User key management for the secure shell (SSH)

US 10,003,458 B2
Filed: 12/21/2012
Issued: 06/19/2018
Est. Priority Date: 12/21/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

at least one processor; and

at least one memory including instructions which when executed by the at least one processor, cause the apparatus to manage security related keys, the security related keys being utilized between a first managed host having a client and a second managed host having a server,wherein, in order to manage the security related keys, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to;

install a security related key as an authorized security related key for the second managed host for securing communications with the first managed host, andwherein, in order to cause a security related key to be installed, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to;

insert a request to install the security related key as an authorized security related key in a pending request data set;

determine if a window where the request is allowed to be processed is open; and

after determining that the window where the request is allowed to be processed is open, process the request, the processing comprising sending a request to install the security related key for the second managed host,wherein the at least one memory includes further instructions which, when executed by the at least one processor, cause the apparatus to create a new passwordless login connection,wherein, in order to create the new passwordless login connection, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to;

add an identification of a certificate authority that is accepted for authentication in a configuration file used by a secure shell (SSH) implementation; and

add a principal name used in a certificate in the configuration file used by the SSH implementation to identify a user that is permitted to authenticate to an account using the certificate issued by the certificate authority.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Management of user keys for public key authentication using the SSH in large SSH deployments is automated by deploying a management system in the environment, discovering SSH identity keys and authorized keys, analyzing authorized connections between user accounts, and automatically managing the authorized connections and the key pairs used for authentication.

66 Citations

View as Search Results

28 Claims

1. An apparatus, comprising:
- at least one processor; and
  
  at least one memory including instructions which when executed by the at least one processor, cause the apparatus to manage security related keys, the security related keys being utilized between a first managed host having a client and a second managed host having a server,wherein, in order to manage the security related keys, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to;
  
  install a security related key as an authorized security related key for the second managed host for securing communications with the first managed host, andwherein, in order to cause a security related key to be installed, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to;
  
  insert a request to install the security related key as an authorized security related key in a pending request data set;
  
  determine if a window where the request is allowed to be processed is open; and
  
  after determining that the window where the request is allowed to be processed is open, process the request, the processing comprising sending a request to install the security related key for the second managed host,wherein the at least one memory includes further instructions which, when executed by the at least one processor, cause the apparatus to create a new passwordless login connection,wherein, in order to create the new passwordless login connection, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to;
  
  add an identification of a certificate authority that is accepted for authentication in a configuration file used by a secure shell (SSH) implementation; and
  
  add a principal name used in a certificate in the configuration file used by the SSH implementation to identify a user that is permitted to authenticate to an account using the certificate issued by the certificate authority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein, in order to manage the security related keys, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to create a private key to be for a first account, the security related key being a public key corresponding to the private key.
  - 3. The apparatus of claim 1, wherein the security related keys comprise SSH related keys, the client comprises a SSH client, the server comprises a SSH server and the request is sent to the host using the SSH protocol to connect to the host.
  - 4. The apparatus of claim 3, wherein, in order to manage the security related keys, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to discover information about user information sources for a plurality of computers.
  - 5. The apparatus of claim 1, wherein the installation of the security related key is performed in response to receiving a request to authorize a first account to log into a second account.
  - 6. The apparatus of claim 1, wherein, in order to manage the security related keys, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to revoke authorization of a first account to access a second account.
  - 7. The apparatus of claim 1, wherein, in order to manage the security related keys, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to renew a security related key pair used for public key authentication, wherein, in order to renew a security related key pair, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to:
    - create a new private key and adding it as an identity key on a host;
      
      copy a public key corresponding to the private key to the same places where a public key corresponding to the security related key pair being renewed is stored; and
      
      remove at least one public key corresponding to the security related key pair being renewed, wherein at least one of the security related keys is stored in a non-standard location.
  - 8. The apparatus of claim 1, wherein, in order to manage the security related keys, the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to configure an internet protocol (IP) address restriction for a public key in an authorized security related keys file, the IP address restriction containing those IP addresses from which the apparatus permits using the public key.
  - 9. The apparatus of claim 1, wherein the at least one memory includes further instructions which, when executed by the at least one processor, further cause the apparatus to:
    - receive a request to set up an authorized connection, the request comprising a restriction on what is allowed to be done using that connection; and
      
      include the restriction in all entries in authorized security related keys files added for that connection.
  - 10. The apparatus of claim 1, wherein the at least one memory includes further instructions which, when executed by the at least one processor, cause the apparatus to:
    - bring a provisioned virtual machine under management, comprising;
      
      receive authentication from the virtual machine; and
      
      send keys to the virtual machine based on its host group, the security related keys including at least one key selected from the group consisting of;
      
      a host key for another machine;
      
      a public user key that authorizes logging into the virtual machine from at least one account on at least one other machine using public key authentication; and
      
      a private key that authorizes the virtual machine to log into at least one other machine.

11. A method of managing security related keys, the security related keys being utilized between a first managed host having a client and a second managed host having a server, the method comprising:
- installing a security related key as an authorized security related key for the second managed host for securing communications with the first managed host, the installation including;
  
  inserting a request to install the security related key as an authorized security related key in a pending request data set;
  
  determining if a window where the request is allowed to be processed-is open; and
  
  after determining that the window where the request is allowed to be processed is open, processing the request, the processing comprising sending a request to install the security related key for the second managed host;
  
  creating a new passwordless login connection, the creating including;
  
  adding an identification of a certificate authority that is accepted for authentication in a configuration file used by a secure shell (SSH) implementation; and
  
  adding a principal name used in a certificate in the configuration file used by the SSH implementation to identify a user that is permitted to authenticate to an account using the certificate issued by the certificate authority.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the method further comprises causing a private key to be created for a first account, wherein the security related key is a public key corresponding to the private key.
  - 13. The method of claim 11, wherein the installation is performed in response to receiving a request to authorize a first account to log into a second account.
  - 14. The method of claim 11, wherein the method further comprises revoking authorization of a first account to access a second account.
  - 15. The method of claim 11, wherein the method further comprises renewing a security related key pair used for public key authentication, renewing the security related key pair including:
    - creating a new private key and adding it as an identity key on a host;
      
      copying a public key corresponding to the private key to the same places where a public key corresponding to the security related key pair being renewed is stored; and
      
      removing at least one public key corresponding to the security related key pair being renewed, wherein at least one of the security related keys is stored in a non-standard location.
  - 16. The method of claim 11, wherein the method further comprises configuring an internet protocol (IP) address restriction for a public key in an authorized security related keys file, the IP address restriction containing those IP addresses from which a management system permits using the public key.
  - 17. The method of claim 11, further comprising:
    - receiving a request to set up an authorized connection, the request comprising a restriction on what is allowed to be done using that connection; and
      
      including the restriction in all entries in authorized security related keys files added for that connection.
  - 18. The method of claim 11, further comprising bringing a provisioned virtual machine under management,wherein bringing provisioned virtual machine under management includes:
    - receiving authentication from the virtual machine; and
      
      sending keys to the virtual machine based on its host group, the security related keys including at least one key selected from the group consisting of;
      
      a host key for another machine;
      
      a public user key that authorizes logging into the virtual machine from at least one account on at least one other machine using public key authentication; and
      
      a private key that authorizes the virtual machine to log into at least one other machine.

19. A non-transitory computer readable medium comprising program code for causing a computer to perform:
- managing security related keys, said the security related keys utilized between a first managed host having a client and a second managed host having a server, wherein the managing comprises;
  
  installing a security related key as an authorized security related key for the second managed host for securing communications with the first managed host, the installing including;
  
  inserting a request to install the security related key as an authorized security related key in a pending request data set; and
  
  determining if a window where the request is allowed to be processed is open; and
  
  after determining that the window where the request is allowed to be processed is open, processing the request, the processing comprising sending a request to install the public key for the second managed host,wherein the computer program code further causes the computer to perform instructions for creating the new passwordless login connection, the creating comprising;
  
  adding an identification of a certificate authority that is accepted for authentication in a configuration file used by a secure shell (SSH) implementation; and
  
  adding a principal name used in a certificate in the configuration file used by the SSH implementation to identify a user that is permitted to authenticate to an account using the certificate issued by the certificate authority.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The non-transitory computer readable medium of claim 19, wherein the managing further comprises causing a private key to be created for a first account, wherein the security related key is a public key corresponding to the private key.
  - 21. The non-transitory computer readable medium of claim 19, wherein the program code causes the computer to perform instructions for sending the request using the SSH protocol to connect to the host.
  - 22. The non-transitory computer readable medium of claim 21, wherein the managing further comprises discovering information about user information sources for a plurality of computers.
  - 23. The non-transitory computer readable medium of claim 19, wherein the program code causes the computer to perform instructions for the causing installing in response to receiving a request to authorize a first account to log into a second account.
  - 24. The non-transitory computer readable medium of claim 19, wherein the managing further comprises revoking authorization of a first account to access a second account.
  - 25. The non-transitory computer readable medium of claim 19, wherein the managing further comprises renewing a security related key pair used for public key authentication, the renewing comprising:
    - creating a new private key and adding it as an identity key on a host;
      
      copying a public key corresponding to the private key to the same places where a public key corresponding to the security related key pair being renewed is stored; and
      
      removing at least one public key corresponding to the security related key pair being renewed, wherein at least one of the security related keys is stored in a non-standard location.
  - 26. The non-transitory computer readable medium of claim 19, wherein the managing further comprises configuring an internet protocol (IP) address restriction for a public key in an authorized security related keys file, the IP address restriction containing those IP addresses from which a management system permits using the public key.
  - 27. The non-transitory computer readable medium of claim 19, wherein the program code further causes the computer to perform instructions for:
    - receiving a request to set up an authorized connection, the request comprising a restriction on what is allowed to be done using that connection; and
      
      including the restriction in all entries in authorized security related keys files added for that connection.
  - 28. The non-transitory computer readable medium of claim 19, wherein the program code further causes the computer to perform instructions for bringing a provisioned virtual machine under management, comprising:
    - receiving authentication from the virtual machine; and
      
      sending keys to the virtual machine based on its host group, the security related keys including at least one key selected from the group consisting of;
      
      a host key for another machine;
      
      a public user key that authorizes logging into the virtual machine from at least one account on at least one other machine using public key authentication; and
      
      a private key that authorizes the virtual machine to log into at least one other machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Corp. (SSH Communications Security Oyj)
Original Assignee
SSH Communications Security Corp. (SSH Communications Security Oyj)
Inventors
Ylonen, Tatu J.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Le, Canh

Application Number

US13/723,204
Publication Number

US 20130117554A1
Time in Patent Office

2,006 Days
Field of Search

380282
US Class Current
CPC Class Codes

H04L 9/08   Key distribution or managem...

H04L 9/0891   Revocation or update of sec...

H04L 9/3268   using certificate validatio...

User key management for the secure shell (SSH)

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

66 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

User key management for the secure shell (SSH)

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links