidebar in BeyondInsight, click Configuration.
    The Configuration page displays.

  2. Under Privileged Access Management, click Functional Accounts.
    The Functional Accounts page displays.

  3. Click + Create New Functional Account.
    The Create New Functional Account form displays in the right panel.

  4. For the Type, select Asset.

  5. Select a platform.

  6. Select the elevation if desired.

  7. Enter the username and password.

  8. From the Authentication Type list, select DSS.

  9. Upload the DSS key file.

  10. Provide an alias and description, and then click Save New Account.

ℹ️

Note

For more information, please see Generate and distribute the key.

Create a functional account on the Unix or Linux platform

Create an account on the Unix or Linux platform with a name like functional_account.

Ensure that the su command is available on the platform.

To assign necessary privileges to the functional account, invoke the command sudo visudo in the terminal and place the following lines under the root ALL=(ALL) ALL line:

ℹ️

Note

Be sure to add sudo elevation to the functional account on the managed system. These commands are adjusted to reflect password changes and DSS key changes and are OS-specific.

MAC OSX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd

UBUNTU/REDHAT

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd

SOLARIS

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/tee, /usr/bin/sed, /usr/bin/passwd, /usr/bin/rm

HPUX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd, /usr/bin/rm

AIX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/pwdadm, /usr/bin/tee, /usr/bin/passwd, /usr/bin/sed, /usr/bin/cp, /usr/bin/rm

Test the functional account

The key can be tested from the managed system.

  1. From the left sidebar, click Managed Systems.
  2. Click the vertical ellipsis for the managed system.
  3. Select Go to Advanced Details.
  4. Under Advanced Details, select Functional Accounts.
  5. In the Functional Account panel, click Test Functional Account.

Set DSS on the managed account

An alternate and secure way to set up a managed account is with DSS authentication.

Before you can create the account, you must generate a private key. Copying or importing a key is part of setting the managed account properties with DSS authentication.

To create a managed account with DSS authentication:

  1. From the menu, select Managed Systems.
  2. Select the managed system, and then click the More Options button.
  3. Select Create Managed Account.
  4. From the Authentication Type list, select DSS.
  5. Configure all other settings as required, and then click Create Account.

DSS key auto management

A DSS key policy is set on a managed system that supports DSS authentication.

The Auto-Managed DSS key option enables DSS key auto-management to take place when the password for the account is changed, either manually or scheduled. It follows the same schedule as password changing.

Generating a new DSS public/private key pair results in the removal of the old public key (if there is one) from the authorized_keys file and appends the new public key.

Get the public key

  1. Go to the Managed Accounts page.
  2. Select the account and then click the More Options button.
  3. Select Public Key.

ℹ️

Note

If a public key has been supplied, a popup displays the current public key.

Create a DSS key policy

Password Safe ships with a default DSS key policy:

  • Type: RSA
  • Bit size: 2048
  • Encryption: Auto Managed Passphrase is Default Password Policy

You can change the settings for the default policy but you cannot delete the policy.

Optionally, you can create additional policies.

  1. Select Configuration > Privileged Access Management > DSS Key Policies.
  2. Click Create DSS Policy.
  3. Provide a name and description.
  4. Select a Key Type: RSA or DSA.
  5. Enable encryption.
  6. Select a password policy.
  7. Click Create DSS Key Policy.

Updated 5 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.