DSS authentication with Password Safe Cloud

Applying DSS authentication on a managed system is a secure alternative to using password authentication. By implementing DSS authentication you can establish a more secure method of user authentication that eliminates the vulnerabilities associated with password-based access. This approach enhances the overall security of your system, reduces the risk of unauthorized access, and provides a reliable way to protect sensitive information. DSS authentication is set on the functional account and managed account properties.

DSS authentication is supported on the following systems: Linux, AIX, HP-iLO, HP-UX, DRAC, MAC OSX, Solaris, Juniper, and RACF.

Generate and distribute the key

You can generate keys using puttygen.exe on Windows systems and ssh-keygen on Unix-based systems. Consult the system documentation for other platforms.

✅

Example

How to generate a 2048-bit RSA key pair with ssh-keygen. The user account used to perform the scan is admin.

# ssh-keygen –t rsa -m PEM
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
/home/admin/.ssh/retina_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/retina_rsa.
Your public key has been saved in /home/admin/.ssh/retina_rsa.pub.
The key fingerprint is:
7f:5f:e3:44:2e:74:3c:c2:25:2b:82:7c:f8:0e:2a:da

/home/admin/.ssh/retina_rsa contains the RSA authentication identity of the user and should be securely transferred to the system running your scanner.

The file /home/admin/.ssh/retina_rsa.pub contains the RSA public key used for authentication. The contents of this file should be added to the file ~/.ssh/authorized_keys on all machines that the user wishes to scan using public key authentication.

Create a functional account with DSS authentication

Before you can create the account you must generate a private key. Copying or importing a key is part of setting the functional account properties with DSS authentication.

1. From the left sidebar in BeyondInsight, click Configuration.
   The Configuration page displays.

2. Under Privileged Access Management, click Functional Accounts.
   The Functional Accounts page displays.

3. Click + Create New Functional Account.
   The Create New Functional Account form displays in the right panel.

4. For the Type, select Asset.

5. Select a platform.

6. Select the elevation if desired.

7. Enter the username and password.

8. From the Authentication Type list, select DSS.

9. Upload the DSS key file.

10. Provide an alias and description, and then click Save New Account.

Create a functional account on the Unix or Linux platform

Create an account on the Unix or Linux platform with a name like functional_account.

Ensure that the su command is available on the platform.

To assign necessary privileges to the functional account, invoke the command sudo visudo in the terminal and place the following lines under the root ALL=(ALL) ALL line:

ℹ️

Note

Be sure to add sudo elevation to the functional account on the managed system. These commands are adjusted to reflect password changes and DSS key changes and are OS-specific.

MAC OSX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd

UBUNTU/REDHAT

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd

SOLARIS

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/tee, /usr/bin/sed, /usr/bin/passwd, /usr/bin/rm

HPUX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd, /usr/bin/rm

AIX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/pwdadm, /usr/bin/tee, /usr/bin/passwd, /usr/bin/sed, /usr/bin/cp, /usr/bin/rm

Test the functional account

The key can be tested from the managed system.

1. From the left sidebar, click Managed Systems.
2. Click the vertical ellipsis for the managed system.
3. Select Go to Advanced Details.
4. Under Advanced Details, select Functional Accounts.
5. In the Functional Account panel, click Test Functional Account.

Set DSS on the managed account

An alternate and secure way to set up a managed account is with DSS authentication.

Before you can create the account, you must generate a private key. Copying or importing a key is part of setting the managed account properties with DSS authentication.

To create a managed account with DSS authentication:

1. From the menu, select Managed Systems.
2. Select the managed system, and then click the More Options button.
3. Select Create Managed Account.
4. From the Authentication Type list, select DSS.
5. Configure all other settings as required, and then click Create Account.

DSS key auto management

A DSS key policy is set on a managed system that supports DSS authentication.

The Auto-Managed DSS key option enables DSS key auto-management to take place when the password for the account is changed, either manually or scheduled. It follows the same schedule as password changing.

Generating a new DSS public/private key pair results in the removal of the old public key (if there is one) from the authorized_keys file and appends the new public key.

Get the public key

1. Go to the Managed Accounts page.
2. Select the account and then click the More Options button.
3. Select Public Key.

ℹ️

Note

If a public key has been supplied, a popup displays the current public key.

Create a DSS key policy

Password Safe ships with a default DSS key policy:

• Type: RSA
• Bit size: 2048
• Encryption: Auto Managed Passphrase is Default Password Policy

You can change the settings for the default policy but you cannot delete the policy.

Optionally, you can create additional policies.

1. Select Configuration > Privileged Access Management > DSS Key Policies.
2. Click Create DSS Policy.
3. Provide a name and description.
4. Select a Key Type: RSA or DSA.
5. Enable encryption.
6. Select a password policy.
7. Click Create DSS Key Policy.