Crowd track ssh public keys across applications

Problem Definition

Crowd should track ssh public keys and relevant meta data for all Atlassian products. Many organizations consider SSH Key Sprawl Poses Security & Operational Risks. This requires admin to Discover all SSH Keys and Bring Under Active Management. Atlassian applications have many locations where the SSH keys can be created and stored. It also can create a situation where SSH keys can be reused, that is used improperly.

Suggested Solution

Bitbucket, Bamboo, and Fisheye all create ssh keys and track public keys. Embedded Crowd should track the SSH public key and relevant metadata, like creation time and usage. Then sync this data back to Crowd. This would assist admin in many of the SSH keys best practices, like discovery.  This would also allow Crowd to possibly integrate with SSH key managers and ldap.

Bamboo creates keys or stores keys for:

• Shared Credentials have public and private ssh keys.
• Builds can store private keys.
• SSH task can have have public and private keys
• Linked repositories can have have public and private keys

Bitbucket Tracks and creates keys:

• Public keys associated with users to connect to the ssh server.
• Private key to run as SSH server for git connections. Bitbucket hosts a internal SSH server.
• Public keys for Automated Systems to connect to Bitbucket per repository.

Fisheye Tracks and Creates keys:

• For Mercurial and Git repositories, Fisheye supports Generating a key pair and Uploading a key pair.

The private key should stay in place on each app.

Workaround

Currently SSH keys need to be tracked per application.