SECURE SHELL PUBLIC KEY AUDIT SYSTEM

US 20180176199A1
Filed: 12/05/2017
Published: 06/21/2018
Est. Priority Date: 01/22/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more communication interfaces to communicate with one or more client devices;

one or more processors; and

computer-readable storage media storing computer-executable instructions, which when executed by the one or more processors, cause the one or more processors to perform operations comprising;

receive a request to open a secure communication channel from a client device associated with an individual, the request including information generated based at least in part on a private key associated with the individual;

authenticate the request based at least in part on a public key associated with the individual;

receive a registration code from the client device corresponding to the individual;

attempt to validate the registration code by determining whether the registration code is valid for the individual; and

mark the public key for further investigation responsive to determining that the registration code is invalid for the individual.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for auditing authorized key files associated with secure shell (SSH) servers is disclosed. In an example, the system may include a purpose-built SSH audit server. The SSH audit server may be configured to receive an authorized key file and a list of users. The SSH audit sever may generate and provide unique registration codes for each of the users in the list. The SSH audit server may associate particular users with particular public keys as each of the users accesses the SSH audit server using a public key and inputs a registration code.

5 Citations

20 Claims

1. A system, comprising:
- one or more communication interfaces to communicate with one or more client devices;
  
  one or more processors; and
  
  computer-readable storage media storing computer-executable instructions, which when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receive a request to open a secure communication channel from a client device associated with an individual, the request including information generated based at least in part on a private key associated with the individual;
  
  authenticate the request based at least in part on a public key associated with the individual;
  
  receive a registration code from the client device corresponding to the individual;
  
  attempt to validate the registration code by determining whether the registration code is valid for the individual; and
  
  mark the public key for further investigation responsive to determining that the registration code is invalid for the individual.
- View Dependent Claims (2, 3, 5)
- - 2. The system of claim 1, the request includesa request to open a secure communication channel from the client device, the operations further comprising:
    - open the secure communication channel;
      
      request input of one of a plurality of registration codes;
      
      in response to requesting input of the one of the plurality of registration codes, receiving the registration code from the client device; and
      
      associate the individual with the public key.
  - 3. The system of claim 2, the operations further comprising identify the registration code as valid by matching the registration code with a registration code of the plurality of registration codes.
  - 5. The system of claim 2, the operations further comprisingidentify the registration code as invalid by failing to match the particular registration code with any of the plurality of registration codes;
    - andremove the public key from an authorized key file.

4. (canceled)

6. (canceled)

7. A method, comprising:
- generating, at an audit server, a unique registration code;
  
  associating the unique registration code with a user;
  
  sending the unique registration code to a client device of the user;
  
  receiving a public key and a request to open a communication channel from the client device;
  
  establishing the communication channel based at least in part on the public key;
  
  receiving an input of a registration code from the client device;
  
  attempt to validate the registration code by determining whether the registration code corresponds to the unique registration code; and
  
  mark the public key for further investigation responsive to determining that the registration code does not correspond to the unique registration code.
- View Dependent Claims (8, 10, 11, 12)
- - 8. The method of claim 7, further comprising:
    - generating a second unique registration code;
      
      associating the second unique registration code with a second user;
      
      sending the second unique registration code to a second client device of the second user;
      
      receiving a second request to open a second communication channel from the second client device;
      
      establishing the second communication channel based at least in part on a second public key;
      
      receiving a second input of the second unique registration code from the second client device; and
      
      associating the second user with the second public key based at least in part on receiving the second unique registration code via the second communication channel.
  - 10. The method of claim 7, further comprising sending a login credential to the client device to establish the communication channel with the audit server.
  - 11. The method of claim 7, wherein the communication channel includes a secure shell.
  - 12. The method of claim 7, further comprising:
    - receiving, prior to generating the unique registration code, an authorized key file associated with a server being audited, the authorized key file including the public key; and
      
      receiving, prior to generating the unique registration code, contact information associated with a plurality of individuals authorized to access the server, the plurality of individuals including the user.

9. (canceled)

13. One or more non-transitory computer-readable storage media configured to store computer-executable instructions, which when executed by one or more processors, cause a system to perform operations comprising:
- generate a plurality of registration codes, a registration code of the plurality of registration codes associated with a user;
  
  send the registration code to a client device of the user;
  
  receive an input of a registration code over a communication channel established based in part on a public key;
  
  attempt to validate the registration code by determining whether the registration code is valid for the user; and
  
  mark the public key for further investigation responsive to determining that the registration code is invalid for the user.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The one or more non-transitory computer-readable storage media of claim 13, wherein execution of the instructions further cause the system to receive, prior to generating the registration code, contact information associated with a plurality of individuals authorized to access a server being audited, the plurality of individuals including the user.
  - 16. The one or more non-transitory computer-readable storage media of claim 13, wherein execution of the instructions further cause the system to receive, prior to generating the plurality of registration codes, an authorized key file associated with a server being audited, the authorized key file including the public key.
  - 17. The one or more non-transitory computer-readable storage media of claim 13, wherein execution of the instructions further cause the system to:
    - receive a request to open the communication channel from the client device; and
      
      establish the communication channel based at least in part on the public key.
  - 18. The one or more non-transitory computer-readable storage media of claim 13, wherein the computer-readable storage media is a resource associated with a secure shell audit server.
  - 19. The one or more non-transitory computer-readable storage media as recited in claim 13, wherein execution of the instructions further cause the system to generate a list of registered public keys, the list of registered public keys including the public key and an indication of the user as an owner of the public key.
  - 20. The one or more non-transitory computer-readable storage media as recited in claim 19, wherein execution of the instructions further cause the system to provide the list of registered public keys to an administrator system after a predetermined period of time has elapsed.

14. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Quest Software, Inc.
Inventors
Peterson, Matthew Todd

Granted Patent

US 10,681,026 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/065   for group communications cr...

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/168   above the transport layer

SECURE SHELL PUBLIC KEY AUDIT SYSTEM

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE SHELL PUBLIC KEY AUDIT SYSTEM

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links