Key Review Examples
This section includes examples of how to perform various key review tasks using Key Manager. The examples cover the common use cases related to user key review. The covered use cases are not an exhaustive listing of all the user key-review tasks that can be performed through Key Manager.
Finding user keys that are on certain host(s)
In order to find all the user keys on certain hosts, you must find the private keys and the authorized keys on those hosts.
To find all private keys on a host, navigate to the User keys→Private keys page. Add the filter criteria Hostname and provide it with the host name. To find all the private keys belonging to a certain host group, click the Host Groups below the filter panel, and select the desired host group. To find all the private keys belonging to hosts with a certain tag, you can use the filter criteria Host tags with the name of the tag.
To find all authorized keys on a host, in a host group, or on hosts with a certain tag, navigate to the User keys→Authorized keys page and perform the same filtering actions you would for private keys.
Finding unmanaged user keys
The management state of a user key is unmanaged if the key has been found on, or set up on, a managed host by means other than the Key Manager system. Such keys may appear if some of the keys on a host were not found while the host was in the monitored state, for example when keys are located on network drives that have been unavailable for some time. In other cases, such keys may have been set up manually without Key Manager, which may indicate that somebody is making unauthorized changes to the managed environment. Therefore, we recommend periodically reviewing the unmanaged keys in your managed environment.
To find all unmanaged user keys, navigate to the User keys→Private keys page for private keys, or to the User keys→Authorized keys page for authorized keys. On the page, specify the filter criteria Fingerprint management state with the value Unmanaged.
Finding user keys by owner (such as root)
To find all user keys owned by root, navigate to the User keys→Private keys page for private keys, or to the User keys→Authorized keys page for authorized keys. On the page, specify the filter criteria Username, and provide it with the value root.
Finding authorizations by source and/or destination
You can use filters to display authorizations by source (private key location) and/or destination (authorized key location). These instructions are to be performed on the User keys→Private keys page.
To find all authorizations from the host server01.example.com, add a filter criteria Private key hostname and provide it with the value server01.example.com.
To find all authorizations to the host server02.example.com, add a filter criteria Authorized key hostname and provide it with the value server02.example.com.
You can specify the source and destination using host groups as well, by using Private key host group and Authorized key host group filters respectively. For example, to find the authorizations that go from the host group "Server Group 01" to the host group "Server Group 02", specify the following two filter criteria:
- Specify the source hosts by adding the filter criteria Private key host group with the value "Server Group 01"
- Specify the destination hosts by adding the filter criteria Auth key host group with the value "Server Group 02"
Tip: If you want to find all authorizations between two host groups, you will have to find all the authorizations from group 1 to group 2, and additionally find all the authorizations from group 2 to group 1.
Hiding authorizations with unknown private keys
When reviewing authorizations on the User keys→Authorizations page, you can use filters to hide the authorizations with unknown source or destination.
To hide the authorizations with unknown destinations, add the Authorized key status filter with the value Active (is on host and is in config).
Similarly, to hide the authorizations with unknown sources, add the Private key status filter with the value Active (is on host and is in config).
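As an added example (not Key Manager's own code or API), the Python below models the review logic from the sections above over a constructed key inventory: private and authorized keys are paired by fingerprint into authorizations, filtered by source and destination host group in both directions, authorizations with an unknown or inactive source or destination are hidden, and unmanaged private keys are listed. The Key class, host names and fingerprints are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    host: str
    user: str
    fingerprint: str      # fingerprint shared by a private key and its public half
    active: bool          # True = still on the host and in config (the page's "Active" status)
    managed: bool = True  # False = found on the host but not set up through the key manager

# Constructed inventory; host names and fingerprints are made up for this example.
HOST_GROUPS = {
    "Server Group 01": {"server01.example.com", "server03.example.com"},
    "Server Group 02": {"server02.example.com"},
}
PRIVATE_KEYS = [
    Key("server01.example.com", "deploy", "SHA256:aaa", True),
    Key("server03.example.com", "root", "SHA256:bbb", True, managed=False),
    Key("server02.example.com", "backup", "SHA256:ccc", False),   # no longer on the host
]
AUTHORIZED_KEYS = [
    Key("server02.example.com", "deploy", "SHA256:aaa", True),   # server01 -> server02
    Key("server02.example.com", "root", "SHA256:bbb", True),     # server03 (unmanaged key) -> server02
    Key("server01.example.com", "backup", "SHA256:ccc", True),   # source key inactive
    Key("server01.example.com", "ops", "SHA256:ddd", True),      # no private key known: unknown source
]

def authorizations(private_keys, authorized_keys):
    """Pair each authorized key with every private key of the same fingerprint.
    An authorized key with no matching private key gives an authorization whose source is None."""
    by_fp = {}
    for pk in private_keys:
        by_fp.setdefault(pk.fingerprint, []).append(pk)
    return [(src, ak) for ak in authorized_keys for src in by_fp.get(ak.fingerprint, [None])]

def by_host_group(auths, src_group=None, dst_group=None):
    """Keep authorizations whose source/destination host is in the given host group(s)."""
    src_hosts = HOST_GROUPS.get(src_group, set()) if src_group else None
    dst_hosts = HOST_GROUPS.get(dst_group, set()) if dst_group else None
    return [(s, d) for s, d in auths
            if (src_hosts is None or (s is not None and s.host in src_hosts))
            and (dst_hosts is None or d.host in dst_hosts)]

def between_groups(auths, group1, group2):
    """Both directions, as the tip on host-group filtering describes."""
    return by_host_group(auths, group1, group2) + by_host_group(auths, group2, group1)

def active_only(auths):
    """Hide authorizations whose private or authorized key is unknown or not Active."""
    return [(s, d) for s, d in auths if s is not None and s.active and d.active]

def unmanaged_private_keys(private_keys):
    """Private keys that were found on a host but not set up through the key manager."""
    return [pk for pk in private_keys if not pk.managed]
```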