Managing credentials in a computer system

US 9,832,177 B2
Filed: 02/24/2017
Issued: 11/28/2017
Est. Priority Date: 12/21/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a management host comprising a first processor and a first memory storing instructions that, when executed, manage credentials, said credentials being utilized between a first managed host comprising a second memory storing instructions that perform functions of a client and a second managed host comprising a third memory storing instructions that perform functions of the server, and storage of credentials for at least one of the first managed host and the second managed host being arranged externally from the first managed host and the second managed host,wherein the instructions stored in the first memory, when executed, cause information to be discovered about the first managed host and the second managed host by collecting the information about the first managed host and the second managed host and automatic management of the credentials for at least one of the first managed host and the second managed host based on the collected information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Citations

21 Claims

1. An apparatus, comprising:
- a management host comprising a first processor and a first memory storing instructions that, when executed, manage credentials, said credentials being utilized between a first managed host comprising a second memory storing instructions that perform functions of a client and a second managed host comprising a third memory storing instructions that perform functions of the server, and storage of credentials for at least one of the first managed host and the second managed host being arranged externally from the first managed host and the second managed host,wherein the instructions stored in the first memory, when executed, cause information to be discovered about the first managed host and the second managed host by collecting the information about the first managed host and the second managed host and automatic management of the credentials for at least one of the first managed host and the second managed host based on the collected information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus according to claim 1, wherein the instructions stored in the first memory, when executed, cause to be discovered information about at least one of trust relationships, keys, credentials, certificates, and configurations associated with at least one of the managed hosts.
  - 3. The apparatus according to claim 1, wherein the external storage of credentials comprises one of a vault, an active directory, a home directory, a Lightweight Directory Access Protocol (LDAP) based directory, a network file system (NFS), Network Information System (NIS), and a virtual directory service.
  - 4. The apparatus according to claim 1, wherein the external storage of credentials comprises a virtual storage.
  - 5. The apparatus according to claim 1, wherein the external storage of credentials comprises a shared directory provided in a virtualization environment.
  - 6. The apparatus according to claim 5, wherein in the virtualization environment parts of a kernel are shared by a multiple of instances.
  - 7. The apparatus according to claim 1, wherein at least one of the hosts comprises a virtual host.
  - 8. The apparatus according to claim 1, wherein the instructions stored in the first memory comprise at least one of:
    - a key installer configured to install an authorized key on at least one of the managed hosts;
      
      a key remover configured to remove an authorized key from at least one of the managed hosts;
      
      a key rotator configured to rotate existing key pairs;
      
      a trust relationship installer configured to install a trust relationship between the managed hosts;
      
      a trust relationship remover configured to remove a trust relationship from between the managed hosts;
      
      a trust relationship converter configured to convert an existing trust relationship of a first type to a trust relationship of a second type; and
      
      a command restriction enforcer configured to add a command restriction to an existing trust relationship.
  - 9. The apparatus according to claim 1, wherein the credentials comprise user authentication keys.
  - 10. The apparatus according to claim 9, wherein the user authentication keys comprise user authentication keys according to secure shell protocol (SSH), and the first managed host comprises an SSH client and the second managed host comprises an SSH server.
  - 11. The apparatus of claim 1, wherein the first memory stores instructions that, when executed, cause the information to be collected by reading one or more configuration files and parsing the configuration files.

12. A method, comprising:
- managing credentials utilized between a first managed host comprising a first memory storing instructions that perform functions of a client and a second managed host comprising a second memory storing instructions that perform functions of a server, said credentials for at least one of said managed hosts being stored externally from said managed hosts, wherein said managing is performed by a management host comprising a processor and third memory storing instructions that perform functions of the managing comprising;
  
  discovering information about said managed hosts by collecting the information about the first managed host and the second managed host; and
  
  managing automatically said credentials stored externally from said managed hosts based on the discovered information.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method according to claim 12, comprising collecting information from at least one of a vault, an active directory, a home directory, a Lightweight Directory Access Protocol (LDAP) based directory, a network file system (NFS), Network Information System (NIS), and a virtual directory.
  - 14. The method according to claim 12, comprising collecting information from a shared directory provided in a virtualization environment.
  - 15. The method according to claim 12, wherein at least one of the hosts comprises a virtual host.
  - 16. The method according to claim 12, wherein the discovering comprises discovering information about at least one of trust relationships, keys, credentials, certificates, and configurations on at least one of the managed hosts.
  - 17. The method according to claim 12, wherein the managing further comprises at least one of:
    - installing an authorized key on at least one of the managed hosts;
      
      removing an authorized key from at least one of the managed hosts;
      
      installing a trust relationship between the managed hosts;
      
      removing a trust relationship from between the managed hosts;
      
      rotating existing key pairs;
      
      converting an existing trust relationship of a first type to a trust relationship of a second type; and
      
      adding a command restriction to an existing trust relationship.
  - 18. The method according to claim 12, wherein the credentials comprise user authentication keys according to secure shell protocol (SSH), and the first managed host comprises an SSH client and the second managed host comprises an SSH server.
  - 19. The method of claim 12, wherein the discovering comprises reading one or more configuration files.

20. A non-transitory computer program comprising computer readable program code embodied therein, operable to cause a management host comprising a processor and a first memory storing instructions therein to manage credentials utilized between a first managed host comprising a second memory storing instructions that perform functions of a client and a second managed host comprising a third memory storing instructions that perform functions of the server, wherein said credentials are stored externally from managed hosts, further operable todiscover information about said managed hosts by collecting the information about the first managed host and the second managed host;
- andmanage automatically said credentials based on the discovered information.

21. A system, comprising at least a manager apparatus comprising a processor and a first memory storing instructions that perform management functions, a first managed host comprising a second memory storing instructions that perform functions of a client, and a second managed host comprising a third memory storing instructions that perform functions of a server, wherein the manager apparatus is external to the first managed host and the second managed host, and wherein the instructions stored in the first memory, when executed:
- manage credentials utilized between the first managed host and the second managed host, said keys for at least one of the managed hosts being stored externally from said at least one managed host,discover information about said managed hosts by collecting the information about the first managed host and the second managed host, andautomatically manage said credentials based on the discovered information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Corporation
Inventors
Ylonen, Tatu J.
Primary Examiner(s)
BAYOU, YONAS A

Application Number

US15/441,339
Publication Number

US 20170171175A1
Time in Patent Office

277 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/575   Secure boot

H04L 61/4523   using lightweight directory...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321 : involving a third party or ...

H04L 9/3263 : involving certificates, e.g...

H04L 9/3268 : using certificate validatio...

View All

Managing credentials in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Managing credentials in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links