SpanKey SSH Keys Management solution

Overview

SpanKey Server is a centralized SSH key management solution for OpenSSH that stores and maintains SSH public keys in a central directory. The identity source can be any LDAP or cloud directory integrated with the WebADM framework, including Active Directory, OpenLDAP, Entra ID, Okta, and similar.

With SpanKey, there is no need to manually distribute, maintain, or expire SSH public keys on individual servers. Instead, the SpanKey client is deployed on Linux or FreeBSD systems running the OpenSSH server component and provides users’ public keys on-demand during authentication.

Any SSH key revoked through the WebADM Administrator portal is instantly revoked on all SpanKey clients, ensuring consistent access control across all managed servers.

Key Features

Centralized Access Control
- Supports LDAP or cloud users and groups as the identity source
- Server tagging for fine-grained access control
- Shared accounts and privileged users (master keys)
- Recovery keys for emergency access
Key Lifecycle Management
- Automatic public key expiration
- Automated SSH key renewal workflows via WebADM Self-Services
SUDO & Audit Integration
- Centralized SUDO definitions per group, user, and client system
- Auditd rules can be centrally managed and forwarded to the SpanKey server or a SIEM
Session Recording & Replay
- SSH sessions can be graphically recorded and replayed through the WebADM Administrator portal
Multi-Factor Authentication Support
- User password, OTP, and U2F validation after SSH key validation
- SSH keys can be stored on smartcards for additional security

Requirements

WebADM installed and configured (refer to the WebADM Installation Guide)
SpanKey server installed on the WebADM server(s)

Packages Installation

General Notes

The spankey (server) package must be installed on the WebADM server(s).
The SpanKey client package:
- spankey_client on RPM-based systems
- spankey-client on DEB-based systems
  must be installed on Linux or FreeBSD systems where SSH key management via SpanKey is required.

System Requirements

SpanKey Client version 2.2.0 is designed to run on Linux x86_64 with GLIBC ≥ 2.12.

OpenSSH 6.2 or later is required to support the AuthorizedKeysCommand directive, which allows fetching authorized_keys from an external command instead of the filesystem.

SpanKey Server Installation (WebADM Server)

In repository-based installation mode, it is assumed that the RCDevs repositories are configured and accessible from your Linux systems.

Debian / Ubuntu (DEB)

apt install spankey

Restart WebADM services:

/opt/webadm/bin/webadm restart

systemctl restart webadm

Enable the service in WebADM GUI:

Applications → Authentication
Register SSH Public Key Server (SpanKey)

RHEL / CentOS / Rocky / Alma (RPM)

dnf install spankey

Restart WebADM services:

/opt/webadm/bin/webadm restart

systemctl restart webadm

Enable the service in WebADM GUI:

Applications → Authentication
Register SSH Public Key Server (SpanKey)

Self-Installer

gunzip spankey-2.0.x-x.sh.gz
bash spankey-2.0.x-x.sh

Restart WebADM services:

/opt/webadm/bin/webadm restart

Enable the service in WebADM GUI:

Applications → Authentication
Register SSH Public Key Server (SpanKey)

SpanKey Client Installation (Linux / FreeBSD)

Debian / Ubuntu (DEB)

apt install spankey-client

RHEL / CentOS / Rocky / Alma (RPM)

dnf install spankey_client

Self-Installer

gunzip spankey_client-2.1.x.sh.gz
bash spankey_client-2.1.x.sh

Configurations

SpanKey Server

Once the SpanKey server package is installed, you need to enable the SpanKey service in WebADM. In the WebADM Administrator console, go to the Applications tab → Authentication, and click the Register button for SSH Public Key Server.
The default configuration is suitable for most Linux environments, but for initial testing, it is recommended to click the Configure button and set the following options in the SSH Public Key Server (SpanKey server):

This will disable server-side caching, which is generally helpful during the configuration and testing phases.

For production environments, caching must be enabled to ensure optimal performance. Keeping caching disabled can significantly degrade performance.

The SSH Key format can be defined here.
RSA Key Length can also be settled here.
The SSH Key Lifetime can be adjusted too.
Send Self-Registration: This option can be enabled if you want to have a new self-registration request when the SSH key has expired.
Enable Offline Mode: Offline mode can be enabled in case of the SpanKey server is unavailable.
Require Extra Login Factors: An OTP validation can be added during the authentication workflow.

Some other settings can be enabled on Spankey server:

Create Home Directory: If enabled, the user home directory will be automatically created during the first login if not present.
Max Session Time: This setting can be settled if you want to define a maximum session time.
Record Session Data: This is a new feature of SpanKey! This setting allows you to record and store in SQL database, terminal sessions, SFTP sessions. Sessions are replayable video which can be found in Databases tab > Recorded Sessions under WebADM Admin Console.

Under SSH Public Key Server configuration, you can find various configurations options to set access controls to your SSH key-based logins, such as Master Group, Backup Keys, Authorized Group, Tagging... Some of these settings are described in the chapter "Advanced Configuration".

Require client certificate or API Key for SpanKey client is highly recommended for production use!

If you enable this option, every SpanKey client who actually works without a client certificate will stop working. To solve this, you can generate a client certificate through WebADM Admin GUI > Admin tab > Create Server or Client Certificate and import the generated certificate in /opt/spankey/conf/ folder of your SpanKey client.

SpanKey Client

The SpanKey client consists of two components activated at setup time.

SSH component - provides a user login with public keys stored within a directory server (Active Directory, OpenLDAP, Open Directory…).
NSS component - provides a native mapping of your directory users and groups to those in Linux.

SpanKey Client Setup Script

At the end of the installation of the SpanKey package, run the following command to launch setup wizard: /opt/spankey/bin/setup. The wizard will prompt you for the details similar to below:

root@spankey_client.rcdevsdocs.com:~# /opt/spankey/bin/setup 
Setup has already been run for this installation. Overwrite (y/n)?: y
Overwriting...
Enter one of your running WebADM node IP or hostname []: webadm1.rcdevsdocs.com
Do you want to enable SpanKey Client for OpenSSH server (y/n)? [N]: y
Do you want to enable SpanKey Client NSS plugin (y/n)? [Y]: y
Do you want to register SpanKey Client logrotate script (y/n)? [Y]: y
Do you want SpanKey Client to be automatically started at boot (y/n)? [Y]: y

    Primary OpenOTP service URL is: 'https://webadm1.rcdevsdocs.com:8443/spankey/'
    Secondary OpenOTP service URL is: 'NONE'
    Enable SpanKey Client for OpenSSH server: 'YES'
    Enable SpanKey Client NSS plugin: 'YES'
    Register SpanKey Client logrotate script: 'YES'
    SpanKey Client must be automatically started at boot: 'YES'

Do you confirm (y/n)?: y

Applying SpanKey Client settings from default configuration files... Ok
Retrieving WebADM CA certificate from host 'webadm1.rcdevsdocs.com'... Ok
The setup needs now to request a signed 'SpanKey' client certificate.
This request should show up as pending in your WebADM interface and an administrator must accept it.
Waiting for approbation...

At this step, you have to log in on the WebADM Administration GUI to approve the SSL certificate request.

Click on the red button at the end of the home page.
On the next screen, you can show the SSL certificate request is pending:

Click on the Accept button and the Spankey-client setup will continue.

Waiting for approbation... Ok
Updating entry 'client_id' in file '/opt/spankey/conf/spankey.conf'... Ok
Updating file '/etc/ssh/sshd_config'... Ok
Updating file '/etc/nsswitch.conf'... Ok
Updating file '/etc/pam.d/common-account'... Ok
Registering SpanKey Client service...
Registering SpanKey Client service... Ok
Adding logrotate script... Ok

SpanKey Client has successfully been setup.

IMPORTANT: Do not forget to perform the following actions before you exit this session:
 - Start SpanKey (/opt/spankey/bin/spankey start)
 - Restart 'sshd'
 - Restart 'nscd'

root@spankey_client.rcdevsdocs.com:~#

The configuration of the SpanKey client is done, you have to restart sshd, nscd and spankey-client:

root@spankey_client.rcdevsdocs.com:~# systemctl restart sshd 
root@spankey_client.rcdevsdocs.com:~# systemctl restart nscd  
root@spankey_client.rcdevsdocs.com:~# systemctl start spankey

SpanKey client setup is done.

SpanKey Client silent installation

Since WebADM 1.7.1, a new feature is now available for the automatic certificate approval. This setting can be useful when you massively deploy SpanKey Client. To enable this feature, log in on the WebADM Admin GUI > Admin tab > Runtime Actions > Issue Server or Client SSL Certificate > Auto Confirm Mode.

In the Auto Confirm mode, you can specify the time, application and the clients IPs where auto confirms will work. On the previous screenshot, I have configured the auto confirm valid 30 minutes for every Spankey clients coming from the network 192.168.3.0/24. To enable the auto-confirm, switch the Enable Auto Confirm button to Yes. The auto confirm is now enabled.

The SpanKey client can now be installed silently. Once the package is installed, run the following command to run the SpanKey Client setup with your parameters.

192.168.4.160 is my WebADM/SpanKey server IP,
my_client_id is the client_id value configured in /otp/spankey/conf/spankey.conf
ENABLE_SSH__DEFAULT=Y is to enable SpanKey_client for OpenSSH (by default, this setting is set to No for other scenarios)

root@spankey_client.rcdevsdocs.com:~# /opt/spankey/bin/spankey stop
Stopping SpanKey Client.... Ok
root@spankey_client.rcdevsdocs.com:~# ENABLE_SSH__DEFAULT=Y ENABLE_SUDO__DEFAULT=Y /opt/spankey/bin/setup silent webadm1.rcdevsdocs.com my_client_id
    Primary OpenOTP service URL is: 'https://webadm1.rcdevsdocs.com:8443/spankey/'
    Secondary OpenOTP service URL is: 'NONE'
    Enable SpanKey Client for OpenSSH server: 'YES'
    Enable SpanKey Client NSS plugin: 'YES'
    Register SpanKey Client logrotate script: 'YES'
    SpanKey Client must be automatically started at boot: 'YES'

Applying SpanKey Client settings from default configuration files... Ok
Retrieving WebADM CA certificate from host 'webadm1.rcdevsdocs.com'... Ok
The setup needs now to request a signed 'SpanKey' client certificate.
This request should show up as pending in your WebADM interface and an administrator must accept it.
Waiting for approbation... Ok
Updating entry 'client_id' in file '/opt/spankey/conf/spankey.conf'... Ok
Updating file '/etc/ssh/sshd_config'... Ok
Updating file '/etc/nsswitch.conf'... Ok
Updating file '/etc/pam.d/common-account'... Ok
Registering SpanKey Client service...
Registering SpanKey Client service... Ok
Adding logrotate script... Ok

SpanKey Client has successfully been setup.

IMPORTANT: Do not forget to perform the following actions before you exit this session:
 - Start SpanKey (/opt/spankey/bin/spankey start)
 - Restart 'sshd'
 - Restart 'nscd'

root@spankey_client.rcdevsdocs.com:~#

The configuration of the SpanKey client is done, you have to restart sshd, nscd and Spankey client:

root@spankey_client.rcdevsdocs.com:~# /opt/spankey/bin/spankey start;systemctl restart sshd;systemctl restart nscd
Starting SpanKey Client...
Starting daemon 'rcdevs-spankeyd'... Ok
root@spankey_client.rcdevsdocs.com:~#

Advanced Configurations

SpanKey Client

Files and Folders

SpanKey client is installed under /opt/spankey/ folder.

Find below the SpanKey client software installation file structure and important files.

/opt/spankey/bin/: Location for SpanKey service binaries and startup scripts.
- spankey : SpanKey executable control script for starting and stopping the service process.
  To start SpanKey from the command line, issue ./spankey start. To stop SpanKey, issue ./spankey stop.
- setup: Initial SpanKey setup script run by the self-installer. The setup can be re-run manually at any time.
/opt/spankey/doc/: Location for spankey documentation resources.
/opt/spankey/conf/: Location for SpanKey configuration files.
- spankey.conf: Main configuration file. Defines the basic SpanKey client parameters.

#-#-#-#
#
#  SpanKey main configuration file.
#
	#-#-#-#
	#
	#  The entry below tells the daemon where the log file must be.
	#  At the very early stage (when the daemon started but did not read yet this configuration file),
	#  logs are sent to the standard output. Anyway, since the launcher script uses a redirection, you won't even see them.
	#
		log_file             /opt/spankey/logs/spankeyd.log
	#
	#  When log level is set to 'Normal', SpanKey components will log both errors and warnings only.
	#  'Verbose' will make all these components just log everything.
	#
		log_level            Normal
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  Where to produce the SpanKey daemon's pid file.
	#
		#pid_file             /opt/spankey/temp/spankeyd.pid
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  A CA file is required in order to trust SpanKey servers the daemon will send requests to.
	#
		ca_file              /opt/spankey/conf/ca.crt
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  An optional client certificate and password spankeyd will use to communicate whith SpanKey servers
	#  when these are configured with 'Required Client Certificate or API Key'.
	#  This setting is exclusive to the 'api_key' setting.
	#
		client_cert_file     /opt/spankey/conf/spankey.pem
		#client_cert_password PaSsWoRd
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  An optional client API key spankeyd will use to communicate whith SpanKey servers
	#  when these are configured with 'Required Client Certificate or API Key'.
	#  This setting is exclusive to the 'client_cert_file' setting.
	#
		#api_key              ""
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  The section below contains a list of backend servers the daemon should connect to.
	#  It must contain one or two target OTP server.
	#  Any additional server in the list will just be ignored.
	#
		server_urls {
			url1 https://webadm1.rcdevsdocs.com:8443/spankey/
			url2 https://webadm2.rcdevsdocs.com:8443/spankey/

		}
	#
	#
	#  How spankeyd will relay request to the spankey backend server set.
	#   - "balanced" means the request will be balanced between server 1 and server 2 in a round-robin fashion.
	#   - "ordered" means server 2 is kept as a hot spare in case the primary server stops answering requests properly.
	#
		#server_policy       BaLaNcEd
	#
	#
	#  When two servers are configured, spankeyd can check the server statuses
	#  at regular intervals by trying TCP socket connections. The status_cache is the polling interval
	#  between 10 and 600 seconds.
	#
		status_cache         30
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  The default domain name passed to the targeted spankey backend server when the client entered a username only.
	#  This prevents that backend server to apply any default domain configured on its own side.
	#
		#default_domain_name Default
	#
	#
	#  Tells spankeyd how to extract 'domain' and 'username' from the username string entered
	#  in order to send them both separately to the targeted spankey backend server.
	#
		#domain_separator    \\
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  A comma separated list of tags from which boolean expressions attached to policies will be checked on backends.
	#  Further details about such boolean expressions on the servers side can be found at the following URL:
	#
	#  https://docs.rcdevs.com/howtos/spankey/spankey/
	#
		#requested_tags       TAG1,TAG2
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  User settings (better configure settings in client policies).
	#  Fixed list of SpanKey policy settings to be passed via the SpanKey API.
	#
		#user_settings        SpanKey.KeyExpire=10
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  The client identifier to be sent to the targeted spankey backend server along with authentication requests.
	#  This allows to apply per client contextual policies on that backend server while running an authentication workflow.
	#
		client_id            SpanKey
	#
	#
	#-#-#-#


	#-#-#-#
	#
	#  TCP timeout for SOAP requests is by default 30.
	#  Just keep it as it unless you really understand all the possible consequences a change could have.
	#
		#soap_timeout         30
	#
	#
	#-#-#-#
#
#
#-#-#-#

/opt/spankey/lib/: Location for SpanKey system libraries.
/opt/spankey/libexec/: Location for SpanKey system executables.
/opt/spankey/logs/: Location for log files produced by SpanKey client.
/opt/spankey/temp/: Location for SpanKey temporary data files. Under this directory, you will find service PID files.

SpanKey Client and Auditd

Since Spankey client v2.1.0 and SpanKey server v2.0.4-1, you can use Auditd with SpanKey. Auditd will allow you to record executed commands, SCP actions (copy, remote execution) in WebADM record database. To enable Auditd with SpanKey client, the auditd packages must be installed and running on the target machine. On some operating systems, SELinux may prevent the Spankey Auditd plugin from working, resulting in empty AUDIT logs in WebADM SQL records. In this case, you must either disable SELinux or create an SELinux rule to allow the Spankey Auditd plugin.

If this is not installed yet, you can install it with these commands:

for CentOS/RHEL OS: dnf install audit
for Debian OS: apt install auditd

If you install auditd after the installation of Spankey Client, you can copy the configuration file needed by auditd to activate audit for SpanKey Client. This file is available in /opt/spankey/lib/audisp_plugin.conf and must be copied in:

/etc/audisp/plugins.d/spankey.conf for Debian based OS.
/etc/audit/plugins.d/spankey.conf for CentOS/RHEL based OS.

By default, Auditd for SpanKey client is disabled. To enable it, after the Spankey client installation and configuration, edit the following file:

/etc/audisp/plugins.d/spankey.conf

# This file controls the configuration of the SpanKey Client plugin.
# It simply takes events and forwards them to the SpanKey daemon.

active = no
direction = out
path = /opt/spankey/libexec/audisp_plugin
type = always
#args = 
format = string

Change the active setting from no to yes:

# This file controls the configuration of the SpanKey Client plugin.
# It simply takes events and forwards them to the SpanKey daemon.

active = yes
direction = out
path = /opt/spankey/libexec/audisp_plugin
type = always
#args = 
format = string

To changes takes effect, a restart of spankey client is required. Logs are now sent to auditd and auditd forwards logs to SpanKey client daemon. The daemon will forward logs to SpanKey server.

systemctl restart spankey

Be aware, if you enable Auditd with SpanKey then all Auditd rules that have been set before on that machine will be erased. Therefore, if you are using your own Auditd rules for monitoring your machine then you can not use SpanKey with the Record Audit Logs feature.

Please refer to step Audit logs and SSH Sessions recording section of this documentation to enable auditd logs on the SpanKey server side and to know how to consult recorded logs.

SpanKey Server

Below are described some of the most relevant SSH Public Key Server configuration options.

Master Group

In SpanKey you can define master groups where the members of the group are considered as super users and can use their SSH key to access any other SpanKey account. A master group can be configured in SpanKey global configuration or in a client policy. To configure a master group, go on SpanKey global configuration or client policy and configure your Master Group.

For example, my master group is CN=Administrator,CN=Users,DC=rcdevsdocs,DC=com and one member of this group is administrator account, who has a public key enrolled on his account:

This means that the administrator account can log in to every user account using its own private key.
The administrator's public key is returned by the Spankey authorized_key command of each user account.

Below, the authorized_keys command used with Administrator account:

[root@spankey_client.rcdevsdocs.com ~]# /opt/spankey/libexec/authorized_keys administrator
environment="ONE_TIME_AUTHENTICATION_TOKEN=3D749711B6019742755496B880DDADB2",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=administrator",environment="SPANKEY_DOMAIN=rcdevsdocs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC716ckpNHzlfamEPgjelVYRZ0GXZqSl+d09Cefd6C2/CZXOMP7vAETSdBs84MsEl4A25YMAGu2h0ObEF+1RgBcGzAj/B9MTMmWyu2YkQ2eA/sSwRBef7sXBuXkchzTe22HVHxlmt0KDLvgJwsVlwNGUAHirCtNNM3ywq2QwZGpZzs1rQZG0pole855aL0Gz+6NfAPrOzXeAqiy8avLTfCB2esR7+m+EpuEwR1+M30tr6IBml9wOPJC2h4b1J+M2VEP2762ulElO7RCoOuoouUPnSlZ6ckPo9ybW8yLUn39tuhoB3MZ9WazM/DG3VvdaUaUkcMw3uQ8x2dj/T9XZopb administrator@rcdevsdocs
root@spankey_client.rcdevsdocs.com:~#

We can see 1 public keys returned for the administrator account.

Now, the authorized_keys command used with John Doe account:

root@spankey_client.rcdevsdocs.com:~# /opt/spankey/libexec/authorized_keys john.doe
environment="ONE_TIME_AUTHENTICATION_TOKEN=81777D5AED315AACC2BA263FB820D63D",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=john.doe",environment="SPANKEY_DOMAIN=rcdevsdocs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCJOJMIuocEeJfa01iJpDSeEW+06WDeh9fIl2SVnigPo3yo/XhG6+I5ZFhjr/takRk5AKRbPJdtqSPGU8BvXBRSjjDkGsZU98sVokngR9HAfcBVfP2gVEVQxi12lOmJrp5OZg66U5aZTQc7Gl9soBiDIvocW6ZJKx+W4ns1vOJj+6I8uAJjtomsaiuptA/09x3npCJWVC/ASKHNC5Vzv+TXBEgZ90T/T04jkV4AASkFZIYtn/PYfH36THf+Lelrntni8dG5NZDPBnqutwOHYbPHWGa+zn0/6M1xeqtJ+/sWhWDq//NpgBNV2xh4uKkm+IFl21BLocgLfLvCSHIDHx4f john.doe@rcdevsdocs

environment="ONE_TIME_AUTHENTICATION_TOKEN=81777D5AED315AACC2BA263FB820D63D",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=Administrator",environment="SPANKEY_DOMAIN=rcdevsdocs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC716ckpNHzlfamEPgjelVYRZ0GXZqSl+d09Cefd6C2/CZXOMP7vAETSdBs84MsEl4A25YMAGu2h0ObEF+1RgBcGzAj/B9MTMmWyu2YkQ2eA/sSwRBef7sXBuXkchzTe22HVHxlmt0KDLvgJwsVlwNGUAHirCtNNM3ywq2QwZGpZzs1rQZG0pole855aL0Gz+6NfAPrOzXeAqiy8avLTfCB2esR7+m+EpuEwR1+M30tr6IBml9wOPJC2h4b1J+M2VEP2762ulElO7RCoOuoouUPnSlZ6ckPo9ybW8yLUn39tuhoB3MZ9WazM/DG3VvdaUaUkcMw3uQ8x2dj/T9XZopb Administrator@rcdevsdocs

We can see 2 public keys returned.

Let's now try to log in on john.doe account and with the SSH key of the administrator account:

$ ssh -i administrator.pem john.doe@192.168.3.104

Welcome, SpanKey Tester!

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 5 minutes.
Session's max duration is 30 minutes.

john.doe@spankey_client.rcdevsdocs.com:~$ whoami
john.doe
john.doe@spankey_client.rcdevsdocs.com:~$ pwd
/home/johndoe
john.doe@spankey_client.rcdevsdocs.com:~$ exit
exit

>>>> Session's duration was aprox 11 seconds <<<<

Connection to 192.168.3.104 closed.

Backup/Recovery Keys

By default, the SpanKey agents will erase users’ authorized_keys file at runtime to prevent users from adding rogue public keys. If recovery keys are configured, then these keys are automatically written to the user’s authorized_keys file, for recovery purposes (to be used in the event where SpanKey client cannot communicate with the SpanKey server).

To configure a backup key, go on the WebADM Admin GUI, click on Applications tab, in Authentication category, you can find SSH Public Key Server, click on CONFIGURE button. You are now in SpanKey server configuration. Find the Power Users & Recovery section, check the box Backup Keys and put the public key to have an access on the target server even if SpanKey client or SpanKey server is down.
Put the public key in the authorized key format here:

That means the private key associated with this public key will be able to log in on the target server even if SpanKey server or SpanKey client is down.

Now, we will do a test to see if the backup key is returned by the authorized key command for the john user on a SpanKey client:

root@spankey_client.rcdevsdocs.com:~# /opt/spankey/libexec/authorized_keys john.doe
environment="ONE_TIME_AUTHENTICATION_TOKEN=B3A9640B8CE1EC2768D49A75E56B9A1F",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=john.doe",environment="SPANKEY_DOMAIN=rcdevsdocs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCJOJMIuocEeJfa01iJpDSeEW+06WDeh9fIl2SVnigPo3yo/XhG6+I5ZFhjr/takRk5AKRbPJdtqSPGU8BvXBRSjjDkGsZU98sVokngR9HAfcBVfP2gVEVQxi12lOmJrp5OZg66U5aZTQc7Gl9soBiDIvocW6ZJKx+W4ns1vOJj+6I8uAJjtomsaiuptA/09x3npCJWVC/ASKHNC5Vzv+TXBEgZ90T/T04jkV4AASkFZIYtn/PYfH36THf+Lelrntni8dG5NZDPBnqutwOHYbPHWGa+zn0/6M1xeqtJ+/sWhWDq//NpgBNV2xh4uKkm+IFl21BLocgLfLvCSHIDHx4f john.doe@rcdevsdocs

environment="ONE_TIME_AUTHENTICATION_TOKEN=B3A9640B8CE1EC2768D49A75E56B9A1F",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=Administrator",environment="SPANKEY_DOMAIN=rcdevsdocs" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC716ckpNHzlfamEPgjelVYRZ0GXZqSl+d09Cefd6C2/CZXOMP7vAETSdBs84MsEl4A25YMAGu2h0ObEF+1RgBcGzAj/B9MTMmWyu2YkQ2eA/sSwRBef7sXBuXkchzTe22HVHxlmt0KDLvgJwsVlwNGUAHirCtNNM3ywq2QwZGpZzs1rQZG0pole855aL0Gz+6NfAPrOzXeAqiy8avLTfCB2esR7+m+EpuEwR1+M30tr6IBml9wOPJC2h4b1J+M2VEP2762ulElO7RCoOuoouUPnSlZ6ckPo9ybW8yLUn39tuhoB3MZ9WazM/DG3VvdaUaUkcMw3uQ8x2dj/T9XZopb Administrator@rcdevsdocs

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQCz4atjV0R0zPr8yiklRcwTVRrIt0pq5jYj1cRYnHtaA4PCZA8rDNWmqCEOGZelxV25l3So5eqP1KXAQQPIGr1J/j6ujQxWu1V19jXSfx3/8fKuKJZ7ckHnbBSvt1m6a+YPyRs2eyyxtGk9L+H5LI+SotlNzsnvsFIjLzpyL2PtA627PtJUs25RG0dIaqq9rxbhqxQydX0dDg103dYR46GKKeSCKwAnnPrwQZF7oSUqlh83vn6bmkqN1KMJNpAqp8XAon6BsejmfBv7R5VoAFV5wTarVysY5nvfbbtK0OC51wxjI/aZABv78QjLV2xOHillTzDu69Y0lC6KCH8BnnmTF9iaNz64cWPRsTrwL+quRK1nPvBwh7xbwJM0TtK5Em2wi4ZhqHshSjlSY/L2S/iT2ofRXfIf/4tKTVMwwWwaU56sVFyuiRVWPSMUY0LR2V5iq6EmzpyuZpxJ8zsWOMZ7XyBCCDPvSVdBsfVL13hxBuSkrSG9pw1EYnm4STT/MCVyeF7qSVEAmfAIOu6DIMk3AQgg/e1YKmMiYNxgdhzOhpFoC1vGRQVvcBvXdxCPKhRkovghvHgNZYv3beui1JAHvk0BmKzmkBUnLqeqm5Gz0BR37Nn6uZLCmnXz13XNHFDog8KzcVRUnqDB/TiwYEeQODWyyGH8o81JzRfSEze3dKCgyZlfyDRpXJnCWGCmG00s13t6hqdT1uKHqB+gLktf8BsNHsLEnPTX+CCJ6SPbK9uy5A9301HRd1xb6cYpzKgL2CI8+gnVZBEhcVArmq5sg8vhprYQAn9qS3TBBhjDlEte1GR4zPU0Cr8R4jdaz8g0UcJtaG95SVuXb8WYm/DJSnvoIUM5tqZ9bFxIGT8CMFRgEA65kqAfAs+4oUOZblDEHgP1AGaD3FPuiIRqif2QIMH7Bva8hUH8FAxwJmVTQZtI6Xkmwd/NnmM8uxKSzRNVue+xoONZ01X8SBKKBR1hGE8nacbbpj6xvlDBmfxLhzHnTfhmNwRdUhvV+MRWjLQKsnLtlXqPqLKUwoMKsED5zSp0zO/J2fnMT1o00896/bVEivL9+LoDsyrRTxT0IDFuVZKo4j9WIY7Kv7lkD2sesr+nafvwwAszeujPoDl4w7l51zyUol/Nu4hs9XVVjMelMf9tOn2xw92ibX2baFKKbEla6Mi+u4Zj/IogkDDz+h+AcVtXlfBYlNprtytLW+bXmvsqxF1s0INjKqrx91bsFKdh5LCrAnR3JeohJL3OMQWX9DvGwkjR+Gj4SlBdaYPDn5t2CdjcO/N9VveUwbODnqbn5eDYnfRhTw2sTGBMgK0jBiaa3j2yN5QqSc+BVluiYqwvxah1CjmXvbjQBxej Backup_key

As you can see, john.doe user has his own public key returned by SpanKey server, and the Administrator key confitured in the previous section and thr recovery key previously configured in Spankey Server configuration.

Let's try a login with the backup key configured and john.doe account:

$ ssh -i backup_key.pem john.doe@192.168.3.104

Welcome, SpanKey Tester!

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 5 minutes.
Session's max duration is 30 minutes.

john.doe@spankey_client.rcdevsdocs.com:~$ whoami
john.doe
john.doe@spankey_client.rcdevsdocs.com:~$ pwd
/home/johndoe
john.doe@spankey_client.rcdevsdocs.com:~$ exit
exit

>>>> Session's duration was aprox 11 seconds <<<<

Connection to 192.168.3.104 closed.

Below are the logs from the SpanKey server side for the authorized key request:

[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] New spankeyAutorizedKeys SOAP request
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] > Username: john.doe
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] > Client ID: my_client_id
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Registered spankeyAutorizedKeys request
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Resolved LDAP user: cn=john,o=Root (cached)
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Found user fullname: john
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Found 25 user settings: EnableLogin=Yes,X11Forwarding=Yes,PortForwarding=Yes,AgentForwarding=Yes,PTYAllocation=Yes,BackupKeys=[1 Items],AllowKeyFiles=No,KeyFiles=.ssh/authorized_keys,MinUID=500,MinGID=100,MailSubject=SSH Access Notification
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Found 1 user data: PublicKey
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Found 2048 bits RSA public key
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Returning 2 authorized public key
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Returning 1 backup public key
[2019-11-07 13:02:19] [192.168.3.104] [SpanKey:DDVPRKKE] Sent success response

Shared Account/Authorized Group

Authorized Groups operate on the principle of a shared account. Shared accounts are a common practice in Enterprise use of SSH. A shared account (i.e. ‘webmaster’ user) is a system account which is used concurrently by several administrators. In SpanKey you can transform any generic LDAP user into a shared SSH account simply by linking this account to a ‘shared access LDAP group’. Then all the members of that group can gain access to the shared account with their own SSH key.
For example, my shared account is webmaster and I want to allow access to webmaster account by IT group members.

Member of this group is john.doe account:

After that, I click on my webmaster account on the left tree. In Object Details box, I click on CONFIGURE button.

Choose SpanKey application and in Shared Account section, I configure my IT group like below:

Now, I'm able to log into my SpanKey client with john private key on the shared account webmaster:

$ ssh -i johndoe.pem webmaster@192.168.3.104

Welcome, SpanKey Tester!

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 5 minutes.
Session's max duration is 30 minutes.

webmaster@spankey_client.rcdevsdocs.com:~$ whoami;pwd;exit
webmaster
/home/webmaster
exit

>>>> Session's duration was aprox 11 seconds <<<<

Connection to 192.168.3.104 closed.
$

Logs on the SpanKey server side:

 New spankeyNSSInfo SOAP request
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:VAWOC62C] > Database: user
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:VAWOC62C] > Name: webmaster
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:VAWOC62C] > Client ID: my_client_id
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:VAWOC62C] Registered spankeyNSSInfo request
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:VAWOC62C] Found posix user 'CN=webmaster,CN=Users,DC=rcdevsdocs,DC=com'
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:VAWOC62C] Sent success response
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] New spankeyAutorizedKeys SOAP request
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] > Username: webmaster
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] > Client ID: my_client_id
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Registered spankeyAutorizedKeys request
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Resolved LDAP user: CN=webmaster,CN=Users,DC=rcdevsdocs,DC=com
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Found user fullname: webmaster
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Found 25 user settings: EnableLogin=Yes,X11Forwarding=Yes,PortForwarding=Yes,AgentForwarding=Yes,PTYAllocation=Yes,AllowedGroup=cn=IT,o=Root,BackupKeys=[1 Items],AllowKeyFiles=No,KeyFiles=.ssh/authorized_keys,MinUID=500,MinGID=100,MailSubject=SSH Access Notification
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Allowed group 'IT' with 2 member public keys
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Returning 2 authorized public keys
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Returning 1 backup public key
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:YFNR98A0] Sent success response
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:P38WICLQ] New spankeyNSSList SOAP request
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:P38WICLQ] > Database: group
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:P38WICLQ] > Client ID: my_client_id
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:P38WICLQ] Registered spankeyNSSList request
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:P38WICLQ] Could not find any NSS group
[2019-11-07 15:15:55] [192.168.3.104] [SpanKey:P38WICLQ] Sent success response
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] New spankeySessionStart SOAP request
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] > Username: webmaster
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] > Identity: john
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] > Server: spankey_client.rcdevsdocs.com
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] > Command: /bin/bash
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] > Terminal: Yes
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] > Client ID: my_client_id
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] > Source IP: 192.168.3.233
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Registered spankeySessionStart request
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Resolved LDAP user: cn=john,o=Root
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Resolved LDAP groups: it
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Started transaction lock for user
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Found user fullname: john
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Found 21 user settings: WelcomeText=Welcome, SpanKey Tester!,MaxSessionTime=30,LockSessionTime=5,RecordSessions=Yes,RecordAuditLogs=Yes,CreateHomedir=Yes,MailSubject=SSH Access Notification,TermAuditRule=-a always,exit -S execve,FileAuditRule=-a always,exit -S all -F dir=/ -F perm=rwa,EnableLogin=Yes
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Found 1 user data: LoginCount
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Updated user data
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Started interactive terminal session of ID xPSH6AylY58fEc6S on spankey_client.rcdevsdocs.com valid for 600 seconds
[2019-11-07 15:15:56] [192.168.3.104] [SpanKey:8NJGQVC2] Sent success response

Allow local users and local Authorized Keys File(s) usage

The SpanKey server allows you to configure local users who will be able to use the local authorized keys file(s) configured. In the SpanKey server configuration, you will find the following setting under Server Policy:

Configure your users who are able to use the local authorized keys file(s) first. After that, configure the authorized keys file(s) that your users will be able to use for local login.

User Certificates and Smartcard PIV Keys

In the Spankey Server configuration, you can enable the Allow User Certificates setting. When this option is enabled, a derived public key from the X.509 certificate(s) registered to a user account are returned to Spankey clients as SSH public keys. The certificate must be available and valid on the user account.

Example command to retrieve authorized keys:

[root@spankey_client.rcdevsdocs.com ~]# /opt/spankey/libexec/authorized_keys john.doe
environment="ONE_TIME_AUTHENTICATION_TOKEN=45F3AA29CC8F2F10D503E0AC7EAA665A",command="/opt/spankey/libexec/command_wrapper",environment="SPANKEY_USERNAME=john.doe",environment="SPANKEY_DOMAIN=SUPPORT" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1dGPEPSqmWzq3D8CAzFzypRahtvltIwZKYuQE5eWgnkuBQm6qBLPn+uWBdRPuIwxuh6HWHfE1QM6o33HDI0pYTmQu2gSUteiadWtJM4WzHdBC23y48mKna55QHhKSzTKqSJwnAWCuVks7CiwBiY/ySDr9LHYBl8apKZ8qXl7nXts2v7uygJOeU8BB3FT2Exk1izDvPkK7tOKvhPVxOvjqTHk07RwqPl2BFmfFegf4/yhjWRdvNF/lLS6mHbBluk0WNHmpQvi+UiNrENy1snU89mUrQqjsDMoW/BJt1SxHPBbugTklJFLB8lElrqBOxfuPv/qwSdbe2/oipdxkxLxd john.doe@RCDEVSDOCS

This Authorized Key is derived from the certificate stored on the john.doe user account.

To authenticate using a smartcard, you must install a PKCS#11 library on the client system. The smartcard must also store that certificate.

If your Smartcard is protected by a PIN, you will be invited to provide it during the authentication process.

Example SSH login using a smartcard:

John@MBP ~ ssh -I /opt/homebrew/lib/opensc-pkcs11.so john.doe@spankey_client.rcdevsdocs.com

Enter PIN for 'John Doe': 

Welcome to spankey_client.rcdevsdocs.com Server

Session recording is disabled.
Audit logs recording is enabled.
Session lock is disabled.
Session's max duration is unlimited.

bash-5.1$ whoami
bash-5.1$ john.doe

Audit logs and SSH Sessions recording

For security audit, Spankey provide 2 kinds of audit logs.

The first one is the graphical session recording. All SSH sessions can be recorded and that allow you to replay every SSH sessions at any moment through the WebADM Admin interface.
The Record Session Data setting must be enabled for session recording.

Another kind of audit is the Record Audit Logs. The setting will allow you to store audit event (commands and file events) in the WebADM Record databases.

These 2 settings can be enabled under SpanKey Server configuration:

Recorded sessions and audit logs can be replayed under WebADM Administrator Portal > Databases > Recorded Sessions & Transactions

Under the Recorded Sessions databases, 2 types of record are available:

TERM : This is a graphical session record
AUDIT : This is the command and file events record

Click on view button to see the recorded sessions/logs

Other information like client, Session duration, User DN, User IP, Host IP and Session ID are also useful here.

This is an example of auditd logs available through WebADM Admin GUI under databases > Recorded Sessions. Click on View button on an AUDIT log type to consult auditd logs:

[2019-11-07 15:26:25] [3385] Executed command '/bin/bash' (pid 82610) in '/home/john.doe' as 500:100
[2019-11-07 15:26:25] [3385] > Event 'execve' returned success with code 0
[2019-11-07 15:26:25] [3386] Executed command 'groups' (pid 82618) in '/home/john.doe' as 500:100
[2019-11-07 15:26:25] [3386] > Event 'execve' returned success with code 0
[2019-11-07 15:26:25] [3387] Executed command '/bin/sh /usr/bin/lesspipe' (pid 82620) in '/home/johndoe' as 500:100
[2019-11-07 15:26:25] [3387] > Event 'execve' returned success with code 0
[2019-11-07 15:26:25] [3388] Executed command 'basename /usr/bin/lesspipe' (pid 82621) in '/home/johndoe' as 500:100
[2019-11-07 15:26:25] [3388] > Event 'execve' returned success with code 0
[2019-11-07 15:26:25] [3389] Executed command 'dirname /usr/bin/lesspipe' (pid 82623) in '/home/johndoe' as 500:100
[2019-11-07 15:26:25] [3389] > Event 'execve' returned success with code 0
[2019-11-07 15:26:25] [3390] Executed command 'dircolors -b' (pid 82625) in '/home/johndoe' as 500:100
[2019-11-07 15:26:25] [3390] > Event 'execve' returned success with code 0
[2019-11-07 15:26:32] [3391] Executed command 'whoami' (pid 82628) in '/home/john.doe' as 500:100
[2019-11-07 15:26:32] [3391] > Event 'execve' returned success with code 0

Sudoers Policy Plugin

Since SpanKey Client for Linux v2.2.0 and SpanKey Server v2.0.5-1, you can use sudo commands with SpanKey. Sudo rules can be defined at various levels in WebADM, following the framework's policy concepts of inheritance and overriding:

Level/Weight 1: SpanKey Server Configuration. When defined at this level, the sudo rules are inherited by all SpanKey clients.
Level/Weight 2: Group Settings. When defined here, sudo rules are inherited by all members of the group. Additionally, rules can be set to apply to a specific client policy that matches a SpanKey client.
Level/Weight 3: User Settings. When defined here, sudo rules apply only to the individual user. Additionally, rules can be set to a specific client policy matching a SpanKey client.
Level/Weight 4: Client Policy. When defined here, sudo rules apply to all users logging in with SpanKey, where the SpanKey client matches the specified client policy.

Once you authenticated with Spankey, you can run the sudo -V command to check if SpanKey sudoers policy plugin has been successfully loaded:

$ ssh -i centos7 centos7@192.168.3.120

Welcome to SpanKey SSH Server.
This is a demonstration by RCDEVS SA.

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 10 minutes.
Session's max duration is 30 minutes.

[centos7@centos7-client ~]$ sudo -V
Sudo version 1.8.23

SpanKey sudoers policy plugin version 2.3.0
Copyright 2010-2019 RCDevs SA, All rights reserved.

Sudoers file grammar version 46
Sudoers I/O plugin version 2.3.0
[centos7@centos7-client ~]$ exit
exit

>>>> Session's duration was aprox 6 seconds <<<<

Connection to 192.168.3.120 closed.
$

In the below example, the sudo rules are defined on a specific group for all Spankey clients.

In WebADM GUI> <USER_GROUP> > Object Details > Group Settings > SSH Public Key Server > Privilege Elevation, click on the checkbox then click Edit:

Define the desired sudo rules as needed:

In the Client column, you can set the sudo rule for each Spankey client if you have defined a specific client policy for the client system. In this example, we haven't assigned rules to an individual client system, so the rules will apply to all Spankey clients for all members within that group.

Click Apply to save your configuration. You can then perform an SSH login to verify that the rules have been applied correctly. Note that it may take a few minutes for WebADM to refresh its cache and distribute updates to the clients.

Once authenticated with Spankey, you can run the following command sudo -l to check the rights and the set of rules:

$ ssh -i centos7 centos7@192.168.3.120

Welcome to SpanKey SSH Server.
This is a demonstration by RCDEVS SA.

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 10 minutes.
Session's max duration is 30 minutes.

[centos7@centos7-client ~]$ sudo -l
User centos7 may run the following commands on centos7-client:
    (ALL) /bin/ls
    (ALL) /usr/bin/dnf
    (ALL) /usr/bin/apt
    (ALL) /sbin/reboot
    (ALL) /sbin/shutdown
    
[centos7@centos7-client ~]$ exit
exit

>>>> Session's duration was aprox 14 seconds <<<<

Connection to 192.168.3.120 closed.

As we can see, the sudo rules are returned as expected.

Change Password Remotely

In a Spankey installation, Users can now change their LDAP account password with the passwd command when the option is enabled in Spankey Server configuration. The setting is named Allow Password Change and must be set to Yes to benefit that feature from Spankey Clients :

ubuntu20.04:~$ passwd

Changing password for john.doe
Old password:*******
New password: ***********
Retype new password: ***********

passwd: Password changed.

The new password provided must meet the LDAP password policies. No other password policies are applied.

OpenSSH

The SpanKey client setup script asks us during the setup if we want to enable SpanKey for OpenSSH and we reply Yes to this question.

This action involves changing /etc/ssh/sshd_config configuration file. The script edit the following parameters:

AuthorizedKeysCommand /opt/spankey/libexec/authorized_keys
AuthorizedKeysCommandUser root
PermitUserEnvironment yes
UsePAM yes

Depending on the SSHd version, you might need to use AuthorizedKeysCommandRunAs instead of AuthorizedKeysCommandUser.
Restart SSHd if you change the configuration.

service sshd restart

NSS (Name Service Switch) Configuration

Here is a tighter, more precise version with improved technical accuracy, consistent terminology, and no unnecessary emphasis:

NSS (Name Service Switch) is a glibc mechanism that defines how system databases such as users, groups, and hostnames are resolved. It specifies both the order and the sources used for lookups via /etc/nsswitch.conf, allowing applications to retrieve identity and naming information transparently through standard libc functions, regardless of whether the data originates from local files, DNS, LDAP, or other backends.

During the SpanKey client installation, the setup script prompts whether to enable the SpanKey Client NSS plugin. This option was enabled.

Enabling the plugin results in modifications to the /etc/nsswitch.conf configuration file to integrate the SpanKey NSS module into the resolution process.

On RHEL, Rocky, and CentOS distributions, the installer updates the following entries:

passwd: files spankey nscd
shadow: files nscd
group:  files spankey nscd

On Debian and Ubuntu distributions, the installer updates the following entries:

passwd: compat spankey
shadow: compat
group:  compat spankey

getent passwd/group tests

To verify that LDAP users are correctly returned on a SpanKey client, use the following command:

[root@spankey_client.rcdevsdocs.com tmp]# getent passwd

This command should return all LDAP accounts which are posix extended on WebADM side. Please refer to step Users/Groups Management section to know how to activate/extend an LDAP account for SpanKey usage.

[root@spankey_client.rcdevsdocs.com temp]# getent passwd

#### The following accounts are local accounts 

bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
sssd:x:997:994:User for sssd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
chrony:x:996:993::/var/lib/chrony:/sbin/nologin
systemd-oom:x:991:991:systemd Userspace OOM Killer:/:/usr/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin

#### The following accounts are LDAP accounts returned by Spankey server

administrator:x:501:100::/home/administrator:/bin/bash
john.doe:x:500:100:John Doe:/home/johndoe:/bin/bash
jane.doe:x:502:100: Jane Doe:/home/janedoe:/bin/bash
webmaster:x:503:100::/home/webmaster:/bin/bash

The getent passwd command may take a few seconds to return results, depending on network latency and server response time. If the lookup is successful, the following entries should appear in /opt/webadm/logs/webadm.log on the WebADM server:

[2018-05-22 17:11:25] [192.168.3.104] [SpanKey:AFA5ES1I] New spankeyNSSList SOAP request
[2018-05-22 17:11:25] [192.168.3.104] [SpanKey:AFA5ES1I] > Database: user
[2018-05-22 17:11:25] [192.168.3.104] [SpanKey:AFA5ES1I] > Client ID: my_client_id
[2018-05-22 17:11:25] [192.168.3.104] [SpanKey:AFA5ES1I] Registered spankeyNSSList request
[2018-05-22 17:11:25] [192.168.3.104] [SpanKey:AFA5ES1I] Found 4 posix users
[2018-05-22 17:11:25] [192.168.3.104] [SpanKey:AFA5ES1I] Sent success response

To verify that LDAP groups are correctly returned on the SpanKey client, use the following command:

[root@spankey_client.rcdevsdocs.com tmp]# getent group

Only LDAP groups that have been activated or extended for SpanKey usage will be returned. Refer to section Users/Groups Management for instructions on enabling POSIX attributes for LDAP groups.

[root@spankey_client.rcdevsdocs.com tmp]# getent group

#### The following groups are local groups

root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:webadm
floppy:x:19:
games:x:20:
tape:x:30:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
avahi-autoipd:x:170:
utmp:x:22:
utempter:x:35:
ssh_keys:x:999:
input:x:998:
systemd-journal:x:190:
systemd-bus-proxy:x:997:
systemd-network:x:996:
dbus:x:81:
polkitd:x:995:
dip:x:40:
tss:x:59:
postdrop:x:90:
postfix:x:89:
chrony:x:994:
sshd:x:74:
mysql:x:993:
webadm:x:1000:
ldap:x:55:
slocate:x:21:
nscd:x:28:
tcpdump:x:72:
cgred:x:992:
docker:x:991:
radiusd:x:990:
toto:x:1003:
apache:x:48:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:

#### The following groups are LDAP groups returned by Spankey server
 
domain admins:x:103:administrator
enterprise admins:x:100:administrator,john.doe,webmaster
it:x:101:john.doe
support_admins:x:102:

If the group lookup is successful, the following entries should appear in /opt/webadm/logs/webadm.log on the WebADM server:

[2024-08-08 13:07:01] [192.168.4.160:47268] [SpanKey:CXF63CUA] New spankeyNSSList SOAP request
[2024-08-08 13:07:01] [192.168.4.160:47268] [SpanKey:CXF63CUA] > Database: group
[2024-08-08 13:07:01] [192.168.4.160:47268] [SpanKey:CXF63CUA] > Client ID: SpanKey
[2024-08-08 13:07:01] [192.168.4.160:47268] [SpanKey:CXF63CUA] Registered spankeyNSSList request
[2024-08-08 13:07:01] [192.168.4.160:47268] [SpanKey:CXF63CUA] Found 4 NSS groups
[2024-08-08 13:07:01] [192.168.4.160:47268] [SpanKey:CXF63CUA] Sent success response

Here is a revised version with clearer structure, corrected grammar, and a more neutral, technical tone. Content is unchanged; wording and flow are improved.

Users / Groups Management

User Management (Activation)

To propagate LDAP users as Linux accounts and enable SpanKey usage, accounts must be extended with the posixAccount (UNIX Account) object class. This operation is performed through the WebADM graphical interface and can also be executed as a batch job.

Extending an LDAP Account

Select the LDAP account to extend.
Verify that the account is already a WebADM account.
- If not, first extend it with the WebADM object class.
In Add Selector, select WebADM Account and click Add.
In Add Extension, select UNIX Account and click Add.

Fill in the required information and click Proceed, then Extend Object.

Once extended, the LDAP account becomes POSIX-enabled and can be used with SpanKey and PAM OpenOTP.

Any identity source supported by WebADM (e.g. Entra ID, Google Workspace, or synchronized external directories) can be POSIX-extended and used on Linux systems via SpanKey or PAM OpenOTP.

SSH Key Generation with SpanKey

From the extended LDAP account, use the SSH Public Key Server action to generate an SSH key pair.

In the Application Actions panel, select
SSH Public Key Server (3 actions) → Register / Unregister SSH Public Key.

Select the key format and key length.
Optionally configure a key expiration.
Click Register.

The SSH key pair is generated by the SpanKey server. Select the private key format (OpenSSH or PuTTY) and download it.

SSH key registration and removal can also be performed via the WebADM, User Self-Service or API interfaces.

SSH Access Using SpanKey

The generated private key can now be used with standard SSH clients (OpenSSH or PuTTY) to access any server where the SpanKey Client is installed.

No deployment of user public keys into authorized_keys files is required.

Example connection:

$ ssh -i johndoe.pem john.doe@spankey_client.rcdevsdocs.com

Welcome to SpanKey SSH Server.
This is a demonstration by RCDEVS SA.

Session recording is enabled.
Audit logs recording is enabled.
Session lock idle time is 5 minutes.
Session's max duration is 30 minutes.

john.doe@spankey_client:~$ exit
exit

>>>> Session's duration was approx. 8 seconds <<<<

Connection to 192.168.3.104 closed.
$

Groups Management (Activation)

To propagate LDAP groups as Linux groups and enable their use with SpanKey, the group must be extended with the POSIX (UNIX Group) object class. This operation is performed through the WebADM graphical interface and can also be executed as a batch job.

Extending an LDAP Group

Select the LDAP group to extend.
In the Add Extension selector, choose UNIX Group and click Add.
Enter the required information, then click Proceed and Extend Object.

Once extended, the LDAP group is POSIX-enabled and can be used as a Linux group with SpanKey.

Active Directory Permissions

If you are working with Active Directory and during the UNIX extension you have a failure, it's probably due to rights permissions. That means your super_admin doesn't have enough rights to add the UNIX objectclass to the user and/or to write values on UNIX attributes. To fix it, login on the Active Directory server and run the following command through Powershell:

dsacls "CN=Users,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;objectClass'
dsacls "cn=users,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;gidnumber'
dsacls "cn=users,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;uidnumber'
dsacls "cn=users,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;unixhomedirectory'
dsacls "cn=users,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;loginshell'
dsacls "cn=users,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;description'
dsacls "cn=users,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;gecos'

Note that cn=users,dc=rcdevsdocs,dc=com is the user search base defined in WebADM Local Domain, RCDEVSDOCS is my NetBIOS domain name and webadmadmin is my super_admin account.

For writting on AD administrators, rights previously settled are not enough because AdminSDHolder overwrites these rights every hour. So we need also to apply these rules on AdminSDHolder object and wait one hour that it’s applied on all admin users and groups of the domain:

dsacls "CN=AdminSDHolder,CN=System,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;objectClass'
dsacls "CN=AdminSDHolder,CN=System,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;gidnumber'
dsacls "CN=AdminSDHolder,CN=System,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;uidnumber'
dsacls "CN=AdminSDHolder,CN=System,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;unixhomedirectory'
dsacls "CN=AdminSDHolder,CN=System,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;loginshell'
dsacls "CN=AdminSDHolder,CN=System,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;description'
dsacls "CN=AdminSDHolder,CN=System,dc=rcdevsdocs,dc=com" /I:T /G 'RCDEVSDOCS\super_admins:WPRP;gecos'

Overview

Key Features

Requirements

Packages Installation

General Notes

System Requirements

SpanKey Server Installation (WebADM Server)

Debian / Ubuntu (DEB)

RHEL / CentOS / Rocky / Alma (RPM)

Self-Installer

SpanKey Client Installation (Linux / FreeBSD)

Debian / Ubuntu (DEB)

RHEL / CentOS / Rocky / Alma (RPM)

Self-Installer

Configurations

SpanKey Server

SpanKey Client

SpanKey Client Setup Script

SpanKey Client silent installation

Advanced Configurations

SpanKey Client

Files and Folders

SpanKey Client and Auditd

SpanKey Server

Master Group

Backup/Recovery Keys

Shared Account/Authorized Group

TAGs

Allow local users and local Authorized Keys File(s) usage

User Certificates and Smartcard PIV Keys

Audit logs and SSH Sessions recording

Sudoers Policy Plugin

Change Password Remotely

OpenSSH

NSS (Name Service Switch) Configuration

getent passwd/group tests

Users / Groups Management

User Management (Activation)

Extending an LDAP Account

SSH Key Generation with SpanKey

SSH Access Using SpanKey

Groups Management (Activation)

Extending an LDAP Group

Active Directory Permissions