SSH Key Management
TigerTrust provides comprehensive SSH key lifecycle management alongside certificate management.
Overview
| Feature | Description |
|---|---|
| Discovery | Scan hosts for SSH keys and authorized_keys |
| Inventory | Central visibility of all SSH keys |
| Rotation | Automated key rotation; the old key stays authorized for a configurable overlap period (retainOldKeyDays) so existing access is not cut off during the switch |
| Deployment | Deploy public keys to authorized_keys |
| Audit | Track all SSH key operations |
SSH Key Discovery
The agent discovers SSH keys from:
- /home/*/.ssh/ - User SSH directories
- /root/.ssh/ - Root user keys
- /etc/ssh/ - Host keys
- authorized_keys - Authorized public keys
Configuration
ssh:
  enabled: true
  scan_paths:
    - /home
    - /root/.ssh
    - /etc/ssh
  scan_authorized_keys: true
  scan_known_hosts: false
  key_types:
    - rsa
    - ecdsa
    - ed25519
Discovered Key Information
For each discovered key:
{
"fingerprint": "SHA256:abc123...",
"keyType": "ssh-ed25519",
"keyBits": 256,
"keyPath": "/home/deploy/.ssh/id_ed25519",
"publicKeyPath": "/home/deploy/.ssh/id_ed25519.pub",
"hasPassphrase": true,
"isHostKey": false,
"isUserKey": true,
"publicKeyOnly": false,
"hostname": "web-server-1",
"username": "deploy",
"createdAt": "2024-01-15T10:30:00Z",
"lastModified": "2024-01-15T10:30:00Z"
}
Authorized Keys Discovery
TigerTrust tracks authorized_keys entries:
{
"fingerprint": "SHA256:xyz789...",
"keyType": "ssh-rsa",
"publicKey": "ssh-rsa AAAA...",
"comment": "[email protected]",
"filePath": "/home/deploy/.ssh/authorized_keys",
"lineNumber": 3,
"username": "deploy",
"hostname": "web-server-1",
"isActive": true,
"addedBy": "[email protected]",
"expiresAt": null
}
SSH Key Operations
Generate New Key Pair
Via API (the passphrase, if supplied, travels in the request body: send it only over TLS and keep it out of shell history, for example by reading the body from a file with -d @body.json instead of inlining it):
curl -X POST "https://api.tigertrust.io/api/ssh-keys/generate" \
-H "X-Agent-API-Key: ak_your_key" \
-H "Content-Type: application/json" \
-d '{
"keyType": "ed25519",
"comment": "deploy@production",
"passphrase": "optional_passphrase"
}'
Deploy Public Key
Deploy a public key to authorized_keys:
curl -X POST "https://api.tigertrust.io/api/ssh-keys/deploy" \
-H "X-Agent-API-Key: ak_your_key" \
-H "Content-Type: application/json" \
-d '{
"publicKey": "ssh-ed25519 AAAA... [email protected]",
"targetHosts": ["web-server-1", "web-server-2"],
"targetUser": "deploy",
"agentId": "agent-prod-01"
}'
Remove Key from Authorized Keys
curl -X POST "https://api.tigertrust.io/api/ssh-keys/remove" \
-H "X-Agent-API-Key: ak_your_key" \
-H "Content-Type: application/json" \
-d '{
"fingerprint": "SHA256:xyz789...",
"targetHosts": ["web-server-1"],
"targetUser": "deploy"
}'
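The authorized_keys discovery record, the deploy task and the remove task above all reduce to reading and editing one text file correctly: options such as from="..." and command="..." (which may contain spaces) must survive parsing, a deploy must not add a duplicate, and a remove must match on fingerprint rather than on a substring of the line. Rotation is the same two steps in sequence (deploy the new key, remove the old one once the retention period ends). The following is an added example of that agent-side logic, not TigerTrust code: it assumes OpenSSH authorized_keys syntax and the SHA256 fingerprint form printed by ssh-keygen -l; the sample file and the key blobs in it are constructed, not real keys.

```python
"""Agent-side authorized_keys handling (added example, not TigerTrust code).
Assumes OpenSSH authorized_keys syntax and SHA256 fingerprints as printed by
ssh-keygen -l ("SHA256:" + unpadded base64 of sha256(key blob))."""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint of a base64 key blob (padding '=' removed)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _tokens(line: str) -> List[str]:
    """Whitespace split that keeps quoted option values (command="a b") whole."""
    out, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + ([cur] if cur else [])


def parse_line(line: str, line_no: int) -> Optional[Dict]:
    """One entry as a record like the discovery JSON above; None for blank or
    comment lines; ValueError for a malformed line."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    toks = _tokens(text)
    idx = next((i for i, t in enumerate(toks) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(toks):
        raise ValueError(f"line {line_no}: no recognised key type")
    ktype, blob = toks[idx], toks[idx + 1]
    raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    # The blob carries its own length-prefixed type string; a mismatch with the
    # declared type means a corrupt or tampered line, so refuse it.
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != ktype.encode():
        raise ValueError(f"line {line_no}: blob does not match declared type {ktype}")
    return {"fingerprint": fingerprint(blob), "keyType": ktype,
            "publicKey": f"{ktype} {blob}", "comment": " ".join(toks[idx + 2:]),
            "options": " ".join(toks[:idx]), "lineNumber": line_no}


def parse_authorized_keys(content: str) -> List[Dict]:
    """Discovery: every key entry in the file with its 1-based line number."""
    entries = (parse_line(l, n) for n, l in enumerate(content.splitlines(), 1))
    return [e for e in entries if e is not None]


def deploy(content: str, public_key_line: str) -> str:
    """Append a public key unless that fingerprint is already present (idempotent)."""
    new = parse_line(public_key_line, 0)
    if new is None:
        raise ValueError("public key line is empty")
    if any(k["fingerprint"] == new["fingerprint"] for k in parse_authorized_keys(content)):
        return content
    sep = "" if not content or content.endswith("\n") else "\n"
    return content + sep + public_key_line.strip() + "\n"


def remove(content: str, target_fp: str) -> Tuple[str, int]:
    """Drop entries matching the fingerprint. Comments, blanks and lines that fail
    to parse are kept as-is so nothing is silently lost on a malformed file."""
    kept, removed = [], 0
    for no, line in enumerate(content.splitlines(), 1):
        try:
            entry = parse_line(line, no)
        except ValueError:
            entry = None
        if entry and entry["fingerprint"] == target_fp:
            removed += 1
        else:
            kept.append(line)
    return ("\n".join(kept) + "\n" if kept else ""), removed


def _ed25519_blob(seed: int) -> str:
    """Constructed 32-byte 'public key' for the sample file; not a real key."""
    pk = bytes((seed * 7 + i) % 256 for i in range(32))
    return base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519"
                            + struct.pack(">I", 32) + pk).decode()


# Constructed sample file: comment, plain entry, blank line, and an entry whose
# options include a command= value containing spaces.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not from a real host",
    f"ssh-ed25519 {_ed25519_blob(1)} deploy@ci-runner",
    "",
    f'from="10.0.0.0/8",command="backup --dry run",no-pty '
    f"ssh-ed25519 {_ed25519_blob(2)} backup@bastion",
]) + "\n"
```

Matching on the fingerprint of the decoded blob, rather than on the base64 text, is what makes remove robust to a key that has been re-added with a different comment or different options; refusing a blob whose embedded type disagrees with the declared type catches a line that was edited by hand or by a hostile process. In a real agent the rewritten content would be written to a temporary file in the same directory and renamed over authorized_keys, preserving the 0600 mode and ownership, so sshd never sees a half-written file.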
Rotate SSH Key
Generates a new key pair and replaces the existing key. With updateAuthorizedKeys set, the new public key is pushed to the key's authorized_keys entries; retainOldKeyDays keeps the old key authorized for that many days so clients and automation can cut over before it is removed:
curl -X POST "https://api.tigertrust.io/api/ssh-keys/:id/rotate" \
-H "X-Agent-API-Key: ak_your_key" \
-H "Content-Type: application/json" \
-d '{
"keyType": "ed25519",
"updateAuthorizedKeys": true,
"retainOldKeyDays": 7
}'
Agent Task Types
The agent handles these SSH-related tasks:
| Task Type | Description |
|---|---|
| ssh_discovery | Scan for SSH keys |
| ssh_key_generate | Generate new key pair |
| ssh_key_deploy | Add key to authorized_keys |
| ssh_key_remove | Remove key from authorized_keys |
| ssh_key_rotate | Rotate existing key |
Dashboard Features
SSH Key Inventory
View all discovered SSH keys with:
- Key type and fingerprint
- Location (host, user, path)
- Associated authorized_keys entries
- Last rotation date
- Compliance status
Key Rotation Policies
Configure automatic rotation:
- Navigate to SSH Keys → Policies
- Create a rotation policy with:
  - Key type requirements (ed25519 preferred)
  - Notification settings
  - Approval workflow (optional)
API Reference
List SSH Keys
GET /api/ssh-keys
Query Parameters:
- keyType - Filter by type (rsa, ecdsa, ed25519)
- hostname - Filter by hostname
- isHostKey - Filter host keys only
- hasAuthorizedEntries - Filter keys with authorized_keys presence
Get SSH Key Details
GET /api/ssh-keys/:id
SSH Key Statistics
GET /api/ssh-keys/stats
Response:
{
"data": {
"total": 250,
"byType": {
"rsa": 100,
"ecdsa": 50,
"ed25519": 100
},
"hostKeys": 30,
"userKeys": 220,
"rotationDue": 15,
"withoutPassphrase": 80
}
}
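Both the compliance status shown in the SSH Key Inventory and the counters in the stats response above are derived from the discovered-key records. The following is an added example, not TigerTrust code, of how such a derivation can work: it takes records in the shape of the discovery JSON above and evaluates them against a policy whose thresholds (RSA below 3072 bits, DSA forbidden, user private keys stored without a passphrase, rotation due after 90 days) are assumptions chosen for illustration rather than TigerTrust defaults. The records are constructed, not from a real scan.

```python
"""Inventory compliance and statistics over discovered-key records (added
example, not TigerTrust code). Records use the field names of the discovery
JSON above; the policy thresholds are assumptions chosen for illustration."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed example policy, not TigerTrust's defaults.
POLICY = {"rsa_min_bits": 3072, "forbidden_types": {"ssh-dss"}, "max_age_days": 90}

F_FORBIDDEN = "forbidden key type"
F_SHORT_RSA = "rsa key shorter than policy minimum"
F_NO_PASSPHRASE = "private key stored without passphrase"
F_ROTATION_DUE = "rotation due"


def key_family(key_type: str) -> str:
    """Map an SSH key type string to the family used in the stats byType map."""
    if key_type.startswith("ecdsa-"):
        return "ecdsa"
    return {"ssh-rsa": "rsa", "ssh-ed25519": "ed25519", "ssh-dss": "dsa"}.get(key_type, key_type)


def findings(rec: Dict, now: datetime, policy: Dict = POLICY) -> List[str]:
    """Compliance findings for one discovered-key record."""
    out = []
    if rec["keyType"] in policy["forbidden_types"]:
        out.append(F_FORBIDDEN)
    if key_family(rec["keyType"]) == "rsa" and rec["keyBits"] < policy["rsa_min_bits"]:
        out.append(F_SHORT_RSA)
    # Host keys are unencrypted by design and a lone .pub has no passphrase to
    # check, so only user private keys are judged on this point.
    if rec["isUserKey"] and not rec["publicKeyOnly"] and not rec["hasPassphrase"]:
        out.append(F_NO_PASSPHRASE)
    created = datetime.fromisoformat(rec["createdAt"].replace("Z", "+00:00"))
    if now - created > timedelta(days=policy["max_age_days"]):
        out.append(F_ROTATION_DUE)
    return out


def stats(records: List[Dict], now: datetime, policy: Dict = POLICY) -> Dict:
    """Aggregate in the shape of the /api/ssh-keys/stats response above."""
    data = {"total": len(records), "byType": {}, "hostKeys": 0, "userKeys": 0,
            "rotationDue": 0, "withoutPassphrase": 0}
    for rec in records:
        fam = key_family(rec["keyType"])
        data["byType"][fam] = data["byType"].get(fam, 0) + 1
        data["hostKeys"] += int(rec["isHostKey"])
        data["userKeys"] += int(rec["isUserKey"])
        f = findings(rec, now, policy)
        data["rotationDue"] += int(F_ROTATION_DUE in f)
        data["withoutPassphrase"] += int(F_NO_PASSPHRASE in f)
    return {"data": data}


def _rec(key_type, bits, path, host_key, passphrase, public_only, created):
    """Constructed discovery record with the fields the checks above use."""
    return {"keyType": key_type, "keyBits": bits, "keyPath": path,
            "hasPassphrase": passphrase, "isHostKey": host_key,
            "isUserKey": not host_key, "publicKeyOnly": public_only,
            "createdAt": created}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [  # constructed, not from a real scan
    _rec("ssh-ed25519", 256, "/home/deploy/.ssh/id_ed25519", False, True, False, "2024-05-20T09:00:00Z"),
    _rec("ssh-rsa", 2048, "/home/ops/.ssh/id_rsa", False, False, False, "2023-11-01T12:00:00Z"),
    _rec("ecdsa-sha2-nistp256", 256, "/etc/ssh/ssh_host_ecdsa_key", True, False, False, "2022-01-01T00:00:00Z"),
    _rec("ssh-dss", 1024, "/home/legacy/.ssh/id_dsa.pub", False, False, True, "2024-05-25T08:00:00Z"),
]
```

The one design point worth copying is the scoping of the passphrase check: counting every key without a passphrase would flag all host keys and every stray .pub file, burying the finding that matters, a user's private key readable without a passphrase on a host the agent can see.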