By Zach DeMeyer Posted October 7, 2018
Can you manage SSH keys in Microsoft® Active Directory®? Well, we’d like to say that the short answer is yes, but it isn’t nearly that simple. To modify Active Directory (MAD or AD) to be an SSH key public store takes some significant time and effort. It is possible, but painful.
The Importance of SSH Key Management
In an era where AWS® and Google Cloud Platform are so popular, SSH key management has become a critical part of what an identity provider should do. IT admins and DevOps engineers either manually manage SSH access or rely on configuration management tools such as Chef, Puppet, and many others to distribute public keys. While both of these options are viable, they come with significant hassle and issues.
So, given that Active Directory is one of the more widely used identity providers, shouldn’t it be able to succinctly manage SSH keys? Well, in practice, AD SSH key management is a lengthy process, with several steps requiring painstaking care from both the admin and the engineer. Managing SSH keys in AD includes extending the AD Schema, which can be a troublesome task for even the savviest of admins. The process gets even more tedious if the end user is leveraging a Mac® or Linux® workstation.
Limitations of SSH Keys in AD
Once the SSH keys are up and running in AD, however, there are still some limitations. Ultimately, Active Directory requires admins to create scripts to facilitate their SSH key management. While they allow for complete customizability, SSH key management scripts have a checklist of considerations in order to ensure that the SSH keys being managed are properly secure and, most of all, usable. These include binding user identities to LDAP via Kerberos, leveraging the TLS protocol for key transfer, caching user keys on a per-user basis, SSH key event logging and more. When you boil it down, managing SSH keys in Active Directory can be quite the hassle.
The good news is that there is a modern approach to SSH key management that is an alternative to Active Directory. Not only can this cloud directory service be a public SSH key store, but it also can be an identity provider for the cloud era. IT admins and DevOps engineers can centralize an identity and securely manage and connect users to their IT resources.
SSH Key Management with JumpCloud
This solution is called JumpCloud® Directory-as-a-Service®. Directory-as-a-Service (DaaS) utilizes agent-based endpoint management to create a basis for unified user identities. With regards to SSH key management, DevOps engineers can create and manage their SSH key access entirely on their own. Once they have generated their SSH key pair, they can upload the public key to their JumpCloud User Portal account. This key is then automatically disseminated across all systems they have access to that require SSH key authentication. When it’s time to rotate SSH keys, the user just has to follow the same process, and the new keys are automatically dispersed to the necessary systems. Additionally, IT admins can maintain these keys remotely via the JumpCloud Admin console, and subsequently deactivate these keys at the same time of deactivating the associated user account during offboarding. This feature ensures that keys that are no longer in use remain inactive, cutting off potential attack vectors.
So, can you manage SSH keys in Active Directory? Not easily, but you can with JumpCloud Directory-as-a-Service. To learn more about Directory-as-a-Service’s SSH key management, as well as a host of other features the platform offers, feel free to contact our support team or check out our YouTube channel. As always, you can sign up for JumpCloud to get the most out of the DaaS product. Signing up includes ten users forever, and is completely free.