Can You Manage SSH Keys in Microsoft® Active Directory®?

Can you manage SSH keys in Microsoft® Active Directory®? Well, we’d like to say that the short answer is yes, but it isn’t nearly that simple. Modifying Active Directory (MAD or AD) to act as a store for SSH public keys takes significant time and effort. It is possible, but painful.

The Importance of SSH Key Management

In an era where AWS® and Google Cloud Platform are so popular, SSH key management has become a critical part of what an identity provider should do. IT admins and DevOps engineers either manually manage SSH access or rely on configuration management tools such as Chef, Puppet, and many others to distribute public keys. While both of these options are viable, they come with significant hassle and issues.

So, given that Active Directory is one of the more widely used identity providers, shouldn’t it be able to manage SSH keys natively? Well, in practice, AD SSH key management is a lengthy process, with several steps requiring painstaking care from both the admin and the engineer. Managing SSH keys in AD includes extending the AD Schema, which can be a troublesome task for even the savviest of admins. The process gets even more tedious if the end user is working from a Mac® or Linux® workstation.

Limitations of SSH Keys in AD

Once the SSH keys are up and running in AD, however, there are still some limitations. Ultimately, Active Directory requires admins to create scripts to facilitate their SSH key management. While they allow for complete customizability, SSH key management scripts have a checklist of considerations in order to ensure that the SSH keys being managed are properly secure and, most of all, usable. These include binding user identities to LDAP via Kerberos, leveraging the TLS protocol for key transfer, caching user keys on a per-user basis, SSH key event logging and more. When you boil it down, managing SSH keys in Active Directory can be quite the hassle.
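To make that checklist concrete, here is an added example (written for this page, not JumpCloud's or Microsoft's code) of the kind of script sshd would run as its AuthorizedKeysCommand: it fetches a user's keys from an AD attribute over LDAPS with a Kerberos (GSSAPI) bind, validates each value, keeps a per-user cache for when the domain controller is unreachable, and logs rejections and failures. The attribute name sshPublicKey, the directory name, base DN and cache path are assumptions, as is a Kerberos credential cache on the host for ldapsearch to bind with.

```python
import logging, os, re, subprocess, sys

# Assumed (not from the post): the schema was extended with a multi-valued attribute
# sshPublicKey (openssh-lpk convention); DC name, base DN and cache path are placeholders.
KEY_ATTR = "sshPublicKey"
LDAP_URI = "ldaps://dc.example.com"   # LDAPS: TLS protects keys in transit
BASE_DN = "DC=example,DC=com"
KEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( \S.*)?$")
log = logging.getLogger("ad-ssh-keys")

def parse_ldif_keys(ldif: str) -> list:
    """Unfold LDIF continuation lines; keep only values that are well-formed public keys."""
    lines = re.sub(r"\n ", "", ldif).splitlines()   # ldapsearch wraps long values at 78 cols
    values = [l.split(": ", 1)[1].strip() for l in lines if l.startswith(KEY_ATTR + ": ")]
    keys = []
    for value in values:                  # base64-encoded ('::') values are out of scope here
        if KEY_RE.match(value):           # rejects option prefixes such as command= and junk
            keys.append(value)
        else:
            log.warning("rejected malformed %s value", KEY_ATTR)
    return keys

def query_ad(user: str) -> str:
    """Look the user up over LDAPS, binding with the host's Kerberos ticket (GSSAPI)."""
    cmd = ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", LDAP_URI, "-b", BASE_DN,
           "(&(objectClass=user)(sAMAccountName=%s))" % user, KEY_ATTR]  # user validated by caller
    return subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=10).stdout

def keys_for(user: str, fetch=query_ad, cache_dir="/var/cache/ad-ssh-keys") -> list:
    """Serve keys from AD and refresh the per-user cache; fall back to it when AD is down."""
    if not re.fullmatch(r"[a-z_][a-z0-9_.-]{0,31}", user):  # keeps LDAP filter and cache path safe
        raise ValueError("refusing unsafe username")
    cache = os.path.join(cache_dir, user)  # cache dir: root-owned, one file per user
    try:
        keys = parse_ldif_keys(fetch(user))
    except Exception as exc:
        log.error("AD lookup for %s failed (%s); serving cached keys", user, exc)
        try:
            with open(cache) as f:
                return [l for l in f.read().splitlines() if l]
        except OSError:
            return []                     # no cache either: deny, never guess
    try:
        with open(cache, "w") as f:
            f.write("\n".join(keys) + "\n")
    except OSError as exc:
        log.warning("could not refresh cache for %s: %s", user, exc)
    return keys
if __name__ == "__main__":                # sshd passes the login name as %u
    print("\n".join(keys_for(sys.argv[1])))
```

Point sshd at it with `AuthorizedKeysCommand /path/to/script %u` and a dedicated `AuthorizedKeysCommandUser` that is the only account able to write the cache directory.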

The good news is that there is a modern approach to SSH key management that is an alternative to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.