Optimizing Shell-Based Scans

Key Manager can perform an optimized shell-based scan on hosts that satisfy all of the following conditions:

  • The host is a Unix machine.

  • The host only runs OpenSSH and/or Tectia SSH products.

  • User keys are located in user-specific directories under a centralized location on the host, such as a root-owned directory. For example, if the centralized location on the host is /root/keys/, then the user keys for the user alice are located under /root/keys/alice/, and the user keys for the user bob are located under /root/keys/bob/.

  • For all SSH products on the host, all user-key locations specified in the SSH product configurations point to user-specific directories under the centralized key location.

note

The Key Manager key-relocation feature can be used for relocating keys and configuring SSH software in a way that supports optimized key scans. For instructions about using the key-relocation feature, see Relocating User Keys.

When the conditions are satisfied, Key Manager scans the user keys from the central directory as root, instead of scanning each user's keys from that user's home directory as the user. Key Manager can then skip users who do not have any user keys at all.
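To make the pruning condition concrete, the following is an added illustration written for this page; it is not Key Manager's own code and does not reproduce its internal logic. It models the idea in the conditions above: a configured key search path can be resolved with a single directory listing only when it has the form `<central-dir>/<user>/...`, where the user component is expressed with OpenSSH's `%u` token (an assumption about how the path template is written). A path that depends on the user's home directory (`%h`) or that lies outside the central directory forces a per-user scan. The sample directory layout (`alice`, `bob`, `carol`) is constructed inside a temporary directory so the example runs offline.

```python
"""Model of the "user pruning" check for optimized key scans (added example)."""
import os
import tempfile
from typing import List, Optional

USER_TOKEN = "%u"  # OpenSSH token for the user name
HOME_TOKEN = "%h"  # OpenSSH token for the user's home directory


def prunable_key_path(key_path: str, central_dir: str) -> bool:
    """True if key_path can be enumerated with one listdir of central_dir.

    Required shape: <central_dir>/%u/<something>. Anything home-relative
    (%h) or outside central_dir cannot be pruned this way.
    """
    central = central_dir.rstrip("/") + "/"
    if HOME_TOKEN in key_path:
        return False  # needs the home directory of every user
    if not key_path.startswith(central):
        return False  # not under the centralized key location
    parts = key_path[len(central):].split("/")
    # First component must be the user token and a file name must follow.
    return len(parts) >= 2 and parts[0] == USER_TOKEN


def users_with_keys(central_dir: str, key_paths: List[str]) -> Optional[List[str]]:
    """Return sorted users that own at least one key file under central_dir.

    Returns None when any configured path cannot be pruned, i.e. the host
    would need a regular per-user scan instead of the optimized one.
    """
    if not all(prunable_key_path(p, central_dir) for p in key_paths):
        return None
    users = []
    for entry in sorted(os.listdir(central_dir)):  # the single listdir
        if not os.path.isdir(os.path.join(central_dir, entry)):
            continue
        for template in key_paths:
            if os.path.exists(template.replace(USER_TOKEN, entry)):
                users.append(entry)
                break  # one hit is enough to keep this user in the scan
    return users


def build_sample_layout() -> str:
    """Create a constructed sample central key directory and return its path."""
    root = tempfile.mkdtemp(prefix="km-keys-")
    layout = {"alice": ["authorized_keys"], "bob": [], "carol": ["authorized_keys"]}
    for user, files in layout.items():
        os.makedirs(os.path.join(root, user))
        for name in files:
            with open(os.path.join(root, user, name), "w") as fh:
                # constructed placeholder, not a real key
                fh.write("ssh-ed25519 AAAA-constructed-sample-key %s\n" % user)
    return root


if __name__ == "__main__":
    root = build_sample_layout()
    good = [root + "/%u/authorized_keys"]
    print("optimized scan, users to scan:", users_with_keys(root, good))
    mixed = good + ["%h/.ssh/authorized_keys"]
    print("with a home-relative path:", users_with_keys(root, mixed))
```

With only the central path configured, the function returns `['alice', 'carol']` (bob has a directory but no key file, so the scan skips him, which is the pruning described above). Adding a `%h`-based path yields `None`, the analogue of the "can't optimize key scan" log entry: one non-prunable path for any SSH product on the host is enough to fall back to the regular scan.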

You can check the job logs of host-scan jobs to determine whether a host is scanned using optimized key scans. To do this:

  1. In the GUI, on the Logs → Jobs page, find the most recently finished scan-host job for the host. We recommend filtering by Job type (Scan host) and Hostname to help find the correct job record.

  2. Perform a View Full Log action on the target scan job. This displays the job log.

  • If the host is scanned using the optimized key scan, the job log contains an entry like the following:
    All key search paths for product openssh-client are compatible with user pruning, scanning only 202 users for keys
  • If the host is scanned using the regular scan, the job log contains an entry like the following:
    Unable to list users having key path "%h/.ssh/authorized_keys" for product openssh-server with single listdir, can't optimize key scan.