Keyper system

Table of ContentsGeneralWhat is Keyper?Why Keyper?Why Certificate-based authenticationWhy should one use Keyper for certificate-based authenticationIs Keyper opensource?Where can I get Keyper?I have a question/suggestion/need to report a bug. How can I contact you?Where is the documentation?Do you have a Demo/Sandbox for Keyper?I have a question that is not answered.How can I help?TechnicalWhat is under the hood?What version of SSH Keyper supports?What is Podman?How to persist OpenLDAP data on restart?What is the purpose of a hostname as a parameter?I want to connect to Keyper on a different terminal to see its inside?What environment variables can I set?How can I see Debug messages for the REST API?Where is the auditlog for OpenLDAP locatedHow can I backup Keyper?How do I use a real X.509 SSL certificate with Keyper?What is SSH Key Revocation List (KRL)?How can I access the KRL File?GeneralWhat is Keyper?Keyper is an SSH Key and Certificate-Based Authentication ManagerWhy Keyper?We, as system administrators and developers, regularly use OpenSSH’s public key authentication (aka password-less login) on Linux servers or Certificate-based authentication (more secure). The mechanism works based on public-key cryptography. One adds his/her RSA/DSA key to the authorized_keys file on the server. The user with the corresponding private key can login without a password. It works great until the number of servers starts to grow. It becomes a pain to manage the authorized_keys file on all the servers. Account revocation becomes a pain as well. Keyper aims to centralize all such SSH Public Keys within an organization. With Keyper, one can force key rotation, easily revoke keys, and centrally lock accounts.Why Certificate-based authenticationSSH Key-based authentication does a great job. Certificate-based authentication eliminates a few limitations associated with Key-based authentication. When using certificates, both clients and servers use certificates signed by a trusted third party (e.g. Keyper). Certificates take care of long time known issue such as Trust-on-First-Use (TOFU). Instead of X.509 format, SSH uses its own, simpler, certificate format.Why should one use Keyper for certificate-based authenticationThere is one little inconvenience with certificates, and that is a user cannot sign their keys themselves as they do not have access to CA’s private key. A process must be put in place to sign the keys. Once the administrator sets up a user in the Keyper system, s/he can upload keys to be signed by the CA. Keyper system generates the certificate on the fly based on pre-defined rules (like duration of the certificate, and what servers/principals any given user has access to).Is Keyper opensource?Not yet. However, we are working to get it open-sourced under GPLv2 (pending permission from our corporate overlords).Yes! We Opensourced Keyper under GPLv3 license. The source repositories are located atkeyper-docker,keyper, andkeyper-fe.All of the following components of keyper are open-source:keyper frontend (Vue)keyper REST API (Python/Flask)keyper docker image builderAll artifacts related to OpenLDAP schemaThe above stack can also be administered using curl CLI.The web-based administration console for Keyper has not been open-sourced.The above arrangement should satisfy the needs of most of our users as smaller commercial customers can continue to use the web based

MX Key System from $9,850.00 Electronic Key SystemsIn any industry, protecting your assets should be a top priority. For those in need of higher levels of security and accountability, KEYper Systems' offers patented, industry-leading, electronic key management systems. Our custom cabinets are designed to accommodate a range of 68 to 288 keys, and can easily be expanded to manage over 2,000 keys. Systems come standard with integrated web-based software, allowing you to customize access parameters, check the real-time status of keys, and generate reports based on user or key activity. Know who took what key, when, and why!Why KEYper MX?Security: Only authorized users are able to access the electronic key management system. Customizable user access groups allow for tighter control of higher security keys. An unauthorized key removal triggers a permanent log entry, as well as an email notification.Convenience: Quick, easy-to-use web based software shows what keys are in, what keys are out, and to whom they are issued. Upon checkout, the appropriate key is indicated on the panel by flashing LEDs. In addition, the KEYper® system allows you to return any key to any location in the cabinet, and then learns the key’s new location.Productivity: No more searching for, or replacing lost keys! Always know who took which key, when.Reports: Electronic key management system reports can be generated and used to track business.Accountability: Complete audit trail and reporting, by user and key activity. User accountability reduces lost keys. Fewer lost keys leads to lower expenses and improved security.What’s New with KEYper MX?More Compact DesignIncreased CapacityBuilt in Speaker for Audible Alarms and Voice Prompts to Guide UsersMore Energy Efficient Size: 32 64 96 128 160 192 224 256 288

Admin console bundled with a docker image up to 20 servers. After which they have the option to purchase a license.Commercial Customers can purchase license to receive support.Where can I get Keyper?Keyper can be downloaded from the dockerregistry either using docker or podman.Thanks in advance. We love suggestions/bug reports. Please drop us a line at [email protected] is the documentation?All documentation is locatedhereDo you have a Demo/Sandbox for Keyper?Yes, we do. We have a demo system running on plus four containers running SSH for testing. Here are credentials to access the web console:User IDPasswordalicekeyperbobkeypercarolkeypererinkeyperfrankkeypergracekeyperBesides, you can test the following containers running SSH using the above user ids after you add your SSH public key to the web-console:ServerSSH Portmavrix2.dbsentry.com2022mavrix3.dbsentry.com3022mavrix4.dbsentry.com4022mavrix5.dbsentry.com5022So, if you want to access server mavrix4.dbsentry.com as user frank, you need to add your SSH public key (typically ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub) to user frank and then connect using ssh:$ ssh -l frank -p 4022 mavrix4.dbsentry.comAny issues, drop us a line at [email protected] demo system is limited and only allows you to upload/delete SSH public keys (Keyper User Role). You do not have admin access to add/modify users/hosts/groups (Keyper Admin Role). To see admin features in action, we suggest that you download and run the docker image either using docker or podman on your Linux system.You are sharing these demo systems with others. Please be respectful of others. We delete all uploaded keys every night.I have a question that is not answered.Send your question to [email protected], and we’ll try to address it. You can also hang out with us onDiscordHow can I help?Thanks in advance. We can use your help in frontend development (Vue), backend development (Python/Flask), or documentation maintenance. Please drop us a line at [email protected] and we’ll hook you up.TechnicalWhat is under the hood?Keyper is a Docker container, which can also be run using podman. The stack includes:Alpine LinuxOpenLDAP acting as a directory that stores all users, SSH Public Keys, and rulesPython Flask REST APIVueJS frontend app running on NginxAll the above services are managed using runitWhat version of SSH Keyper supports?Any Linux server running OpenSSH 6.8 or newer should be fine. An SSH server that supports AuthorizedKeysCommand is needed.What is Podman?Per podman project’s website: “Podman is a daemonless, open-source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) Containers and Container Images. Podman provides a command-line interface (CLI) familiar to anyone who has used the Docker Container Engine. Most users can simply alias Docker to Podman (alias docker=podman) without any problems.”The best thing we liked about podman is that one need not be root to run a container. It comes bundled with RHEL (or any RHEL based distro) by default. If you do not have it install it using yum:# yum install podmanHow to persist OpenLDAP data on restart?By default, Keyper creates OpenLDAP database within container under /var/lib/openldap/openldap-data and /etc/openldap/slapd.d. For data to persist after a restart, we need to present local docker volumes as a parameter. Something

Systems is a privately-held, veteran-owned company with corporate facilities near Charlotte, North Carolina that has offered key management solutions for more than 25 years. Our Corporate Philosophy, fundamental to the values held by our founder, Mr. Bob Conder, directs us to offer a quality product at a fair price.Our electronic key management systems are the most advanced and affordable products on the market. KEYpers run on the current Windows 7 operating system, so you won't have to worry about upgrading equipment and software to accommodate the current industry standard soon after making such an important investment.KEYpers employ advanced technology to control access to the keys throughout your multifamily community. The built-in camera and biometric fingerprint reader produce a fail-safe audit trail of who touches what key, when and why the second the microchipped key fob is removed. You can set key quantity limits, restrict access to specific keys and set a time duration for the removed key. A KEYper will even send managers an instant text message alert should an employee mishandle a key.For more information, please visit our website at www.keypersystems.com or feel free to contact me directly (214/287.8111 or [email protected]) concerning your key management needs.Please consider KEYper Systems for your key management. There's no better, more affordable way to demonstrate the due diligence so vital to your property and its owners. Don't trust your reputation and investment to outdated technology or honor-based key management systems! Go with KEYper!Thank you. Roni Pick 10 years 1 month ago #14757 by Roni Pick Hi All,KeyLink is the Key Security System that was created by BuildingLink. www.keylinkusa.comYou need to be a BuildingLink customer in order to have KeyLink but the benefits will be apparent right away.KeyLink is an anonymous Key Security System that is web-based, competitively priced and whose software is updated frequently. www.keylinkusa.comBuildingLink is a web-based system that will help you to manage your property with greater efficiency and more cost effectively.With BuildingLink your Residents and Management sign into their own dashboards and/or download the BuildingLink free app to their SmartPhones in order to communicate with each other for:1. Package Tracking with automatic notifications to residents2. Maintenance Work Order management with automatic notifications to residents as work is performed on their requests3. Online Document Libraries4. Amenity Reservations on line and from the BuildingLink SmartPhone app5. NeighborNet6. Bulletin Boards7. Front Desk Instructions8. Parking management9. Pet Park10. Robust email communication with the

Like this:$ docker volume create slapd.d$ docker volume create openldap-data$ docker run -p 80:80 -p 443:443 -p 389:389 -p 636:636 --hostname --mount source=slapd.d,target=/etc/openldap/slapd.d --mount source=openldap-data,target=/var/lib/openldap/openldap-data -it dbsentry/keyperFor more information about docker data volume, please refer to: is the purpose of a hostname as a parameter?Keyper uses this hostname to generate a self-signed certificate. OpenLDAP and Nginx use this certificate for secure communication. Also, this hostname gets embedded in the auth.sh script, which you need to download and deploy on each Linux server.I want to connect to Keyper on a different terminal to see its inside?Great. First find the container id of the running container, and then use docker exec to connect. Something like this:$ docker psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES25b2869f1a71 dbsentry/keyper "/container/tools/run" 21 hours ago Up 21 hours 0.0.0.0:8080->80/tcp, 0.0.0.0:2389->389/tcp, 0.0.0.0:8443->443/tcp, 0.0.0.0:2636->636/tcp peaceful_lewin66d33bbdd32c jenkinsci/blueocean "/sbin/tini -- /usr/…" 13 days ago Up 13 days 0.0.0.0:50000->50000/tcp, 0.0.0.0:8000->8080/tcp jenkins-blueocean$ docker exec -it 25b2869f1a71 /bin/sh/ # lsbin dev home media opt root sbin sys usrcontainer etc lib mnt proc run srv tmp var/ # What environment variables can I set?Following environment variables can be set while starting the container:Environment VariableDescriptionDefaultLDAP_PORTldap bind port389LDAPS_PORTldaps bind port636LDAP_ORGANIZATION_NAMEName of the OrganizationExample Inc.LDAP_DOMAINLDAP Domainkeyper.example.orgLDAP_LDAP_ADMIN_PASSWORDAdmin password on LDAPsuperdupersecretLDAP_TLS_CA_CRT_FILENAMECA Cert File Nameca.crtLDAP_TLS_CRT_FILENAMECert File Nameserver.crtLDAP_TLS_KEY_FILENAMECert Key File Nameserver.keyLDAP_TLS_DH_PARAM_FILENAMEDH Param File Namedhparam.pemLDAP_TLS_CIPHER_SUITEDefault Cipher SuiteTLSv1.2:HIGH:!aNULL:!eNULLFLASK_CONFIGFlask Config (dev/prod)prodHOSTNAMEHostname{docker generated}NGINX_UIDlinux nginx user uid10080NGINX_UIDlinux nginx user uid10080SSH_CA_HOST_KEYCA Host Keyca_host_keySSH_CA_USER_KEYCA USER Keyca_user_keyHow can I see Debug messages for the REST API?Running a container with FLASK_CONFIG=dev would force Flask REST API to run in debug mode.Where is the auditlog for OpenLDAP located/var/log/openldap/auditlog.ldif. It may be a better idea to create docker volume for /var/log and mount it in the container to persist logsHow can I backup Keyper?As far as you have a backup for the OpenLDAP database, you are good to go. For the rest, as far as you specify the same CLI params, things should work fine.How do I use a real X.509 SSL certificate with Keyper?OpenLDAP and Nginx require the X.509 certificate. You can set custom certificate at run time by mounting a directory containing those files to /container/service/nginx/assets/certs and adjust their name per the environment variables defined above.What is SSH Key Revocation List (KRL)?A Key Revocation List (KRL) is a list identifying the revoked Keys and Certificates. In Keyper, a Key or Certificate once deleted, gets added to the KRL. Both Key-based and Certificate-based SSH authentication on Keyper uses KRL verification as the first step during authentication and prevents the use of revoked Keys/Certificates.How can I access the KRL File?The KRL file is located on the running container under /etc/sshca/ca_krl. It can also be downloaded using API call

#11220 by Sherri Donovan Topic Author 11 years 7 months ago - 11 years 7 months ago #11204 by Mark Juleen What are you doing to manage keys at your communities?Editor Note: This message was merged from a similar thread about key control systems. 11 years 7 months ago - 11 years 7 months ago #11204 by Mark Juleen Henry 11 years 7 months ago #12080 by Henry It sounds like KeyTrak and HandyTrac are the two I should focus on. Ian do you remember how much licensing fees were for KeyTrak versus what you are paying for HandyTrac? 11 years 7 months ago #12080 by Henry 11 years 7 months ago #12081 by Ian Mattingly It was roughly twice as much monthly, but it varies depending on how many drawers you need, whether it's a phone connection or Ethernet, etc. I hope that helps. Anonymous 11 years 7 months ago #12110 by Anonymous I really like KeyTrak but haven't used HandyTrac so can't make comparison. 11 years 7 months ago #12110 by Anonymous AJ Posts: 10 Thank you received: 2 11 years 7 months ago #12119 by AJ I love the Schlage key fobs. I would hate to go back to real keys! 11 years 7 months ago #12119 by AJ 11 years 7 months ago #12148 by Charles Harkness Morse-Watchman is our favorite key management system and we've tried the other two major players. Anonymous 10 years 10 months ago #13742 by Anonymous I saw this post from a few months ago.... I'm wondering if in general there is a size of building above which it is more likely to have an electronic key management system. For example: above 150 units is more likely than below 150 units. Or is building size irrelevant to the decision to make that investment?Thanks for any insights! 10 years 10 months ago #13742 by Anonymous 10 years 9 months ago #13970 by John Keiser Greetings!I usually don't comment/re-open older threads, as some topics can lose their relevance over time. It seems many of you were unfamiliar with KEYper when this thread started ten months ago, so allow me the opportunity to tell you a little bit about me and KEYper Systems.I represent KEYper Systems ( www.keypersystems.com), and we manufacture electronic and mechanical key management solutions for multifamily property management applications and for a variety of other industries including government, military, and automotive.KEYper