
Choosing the Best Scan Method

This section describes the relative merits of the scan methods supported by Key Manager: shell-based scans and script-based scans.

Shell-based scans

Key Manager runs commands over management connections to gather host data.

Advantages

  • Supported on both agentless and agent-based hosts.

Disadvantages

  • Slow compared to script-based scans, though performance can be improved on hosts with relocated keys (see Optimizing Shell-Based Scans).

  • Writes unchanged items to the database as well as changed ones, which adds database load.

  • Unable to distinguish network-shared keys.

Script-based scans

Automatically execute the Key Manager host utility on target hosts to gather data, and import it to Key Manager.

Script-based-scan setup is described in Enabling Script-Based Scans.

Advantages

  • More efficient on hosts with thousands or more users: possibly 10 to 100 times faster than shell-based scans.

  • Low database traffic: only objects that have changed since the previous scan are updated.

  • Can detect users from network directories, and SSH keys from NFS locations. Can also determine which users and keys are from network locations.

Disadvantages

  • Scan-data import imposes additional load on front ends. You may need to deploy additional Key Manager front ends.

  • Only supported on agentless Unix hosts.

  • Only supports Full scans.

  • The Key Manager host utility must be distributed to target hosts.

    To run the host utility, target hosts must have:

    Hosts using the offline-scan method have the following additional requirements:

    • Unix platforms must have a minimum supported version of Python 1.5 or later.

    • Windows platforms must be installed with the following:

      • .Net version 4 (Client Profile or Full Framework).

      • CLR version 4.

Offline scans

Manually execute the Key Manager host utility on target hosts to gather data, and import it to Key Manager.

Offline-scan setup is described in Host Discovery with Offline Scans.

Advantages

  • Scan a host without having to deploy it: no need to configure management accounts or Key Manager agents.

  • Can be used to quickly discover a host, before deciding whether it should be deployed.

Disadvantages

  • Host must still be deployed to enable management actions.

  • The Key Manager host utility must be manually distributed to target hosts. Resulting scan data must be manually imported to Key Manager.

    To run the host utility, target hosts must have:

    Hosts using the offline-scan method have the following additional requirements:

    • Unix platforms must have a minimum supported version of Python 1.5 or later.

    • Windows platforms must be installed with the following:

      • .Net version 4 (Client Profile or Full Framework).

      • CLR version 4.

Enabling Script-Based Scans

In script-based scans, Key Manager scans hosts by running the Key Manager host utility on them.

To enable script-based scans on host(s):

  1. Set up the host utility in either of the following ways:

    • Allow Key Manager to automatically upload the host utility. To do this, enable the host setting Update host script automatically as needed. Ensure the directory part of the Host script path (/var by default) is readable and writable by the management account.

    • Manually upload the host utility to the Host script path. Ensure the directory part of the Host script path (/var by default) is readable by the management account.

      Also ensure that the host utility has correct permissions (replace sshmgr with the management-account name, replace /var/sshmgr-host-script with your Host script path):

      # chown sshmgr:sshmgr /var/sshmgr-host-script
      # chmod 755 /var/sshmgr-host-script

      The host utility ssh-mgr-host-utility.sh can be obtained from the host utility package sshmgr-host-utility-*.zip.

  2. If you have placed the host-utility script somewhere else than the default path /var/sshmgr-hostscript:

    • Configure the host setting Host script path to point to where the host utility is/will be on target hosts.

    • If using an unprivileged management account with sudo, also correct the path in the SSHUKM_HOST_UTILITY alias in the sudoers file.

  3. For hosts with network users, you may set the host setting Full scan type to control whether network users and their keys are scanned. For more information about the Full scan type setting, see Host Settings.

  4. To switch to script-based scans (instead of shell-based scans), enable the host setting Execute jobs using a script copied to the host, instead of over interactive SSH connection.

    Target hosts are now configured to use script-based scans whenever Full scans are performed.

    Key Manager Back Ends periodically poll hosts, and the script-based scans they trigger are executed on Key Manager Front Ends. By default, a Back End randomly chooses a Front End to perform the script-based scan. However, in larger Key Manager deployments where some Front-End/Back-End servers are notably closer to each other than others, you may set up preferred Front-End/Back-End clusters. This is done using tags:

    1. On System→Management Servers, select a Back End for which you want to set up preferred Front Ends, then in its action menu, select Tag.

      Enter a new tag for the Back End.

    2. Back on System→Management Servers, select a Front End that should be preferred, then in the action menu, select Tag.

      Provide the same tag to the Front End. Repeat this for all preferred Front Ends.

    With this configuration, any script-based scans started by the tagged Back End will primarily be run on one of the similarly-tagged Front Ends. If none of the tagged Front Ends is reachable, the script-based scan falls back to executing on any other Front End.

Enabling Shell-Based Scans

To convert a host to using shell-based scans, disable the host setting Execute jobs using a script copied to the host, instead of over interactive SSH connection.

New hosts default to using shell-based scans.