Keys Detected by Key Manager

During full scans, Key Manager finds and updates information about user keys in SSH-client and server configuration.

If the Scan ~/.ssh directory host setting is enabled, then all the key files under the users' ~/.ssh directories are scanned, regardless of whether they are in configuration.

If the Scan user-specific OpenSSH client configurations host setting is enabled, then the file locations specified in user-specific OpenSSH client configurations are scanned as well.

Default Key Locations in SSH Configurations

For OpenSSH-related (OpenSSH, SunSSH, Quest SSH) hosts:

  • Private-key locations are specified in the global OpenSSH client configuration file (typically /etc/ssh/ssh_config). By default, the locations are:
      IdentityFile $HOME/.ssh/identity
      IdentityFile $HOME/.ssh/id_rsa
      IdentityFile $HOME/.ssh/id_dsa
      IdentityFile $HOME/.ssh/id_ecdsa
      IdentityFile $HOME/.ssh/id_ed25519

The specified identity files (private keys) and their corresponding public-key files are detected. When the Key Manager back-end setting Scan user-configured private keys is enabled, IdentityFile locations specified in users' private client-configuration files (at ~/.ssh/config) are also scanned for private keys.

  • Authorized-key locations are specified in the OpenSSH server configuration file (typically /etc/ssh/sshd_config). By default, the locations are:
      AuthorizedKeysFile .ssh/authorized_keys
      AuthorizedKeysFile .ssh/authorized_keys2

On Tectia and Attachmate RSIT hosts, user keys are by default located under the $HOME/.ssh2/ directory.

note

The OpenSSH IdentityFile paths $HOME/.ssh/id_ecdsa and $HOME/.ssh/id_ed25519 were added to the defaults in OpenSSH versions 5.7 and 6.7 respectively. The AuthorizedKeysFile path .ssh/authorized_keys2 is not present by default on all versions of OpenSSH-related server products.

Custom Key Locations to Search for Private Keys

You can define a list of custom locations per user account to look for private keys. The custom locations are defined in the host settings under the setting Custom locations to search for private keys (for more information about the related host setting, see Host Settings).

note

Only script-based scans will scan the custom private key locations.

If a folder listed in the Custom locations to search for private keys setting has already been scanned and is later deleted, Key Manager marks the keys found there as deleted without scanning the folder again.

For custom locations to be scanned, you must also make sure the host setting Scan ~/.ssh directory is set to Yes.
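The following script is an added example, not Key Manager's own code, illustrating the discovery logic described in both sections above: it resolves IdentityFile directives from the global and user-specific OpenSSH client configuration, AuthorizedKeysFile directives from the server configuration, falls back to the OpenSSH defaults when a directive is absent, expands the $HOME/~/%h/%u path tokens, and appends any per-user custom locations. The configuration texts, the home directory /home/alice and the user name alice are constructed sample input; the function names are this example's own.

```python
"""Resolve the SSH key file locations implied by OpenSSH configuration.

Added example (not part of Key Manager). Given ssh_config / sshd_config text
and a user's home directory, it returns the concrete private-key, public-key
and authorized-keys paths a key scan would visit for that account.
"""
import posixpath
import re
import shlex

# OpenSSH client defaults used when no IdentityFile directive is configured.
DEFAULT_IDENTITY_FILES = [
    "~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa",
    "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519",
]
# OpenSSH server defaults used when no AuthorizedKeysFile directive is configured.
DEFAULT_AUTHORIZED_KEYS_FILES = [".ssh/authorized_keys", ".ssh/authorized_keys2"]


def directive_values(config_text, keyword):
    """Return every value given for `keyword` (keywords are case-insensitive in
    OpenSSH), skipping comments and blank lines. Values inside Host/Match
    blocks are included on purpose: an inventory wants every location a
    client may use, not only those active for one destination."""
    values = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # OpenSSH accepts "Keyword value", "Keyword=value" and "Keyword = value".
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m or m.group(1).lower() != keyword.lower():
            continue
        # AuthorizedKeysFile may list several paths; shlex honours quoting.
        values.extend(shlex.split(m.group(2)))
    return values


def expand_path(path, home, user, base_dir=None):
    """Expand ~, $HOME and the OpenSSH tokens %h / %d (home), %u (user) and %%,
    then anchor a relative path at base_dir (sshd resolves a relative
    AuthorizedKeysFile against the user's home directory)."""
    path = (path.replace("%%", "\x00").replace("%h", home).replace("%d", home)
                .replace("%u", user).replace("\x00", "%"))
    path = path.replace("${HOME}", home).replace("$HOME", home)
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    if base_dir is not None and not posixpath.isabs(path):
        path = posixpath.join(base_dir, path)
    return posixpath.normpath(path)


def key_locations(ssh_config_text, sshd_config_text, home, user,
                  user_config_text="", custom_locations=()):
    """Compute the key paths a scan would check for one account.
    `user_config_text` stands in for the user's ~/.ssh/config (only consulted
    when the caller opts in, like the 'Scan user-configured private keys'
    setting); `custom_locations` are extra private-key paths per account."""
    identities = directive_values(ssh_config_text, "IdentityFile") or list(DEFAULT_IDENTITY_FILES)
    identities += directive_values(user_config_text, "IdentityFile")
    identities += list(custom_locations)
    authorized = directive_values(sshd_config_text, "AuthorizedKeysFile") or list(DEFAULT_AUTHORIZED_KEYS_FILES)
    # "AuthorizedKeysFile none" disables file-based authorized keys entirely.
    authorized = [a for a in authorized if a.lower() != "none"]

    private_keys = []
    for p in identities:
        full = expand_path(p, home, user)
        if full not in private_keys:
            private_keys.append(full)
    # Every private key is paired with a public-key file carrying the .pub suffix.
    public_keys = [p + ".pub" for p in private_keys]
    authorized_keys = []
    for p in authorized:
        full = expand_path(p, home, user, base_dir=home)
        if full not in authorized_keys:
            authorized_keys.append(full)
    return {"private_keys": private_keys, "public_keys": public_keys,
            "authorized_keys": authorized_keys}


# Constructed sample configurations; they do not come from any real host.
SAMPLE_SSH_CONFIG = """
# Global client config: the default id_rsa plus one extra deployment key.
Host *
    IdentityFile ~/.ssh/id_rsa
    IdentityFile $HOME/.ssh/deploy_key
"""
SAMPLE_SSHD_CONFIG = """
Port 22
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u/authorized_keys
"""
SAMPLE_USER_CONFIG = """
Host bastion
    IdentityFile ~/.ssh/bastion_ed25519
"""


def demo():
    """Resolve locations for the constructed user 'alice' with one custom path."""
    return key_locations(SAMPLE_SSH_CONFIG, SAMPLE_SSHD_CONFIG, home="/home/alice",
                         user="alice", user_config_text=SAMPLE_USER_CONFIG,
                         custom_locations=["$HOME/keys/legacy_rsa"])


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind)
        for path in paths:
            print("   ", path)
```

Running the script lists the files a scan would visit for the sample account; the authorized-keys entries show how a relative sshd path is anchored at the home directory while an absolute %u path is expanded in place. Calling key_locations("", "", "/home/bob", "bob") yields the pure OpenSSH defaults from the section above, which is the case of a stock ssh_config whose IdentityFile lines are all commented out.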