Policy-Rule Types
This section describes the policy rules that are available in Key Manager. Note that the rule targets specify the sets of objects that may belong to the scope of the policy rules, and that policy rules may be further restricted by their settings.
For the SSH server algorithms policy and the SSH server configuration policy, the supported SSH server software is:
- OpenSSH
- Centrify SSH
- SunSSH
- Quest OpenSSH
- Attachmate
The Max auth tries subrule in the SSH server configuration policy checks only the maximum number of allowed tries for interactive authentication. The number of tries allowed for public key authentication is a separate option and is not checked by the policy.
Several of the algorithm keywords used by the Attachmate server are different from standard OpenSSH keywords. These are marked as (Attachmate only) in the SSH server algorithms policy.
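To make the two server-side policies concrete, here is an added example (not Key Manager code) that parses an OpenSSH `sshd_config` and evaluates it against an SSH server algorithms policy (Ciphers, KexAlgorithms, MACs, HostKeyAlgorithms, PubkeyAcceptedKeyTypes) and a Max auth tries subrule. The allowed algorithm sets, the limit of 3 tries and the sample configuration are all constructed for the illustration; the only OpenSSH facts relied on are that keywords are case-insensitive, that the first occurrence of a keyword wins, that directives after a `Match` line apply conditionally, and that `MaxAuthTries` defaults to 6.

```python
"""Added example: evaluate an sshd_config against a constructed algorithms
policy and a MaxAuthTries subrule. Not Key Manager code."""
import re

# Constructed policy: allowed values per sshd_config keyword (example values).
ALGORITHM_POLICY = {
    "Ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr"},
    "KexAlgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group16-sha512"},
    "MACs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
    "HostKeyAlgorithms": {"ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"},
    "PubkeyAcceptedKeyTypes": {"ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"},
}
MAX_AUTH_TRIES_LIMIT = 3      # constructed subrule value
OPENSSH_DEFAULT_MAX_AUTH_TRIES = 6

# Constructed sample sshd_config (deliberately contains weak entries).
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config for the example
Port 22
Ciphers aes256-gcm@openssh.com,aes128-cbc,3des-cbc
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
MACs hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-rsa
MaxAuthTries 10
MaxAuthTries 2
Match User backup
    MaxAuthTries 1
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    sshd keywords are case-insensitive and the first occurrence wins.
    Parsing stops at the first 'Match' line because everything after it
    applies only under that condition, which a host-wide check cannot assume.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+?)\s*$", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        config.setdefault(keyword, value)
    return config


def check_algorithms(config, policy=ALGORITHM_POLICY):
    """Return a list of (keyword, finding) for every policy keyword not satisfied."""
    findings = []
    for keyword, allowed in policy.items():
        value = config.get(keyword.lower())
        if value is None:
            findings.append((keyword, "not set; server defaults apply and are not checked here"))
            continue
        if value[0] in "+-^":
            # OpenSSH syntax that edits the default list; the result depends on
            # the server version's defaults, so it is reported rather than judged.
            findings.append((keyword, f"modifies the default list ({value}); resolve defaults first"))
            continue
        disallowed = [alg for alg in value.split(",") if alg not in allowed]
        if disallowed:
            findings.append((keyword, "disallowed: " + ",".join(disallowed)))
    return findings


def check_max_auth_tries(config, limit=MAX_AUTH_TRIES_LIMIT):
    """Return a finding string if MaxAuthTries exceeds the limit, else None."""
    value = config.get("maxauthtries")
    tries = int(value) if value is not None else OPENSSH_DEFAULT_MAX_AUTH_TRIES
    if tries > limit:
        return f"MaxAuthTries: {tries} exceeds policy limit {limit}"
    return None


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for keyword, finding in check_algorithms(cfg):
        print(f"{keyword}: {finding}")
    print(check_max_auth_tries(cfg))
```

Note the two deliberate edge cases: a second `MaxAuthTries 2` line does not rescue the configuration because sshd honours the first value, and the stricter value inside the `Match` block is ignored because it is conditional.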
| Rule name | Description | Rule targets |
|---|---|---|
| Cryptographic policy | Define the allowed cryptographic algorithms along with the allowed key sizes for each algorithm. SSH keys made with disallowed algorithms and/or disallowed sizes are flagged | Active authorized keys, and present private keys |
| Duplicate private keys | Flag all private keys of which more than one copy is present | Present private keys |
| Forbidden authorizations | Flag all authorized keys on the target hosts and their accounts | Active authorized keys |
| Forbidden private keys | Flag all private keys seen on the defined disallowed source hosts that match an authorized key on the target hosts | Present private keys |
| Forced command | Flag all authorized keys without a forced command. If a specific forced command is specified, all authorized keys without that command will be flagged | Active authorized keys |
| Host keys policy | Define the allowed cryptographic algorithms and specify the maximum age for SSH host keys | Hosts, and active host keys |
| Key age policy | Specify the maximum age for SSH keys. SSH keys older than the permitted key age are flagged | Active authorized keys, and present private keys |
| Key permissions policy | Validate the permissions of private key files and authorized key files, as well as of their containing folders, against the broadest permitted permission settings | Present authorized keys, present private keys, and their parent folders |
| Orphan authorized keys policy | Flag orphan authorized keys where there are no present private keys found in the environment | Authorized keys |
| SSH server algorithms policy | Define the Ciphers, KexAlgorithms, MACs, HostKeyAlgorithms, and PubkeyAcceptedKeyTypes values for the SSH server configuration | Hosts, and SSH software |
| SSH server configuration policy | Define the allowed SSH server configuration attribute values | Hosts, and SSH software |
| Segregation of duties | Specify the sources from which access to target hosts and accounts is permitted. Keys that may be used to gain access from unpermitted sources are flagged. In addition, if there are key-activity entries that indicate access from unpermitted sources, the keys associated to such key-activity entries are also flagged | Active authorized keys |
| Sign-off policy | Specify the signoff-validity period for user keys. Keys that have never been signed off are flagged. Keys that have not been signed off for more than the specified number of days are also flagged | Active authorized keys, and present private keys |
| Source restriction policy | Flag all authorized keys without a source restriction | Active authorized keys |
| Unused keys policy | Flag the authorizations that have not been used for a specified amount of time. Note that key usage is derived from key-activity data, and regular key-activity scans are required for this policy to provide accurate results. This policy can be set to ignore keys on hosts that have not been scanned for key activity recently | Active authorized keys |
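Three of the authorized-key rules above (Cryptographic policy, Forced command, Source restriction policy) can be evaluated from the `authorized_keys` line itself. The following added example (not Key Manager code) parses such lines, including quoted options that contain commas, decodes the key blob to obtain the RSA modulus size, and reports which of the three rules each line violates. The allowed key types, the 2048-bit RSA minimum and the three sample lines are constructed for the illustration; the sample RSA moduli are synthetic numbers built only to exercise the size check and are not usable keys.

```python
"""Added example: evaluate authorized_keys lines against constructed
Cryptographic, Forced command and Source restriction policies."""
import base64
import struct

# Constructed cryptographic policy (example values).
CRYPTO_POLICY = {"types": {"ssh-ed25519", "ssh-rsa"}, "rsa_min_bits": 2048}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data):
    """Encode an SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def build_rsa_blob(e, n):
    """Build a base64 ssh-rsa public key blob from integers (synthetic, for tests)."""
    def mpint(x):
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return base64.b64encode(ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


def decode_ssh_blob(blob_b64):
    """Split a base64 key blob into its wire-format string fields."""
    data, fields, off = base64.b64decode(blob_b64), [], 0
    while off < len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        fields.append(data[off:off + length])
        off += length
    return fields


def _split_first_field(line):
    """Split at the first whitespace that is not inside double quotes."""
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes:
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""


def parse_options(text):
    """Parse 'name=value' / flag options separated by unquoted commas."""
    opts, cur, in_quotes, i = {}, [], False, 0

    def flush():
        if cur:
            name, _, value = "".join(cur).partition("=")
            opts[name.lower()] = value if value else True
            cur.clear()
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quotes and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes       # quotes are delimiters, not content
        elif c == "," and not in_quotes:
            flush()
        else:
            cur.append(c)
        i += 1
    flush()
    return opts


def parse_authorized_key(line):
    """Return (options dict, key type, base64 blob, comment) for one line."""
    line = line.strip()
    first, rest = _split_first_field(line)
    options_text = "" if first.startswith(KEY_TYPE_PREFIXES) else first
    parts = (line if not options_text else rest).split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an authorized key line")
    return parse_options(options_text), parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def evaluate_line(line, policy=CRYPTO_POLICY, required_command=None):
    """Return (comment, set of rule names the line violates)."""
    options, keytype, blob, comment = parse_authorized_key(line)
    flagged = set()
    command = options.get("command")
    if command is None or (required_command and command != required_command):
        flagged.add("Forced command")
    if "from" not in options:
        flagged.add("Source restriction policy")
    fields = decode_ssh_blob(blob)
    if fields[0].decode() != keytype or keytype not in policy["types"]:
        flagged.add("Cryptographic policy")
    elif keytype == "ssh-rsa" and int.from_bytes(fields[2], "big").bit_length() < policy["rsa_min_bits"]:
        flagged.add("Cryptographic policy")
    return comment, flagged


# Constructed sample lines: synthetic RSA moduli of 2048 and 1024 bits, and an
# all-zero ed25519 public key, so the file is self-contained and not a real key.
RSA_2048 = build_rsa_blob(65537, (1 << 2047) | 1)
RSA_1024 = build_rsa_blob(65537, (1 << 1023) | 1)
ED25519 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
SAMPLE_AUTHORIZED_KEYS = [
    f'command="/usr/local/bin/backup.sh --dirs=a,b",from="10.0.0.0/8",no-pty ssh-rsa {RSA_2048} backup@host',
    f"ssh-rsa {RSA_1024} legacy@host",
    f'from="192.0.2.10" ssh-ed25519 {ED25519} deploy@host',
]

if __name__ == "__main__":
    for entry in SAMPLE_AUTHORIZED_KEYS:
        print(evaluate_line(entry))
```

The first line passes all three rules even though its forced command contains a comma, which is why the option parser tracks quoting rather than splitting on commas naively; the second line is flagged by all three rules; the third is flagged only for lacking a forced command.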