What is Key Distribution Manager
Benefits of Key Distribution Manager
- Lowers the cost of administering privileged user accounts on UNIX and Linux operating systems.
- Lowers the cost of administering authentication credentials (public keys): manual work by administrators is replaced with a fully or partly automated system of administration.
- Single sign-on (SSO) speeds up the work of users who access OS servers through SSH or SCP.
- Strengthens security through the central registration of keys, with the option of quickly terminating a key in the event that it is compromised or lost.
- Enables supervision over the generation of access keys and enforces the use of strong passphrases for keys. A user obtains a key only after presenting the key's passphrase and a second, stipulated login factor.
- Manages the assignment of users to UNIX groups and the administration of root accounts (UID = 0).
- Reduces dependence on a central component compared with, for example, logging in through a central Lightweight Directory Access Protocol (LDAP) directory: a user can keep working even when KDM is unavailable, because the key is already loaded in the SSH agent.
- Keeps an active register of accounts in one location.
- Can be interconnected with identity management applications: time-limited access for consultants, integration with HR processes, and self-service requests by users for access to end systems.
Introducing the software
Key Distribution Manager (KDM) is a software solution that brings the single sign-on principle into the UNIX environment through SSH key distribution and provides central administration of users in such systems.
The KDM server generates and securely stores the private keys used for logging into UNIX systems. On their own computers, users run a small application known as an SSH agent; after logging into KDM, they download their key into the agent. They then access the end servers with the key held in the agent, so they do not have to enter the key's passphrase again on every login (single sign-on). With KDM, users never obtain direct access to their private keys; each key exists only in the agent's memory.
The KDM solution also offers central administration of privileged accounts. It sets up and modifies accounts in UNIX end systems (known as provisioning) and invalidates and deletes user accounts, including removing the public parts of those users' keys from the end systems.
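The central register described above has two defining operations on the end systems: revoking a key quickly once it has been compromised or lost, and removing the public part of a departing user's key from the servers (the automatic expiry of access by a given date is raised later on this page). The following is an added Python example written for this page; it is not KDM code and does not describe KDM's internals. It treats an OpenSSH authorized_keys file as the per-server register, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, revokes an entry by fingerprint, and drops entries whose `expiry-time` option (a standard OpenSSH authorized_keys option) has passed. All key blobs and the file contents are constructed for the demo and are not real key material.

```python
"""Added example: an authorized_keys file treated as a per-server key register
with fingerprinting, revocation by fingerprint and expiry handling.
Constructed for this page; it is not KDM code."""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One authorized_keys line: optional options field (quoted option values may
# contain spaces), key type, base64 blob, optional comment.
_LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|sk-\S+)\s+'
    r'(?P<b64>[A-Za-z0-9+/=]+)'
    r'(?:\s+(?P<comment>.*))?$'
)
# OpenSSH's expiry-time option: YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS.
_EXPIRY_RE = re.compile(r'expiry-time="(\d{8}(?:\d{4}(?:\d{2})?)?)"')


def parse_timespec(ts: str) -> datetime:
    """Parse an OpenSSH expiry-time value into a naive datetime."""
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(ts)]
    return datetime.strptime(ts, fmt)


@dataclass
class Entry:
    options: str      # "" when the line carries no options
    key_type: str
    blob_b64: str
    comment: str      # "" when absent

    @property
    def fingerprint(self) -> str:
        # Same scheme as `ssh-keygen -lf`: SHA256 over the decoded key blob,
        # base64 with the trailing '=' padding removed.
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def expiry(self) -> Optional[datetime]:
        m = _EXPIRY_RE.search(self.options)
        return parse_timespec(m.group(1)) if m else None

    def render(self) -> str:
        return " ".join(p for p in (self.options, self.key_type,
                                    self.blob_b64, self.comment) if p)


def parse_authorized_keys(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable authorized_keys line: {line!r}")
        entries.append(Entry(m.group("opts") or "", m.group("type"),
                             m.group("b64"), m.group("comment") or ""))
    return entries


def revoke(entries: List[Entry], fingerprint: str) -> List[Entry]:
    """Remove every entry whose key matches the compromised or lost fingerprint."""
    return [e for e in entries if e.fingerprint != fingerprint]


def drop_expired(entries: List[Entry], now: datetime) -> List[Entry]:
    """Remove entries whose expiry-time has passed; sshd already refuses them,
    but deleting them keeps the register accurate."""
    return [e for e in entries if e.expiry() is None or e.expiry() > now]


def render(entries: List[Entry]) -> str:
    return "".join(e.render() + "\n" for e in entries)


def _constructed_ed25519_blob(fill: int) -> str:
    """A syntactically valid ssh-ed25519 public-key blob built from a repeated
    constant byte; constructed for the demo, not a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return base64.b64encode(blob).decode()


# Constructed sample authorized_keys content (not from any real system).
SAMPLE = (
    "# constructed sample\n"
    f'expiry-time="20240101" ssh-ed25519 {_constructed_ed25519_blob(1)} consultant@example\n'
    f"ssh-ed25519 {_constructed_ed25519_blob(2)} alice@example\n"
    f'command="/usr/bin/backup run",no-pty ssh-ed25519 {_constructed_ed25519_blob(3)} backup-job\n'
)

if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE)
    for e in keys:
        print(e.fingerprint, e.comment, e.expiry())
    keys = drop_expired(keys, parse_timespec("20240601"))   # consultant's access has lapsed
    keys = revoke(keys, keys[0].fingerprint)                # alice's key reported lost
    print(render(keys), end="")
```

Revocation works on the fingerprint rather than on the comment field because the comment is free text that any user can edit; the fingerprint is derived from the key blob itself, which is what a central register would record at key generation time.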
KDM is an application that uses existing security standards, such as RSA, AES, and PKI.
The typical situation prior to implementing KDM
The typical situation regarding the administration of accounts and authentication tools in UNIX/Linux operating systems before KDM is applied is as follows:
- Accounts in the OS are administered either manually or by proprietary scripts. Administration is neither as effective as it could be nor automated.
- Authentication is based on the 'name + password' principle; no second factor is required at login. Where users log in with keys, those keys are generated by the users themselves. If a user sets no passphrase on the key, the account is exposed to misuse should the key be stolen or lost.
- If a user does use a passphrase, its strength can neither be supervised nor enforced. The user must enter the passphrase on every individual SSH login, which wastes working time.
- There is no uniform central register from which a user's access to a server can be removed when necessary, or set to expire automatically on a given date.
- Creating a user account in a UNIX/Linux system is not automatically linked with generating a key and distributing its public part to the end servers.
Target solution after applying KDM
- All UNIX and Linux systems are connected to KDM. Ideally, the setup includes integration with identity management or HR processes.
- Users log into KDM with their key passphrase and a second factor (RSA SecurID, Active Directory, LDAP, UNIX password, or a general PAM module).
- Users log into all UNIX systems with keys generated by the KDM server according to the organization's security policy. Passphrase strength and expiry comply with the organization's requirements.
- Users of UNIX systems do not have to log in repeatedly; they use single sign-on.
- UNIX administrators obtain one interface for administering accounts, allocating keys, and assigning users to groups.
- A central register of user and program accounts is actively maintained.
- The identity of each individual user behind a shared technical account can be established.
The infrastructure and interface of the KDM application
- KDM requires at least one server running a Linux OS (such as RHEL). The server can be virtualized.
- KDM does not need a relational database or LDAP.
- A requirement for high availability (HA) can be met by deploying KDM as a cluster and synchronizing the KDM file system in which the user data is stored.
- KDM is an administrator tool, so its user interface is a command line. It connects easily to identity management systems, their processes, and graphical user environments through a ready-made connector.