Key Distribution Manager

Key Distribution Manager (KDM) is software intended for the centralization and synchronization of the authentication resources of a Public Key Infrastructure in a Linux/UNIX environment. Users of these operating systems typically do not log into SSH with a password; instead, they identify themselves using their private key, whose public part is uploaded to the server.

Users generate their private keys on their own; depending on the user’s preference, a key may be encrypted with a so‑called passphrase, i.e. a password, which has to be entered at every login. Because the keys are stored on the client, neither the existence nor the strength of the passphrase can be controlled by common tools, so unprotected keys are at risk of misuse. The public part of the key is uploaded to the end server by an administrator, either manually or using a script.

In the KDM environment, private keys are generated and stored securely on the server. This location allows the minimum requirements for the strength of a private key and its passphrase (for example, the minimum required number of characters) to be enforced by software tools.

The public parts of the keys are automatically synchronized to the end servers that users access. At their workstations, users run the so‑called SSH Agent – a small application which loads the key into its memory after the user logs into KDM. The user then accesses the end servers with the key held by the agent and therefore does not have to enter the passphrase at every login. The KDM solution can also be combined with account management; in that case KDM ensures, besides key distribution, the creation and modification of accounts on the end systems (provisioning).

Basic functions of KDM

  • Central storage and authority for the generation of user keys
  • Enforcement of passphrase strength according to a defined policy including time‑limited validity of the key
  • Automatic synchronization of the public part of the key to end servers based on KDM user rights; withdrawal of the key in the event of its expiry or re‑generation
  • User authentication to KDM with the use of PAM modules or a passphrase
  • Download of the private key to the user’s SSH Agent’s memory, not to the hard drive
  • Periodic checks of end‑server settings – sshd_config, key storage, etc.
  • Support of shared keys and non-interactive tasks
  • Verification of the real identity of the user and logging of activity
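The two mechanisms described above, central passphrase policy and synchronization of public keys to end servers with withdrawal on expiry or revocation, can be modelled in a few dozen lines. The following is an added illustration written for this page, not AMI Praha’s KDM code; the registry layout, the policy thresholds, the host names, the key blobs and the `@kdm` comment suffix are all constructed assumptions.

```python
"""
Added example (not the KDM product's own code): a toy central key registry
that renders the authorized_keys content each end server should hold,
withdraws expired or revoked keys, and enforces a passphrase policy.
Every name, threshold and key blob below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class RegisteredKey:
    user: str
    key_type: str
    key_blob: str          # constructed placeholder, not a real key
    issued: datetime
    valid_days: int        # time-limited validity enforced centrally
    hosts: frozenset       # end servers this user may reach with the key
    revoked: bool = False  # set on compromise or re-generation

    def expires(self) -> datetime:
        return self.issued + timedelta(days=self.valid_days)

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires()


def check_passphrase(passphrase: str, min_len: int = 12) -> list:
    """Return the policy rules the passphrase violates (empty list = accepted)."""
    checks = [
        (len(passphrase) >= min_len, f"at least {min_len} characters"),
        (re.search(r"[a-z]", passphrase), "a lower-case letter"),
        (re.search(r"[A-Z]", passphrase), "an upper-case letter"),
        (re.search(r"[0-9]", passphrase), "a digit"),
    ]
    return [rule for ok, rule in checks if not ok]


def render_authorized_keys(registry, host: str, now: datetime) -> list:
    """Lines the end server `host` should hold right now.

    Expired or revoked keys are simply not emitted, so the next
    synchronization withdraws them from the server.
    """
    lines = []
    for k in sorted(registry, key=lambda k: (k.user, k.key_blob)):
        if host in k.hosts and k.is_active(now):
            lines.append(f"{k.key_type} {k.key_blob} {k.user}@kdm")
    return lines


def plan_sync(current_text: str, desired: list) -> dict:
    """Compare the authorized_keys text found on a server with the desired
    state; any line present on the server but absent from the registry is
    a stale or unauthorized key and is scheduled for removal."""
    present = set()
    for raw in current_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            present.add(line)
    wanted = set(desired)
    return {"add": sorted(wanted - present), "remove": sorted(present - wanted)}


# Constructed sample registry and a constructed authorized_keys file
# as it might currently sit on the end server "web1".
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
REGISTRY = [
    RegisteredKey("alice", "ssh-rsa", "CONSTRUCTED_BLOB_ALICE",
                  NOW - timedelta(days=30), 365, frozenset({"web1", "db1"})),
    RegisteredKey("bob", "ssh-rsa", "CONSTRUCTED_BLOB_BOB",
                  NOW - timedelta(days=400), 365, frozenset({"web1"})),  # expired
    RegisteredKey("carol", "ssh-rsa", "CONSTRUCTED_BLOB_CAROL",
                  NOW - timedelta(days=5), 365, frozenset({"web1"}), revoked=True),
    RegisteredKey("dave", "ssh-rsa", "CONSTRUCTED_BLOB_DAVE",
                  NOW - timedelta(days=1), 90, frozenset({"db1"})),
]
CURRENT_WEB1 = """# managed centrally (constructed sample)
ssh-rsa CONSTRUCTED_BLOB_BOB bob@kdm
ssh-rsa CONSTRUCTED_BLOB_ALICE alice@kdm
"""

if __name__ == "__main__":
    print("policy violations for 'short':", check_passphrase("short"))
    desired = render_authorized_keys(REGISTRY, "web1", NOW)
    print("desired web1 lines:", desired)
    print("sync plan for web1:", plan_sync(CURRENT_WEB1, desired))
```

Running the module shows bob's expired key scheduled for removal from web1 while alice's key is kept and carol's revoked key never appears; the same registry rendered for db1 yields alice and dave. A real deployment would write the rendered lines to the server and restrict who may modify the authorized_keys file, which is what the periodic check of end‑server settings is for.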

Benefits of deployment of KDM

  • Reduction of the cost of user key management in Linux/UNIX operating systems
  • Reduction of costs of authentication resources management – public keys
  • Faster work for users who access servers using SSH or SCP
  • Control over generation of access keys and enforcement of passphrase strength
  • Enhanced security using central key registration with the option of prompt expiry of the key in the event that it is compromised
  • Account management based on authority information from a single source
  • Combination of account management and key distribution into a single process and interface
  • Active registration of accounts at a single location

Comparison of KDM and Kerberos

The Kerberos protocol represents an alternative method of SSO authentication to Linux/UNIX servers. To a large extent the KDM and Kerberos technologies are similar, as both are based on the distribution of private keys or, respectively, Kerberos tickets from a central authority. The most popular Kerberos server is Microsoft Active Directory; however, there are also open‑source products.

© Copyright 1998-2011 AMI Praha a.s., powered by AMIGO CMS