SSH key rotation

Has anyone added some sort of SSH key management to Passwordstate, maybe with the use of the APIs?

I've read in the user manual that it is possible to start a remote session via an SSH key in a password list; is it, however, also possible to do some sort of SSH key rotation? Maybe via the use of a script that generates new keys on the hosts and pushes them to Passwordstate, or something like it?

I'm curious whether someone here has done it or has thought about it.


Thanks for all the help so far, I'm loving both Passwordstate and the community!


Hi Kevin,


We believe the only way this would be possible would be via our API, but unfortunately we've never tackled something like this. Hopefully someone in the community has strong Linux scripting skills to point you in the right direction.


Click Studios

Aye, it should be possible to achieve, but it'll need some work on multiple ends of things.


The biggest problem is the distribution of the private key. Kevin suggests generating them on the Linux box and then pushing them out to PasswordState. Personally, that's not something I'd recommend, because now you're transporting the literal key to your system, which either is not password protected, or you're transporting it along with its password. That could/would not be a problem, except that you're wanting to do it unattended. I mean, if you're doing it personally, you can immediately tell if something's gone wrong.


The prettiest solution I can think of is to:

  1. Generate the new keypair on the PasswordState box using puttygen.
  2. Import the private key into the appropriate account object into PasswordState using the API and remove the original file from the file system.
  3. Have the Linux/Unix hosts use AD for their authentication backend (through SSSD).
  4. Push the public key into the relevant user's altSecurityIdentities field in AD.

All this should be doable with PowerShell, combined with API calls to PasswordState. It also takes care of the public key distribution, saving you the effort of sending the pubkey to X amount of servers.


Alternatively, you could of course push the pubkey to each of the X servers that the account exists on, using pscp (the PuTTY CLI SCP client).


However, that brings me back to an issue I was having earlier last week: PasswordState does not have a way of linking one account to X amount of hosts. Unless it's an AD account, you'll find 1:1 account:host relationships. That's not always ideal.



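The four-step procedure in the post above, worked through as an added PowerShell example. This is not code from the thread, from Click Studios or from any Passwordstate documentation. Assumptions, also marked in the comments: the Passwordstate URL, API key, PasswordID and account name are placeholders; the record field that receives the private key is assumed to be `Password`; the Linux hosts' sssd.conf is assumed to already have `ldap_user_ssh_public_key = altSecurityIdentities`. It uses `ssh-keygen` from the Windows OpenSSH client instead of puttygen so the key is already in OpenSSH format, and it orders the steps so the new public key is trusted in AD before the private key replaces the old one in Passwordstate; that ordering is the practical detail the list above leaves out.

```powershell
<#
  Added example (not from the thread or from Click Studios).
  Rotates the SSH keypair of an AD-backed Linux service account:
    1. generate a new keypair on the Passwordstate box,
    2. publish the new public key in the user's altSecurityIdentities (AD),
    3. store the new private key on the Passwordstate record via the API,
    4. retire the old public key(s) from AD and delete the on-disk copy.
  Every value in param() is a placeholder (assumption).
#>
param(
    [string]$PasswordstateUrl = 'https://passwordstate.example.local',
    [string]$ApiKey           = '<password-list-API-key>',
    [int]   $PasswordID       = 1234,
    [string]$SamAccountName   = 'svc-linux-pwreset'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# 1. Generate the keypair locally. ssh-keygen (Windows OpenSSH client) is used rather than
#    puttygen so the output is OpenSSH format, which sshd/SSSD read as-is.
#    -N '""' gives an empty passphrase under Windows PowerShell 5.1, which drops a bare ''
#    argument; on PowerShell 7.3+ use -N '' instead.
$workDir = Join-Path $env:TEMP ("sshrotate-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $workDir | Out-Null
$keyPath = Join-Path $workDir 'id_ed25519'
$comment = "$SamAccountName rotated $(Get-Date -Format 'yyyy-MM-dd')"
& ssh-keygen -q -t ed25519 -N '""' -C $comment -f $keyPath
if ($LASTEXITCODE -ne 0) { throw "ssh-keygen exited with $LASTEXITCODE" }
$privateKey = Get-Content -Raw -Path $keyPath
$publicKey  = (Get-Content -Raw -Path "$keyPath.pub").Trim()

try {
    # 2. Publish the NEW public key first, keeping the old ones, so both keys are trusted
    #    while the private key is swapped. SSSD serves it to sshd when sssd.conf has
    #    ldap_user_ssh_public_key = altSecurityIdentities (assumed already configured).
    $user    = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    $oldKeys = @($user.altSecurityIdentities | Where-Object { $_ -match '^(ssh-|ecdsa-|sk-)' })
    Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $publicKey }

    # 3. Replace the private key on the Passwordstate record. The APIKey header and
    #    PUT /api/passwords with a PasswordID in the body is the Passwordstate update call;
    #    storing the key in the 'Password' field is an assumption about the record layout.
    $body = @{ PasswordID = $PasswordID; Password = $privateKey } | ConvertTo-Json
    Invoke-RestMethod -Method Put -Uri "$PasswordstateUrl/api/passwords" `
        -Headers @{ APIKey = $ApiKey } -ContentType 'application/json' -Body $body | Out-Null

    # 4. Only now retire the old public key(s). The regex above matches SSH key types only,
    #    so X509 and other altSecurityIdentities values on the account are left untouched.
    if ($oldKeys.Count -gt 0) {
        Set-ADUser -Identity $user -Remove @{ altSecurityIdentities = $oldKeys }
    }
}
finally {
    # After this the only copy of the new private key is the one inside Passwordstate.
    # Remove-Item does not wipe disk blocks; keep %TEMP% on an encrypted volume.
    Remove-Item -Recurse -Force -Path $workDir
}
```

On the Linux side this relies on sshd calling `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` (with `AuthorizedKeysCommandUser nobody`) and on SSSD's cache: the retired public key keeps working on each host until its cached entry expires or `sss_cache -u <user>` is run there, so an unattended run should be scheduled with that lag in mind, and if step 3 fails the old key is still valid in both AD and Passwordstate, which is why the old public key is removed last.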

Glad to hear that it's been of some help!


I have a setup where an AD account is used as the privileged Linux user for the password changes by PasswordState; it uses the SSH keys you can store in PState and does it exactly in the way I've explained: pubkey in AD. What's more, we even pull our sudo commands for the account in question from AD, as explained on my blog. I'll have to look into automating the key rotation you've asked about, as that will up the security a bit more :)
