Skip to main content

Secure Shell (SSHD Host)

Connector name

agtssh

Connector type

Executable with script

Type (UI field value)

SSHD Host target system

Target system versions supported / tested

Systems that are accessed using SSH (Secure Shell). The SSH protocol is available on most Unix systems; however, the connector is not limited to Unix – any SSH-enabled system can be targeted as long as the passwords can be managed from the command line. Both SSH1 and SSH2 protocols are supported.

Connector status / support

Customer-Verified

Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system.

Installation / setup

For Bravura Security Fabric to be able to successfully execute a particular operation on a specific SSH-enabled system, the operation must be defined in a PSLang script that is used by agtssh when communicating with the SSH-enabled system.

Using the connector for Secure Shell (agtssh) is more secure than using Telnet; it connects to the sshd service (usually on port 22) and uses strong encryption as opposed to telnetd which uses none. And unlike the Unix Listener, agtssh does not require any Bravura Security software to be installed on the target system.

The following Bravura Security Fabric operations are supported by the connector for Secure Shell (agtssh):

  • user verify password

  • get server information

  • user change password

  • administrator reset password

  • administrator reset+expire password

  • expire password

  • unexpire password

  • administrator verify password

  • verify+reset password

  • enable account

  • disable account

  • check account enabled

  • lock account

  • unlock account

  • check account lock

  • expire account

  • check account expiry

  • unexpire account

  • create account

  • delete account

  • add user to group

  • delete user from group

  • add group to group

  • remove group from group

  • create group

  • delete group

  • move contexts

  • rename account

  • update attributes

  • run command

  • list account attributes

  • List:

    • accounts

    • attributes

    • groups

    • groups SID

    • members

    • computer objects

    • service accounts

    • members of built-in administrators group

    Note

    The SSH target script supports listing workstations, servers, and accounts (admin, IIS, DCOM, Com+, SCM, TASK). See the Win32 Console Script chapter, Listing computer objects and Listing iis, dcom, com+, scm, task, and custom accounts to learn how to write scripts for these operations.

For a full list and explanation of each connector operation, see Connector operations.

Preparation

Before Bravura Security Fabric can perform operations on an SSH target, you must:

  • Configure a target system administrator

  • Write a PSLang script

You may also need to create manual lock files when targeting SSH systems that are slow to respond, or in case of issues with requests containing multiple operations, where only one operation is failing.

Configuring a target system administrator

Bravura Security Fabric requires a designated account (for example, psadmin) on the SSH-enabled target system in order to perform operations.

You must ensure that the designated account can log into the SSH-enabled system from the Bravura Security Fabric server, and that the account has the necessary privileges to set passwords and manage accounts.

Ensure that you note the account’s login ID and password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric .

Writing a script

The connector for Secure Shell (agtssh) supports all Bravura Security Fabric account management operations. These operations are implemented using a PSLANG script, which provides the details necessary for agtssh to interact with the SSH-enabled target system. You can write custom scripts which must be added in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\. Official, shipped scripts are included in the agent directory, and use a scripted platform definition file (.con) to call one of the binary agents. The official scripts are designed to work "out of the box", but can be modified to suit your requirements.

See more information about writing a PSLang script or modifying a sample script.

The agtssh-simple.psl sample file is intended to be used as a starting point to build a customized connector.

The sample script’s default shell is bash. You can change this by modifying the credentialoverride function in the script.

If you cannot find the sample file, try re-running setup to modify your installation. Sample files are automatically installed with complete (typical) installations. You can select them in custom installations.

Caution

Any sample script should be modified to fit your environment and prevent security exploits.

Targeting an SSH-enabled system

For each system, add a target (Manage the system >Resources >Target systems):

  • Type is SSHD Host target system .

  • Address uses options described in the table below.

  • Set the administrator ID and Password to the login ID and password for the target system administrator you configured in Configuring a target system administrator .

    Table 1. SSHD Host target address configuration

    Option

    Description

    Options marked with a redstar.png are required.

    Script file redstar.png

    Must be set to the name of the file described in Writing a script .

    (key: script)

    Server redstar.png

    The IP address/domain name of the server

    (key: server)

    Advanced

    Port

    TCP Port number. Default is 22.

    (key: port)

    Compression

    Select to enable data compression for SSH connections. Default is false.

    (key: compression)

    Action for host keys

    Select AllowAppend (default) or DenyUnmatch. For new targets, AllowAppend is recommended.

    • AllowAppend connects to SSH hosts whose public host keys have been previously recorded and have not been changed, and to SSH hosts whose keys have not been previously recorded. It will reject SSH hosts whose keys were previously recorded but have changed.

    • DenyUnmatch only connects to SSH hosts whose public host keys have been previously recorded and have not been changed. It will reject SSH hosts whose keys have not been previously recorded or were previously recorded but have changed.

      (key: hostkeys)

    Host keys file

    Specify the name of the public host key file. It must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ script\ directory. Otherwise host keys are stored in the registry. It is recommended to keep this option unspecified.

    The file consists of a KVGroup with an entry that contains the host information as the key and the hostkey as the value. This information can be extracted from the PuTTY registry entries (HKEY_CURRENT_USER \Software\SimonTatham\PuTTY\SshHostKeys) where "Name" corresponds to the key and "Data" corresponds to the value.

    (key: file)

    Authentication key file

    Specify the file containing the client key to authenticate to the server if public key authentication is desired or required. It must be located in the <instancedir> directory.

    The SSH connector supports key files in the following formats:

    • The KVG or PuTTY format used by the sshkeygen utility and sshkeyconvert utility.

    • The private key format used by OpenSSH (a client and server suite, mostly encountered on UNIX systems)

    • The key file format used by PuTTY (a popular graphical SSH client for Windows, also available on UNIX)

      In order to connect to an SSH server using public key authentication, the public key given by an SSH key generator (like the supplied sshkeygen ), inside the KVG output under PublicKey, or the OpenSSH ssh-keygen in the id_*sa.pub file) needs to be installed on the SSH server for the account to be targeted.

      (key: authkey)

    Timeout for connection

    Amount of time the connector will wait for a response.

    (key: timeout)

    Other settings

    Enter additional data to be passed into the script, in KVGroup format; for example {hostname=SSHHOST;} .



The SSH target system address syntax is entered as:

{[script=<ScriptFileName>;]server=<server>;[port=<port>;][compression=<true|false>;][hostKeys=<DenyUnmatch|AllowAppend>;][file=<FilePath>;][authkey=<AuthKeyPath>;]} 

Note

You can extend the address wizard by adding address line elements using the addressattrs function, as explained in PSLang Scripts for agtdos, agttelnet, and agtssh. This is useful when creating a scripted target system with a scripted platform definition file.

Creating a template account

Consult the documentation included with your specific application to learn how to create an account to use as a template in Bravura Identity . You can then add account attributes to determine how new accounts should be created based on the template account’s parameters.

Bravura Security Fabric still requires a template account, even though attributes may or may not be copied from the template account, for example, if the configured action for all account attributes is Set.

Creating account attributes

The attributes that define accounts are unique to specific applications; you must therefore create your own set of account attributes. You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using in the Manage the system (PSA) module account attributes menu. See Account attributes for more information.

Managing groups

If group management functions are supported by your application, you can configure Bravura Security Fabric’s workflow engine to manage group membership on your targets. You can also map profile attributes to group attributes on the target so that users can select groups when making a request; however, this method is currently incompatible with group management through Bravura Security Fabric ’s workflow configuration. Changes made in one method are not updated in the other.

For more information about account attributes and managed groups, see Groups.

Managing keys

When managing SSH keys for authentication keys and host keys for SSH targets, use the appropriate programs (sshkeygen for user keys and sshhostkey for host keys). Ensure that SSH keys are properly stored and managed to maintain security and prevent authentication issues.

For authentication keys, If you do not have a SSH key pair for the Bravura Security Fabric server, you need to manually create one using the sshkeygen program. The public key must be manually copied to the correct location on the target SSH system.

For host keys, the first time that agtssh connects to an SSH target, agtssh stores that target’s public key. On subsequent connections to the same target, agtssh validates the target’s public key against the previously stored value. In the event that a target’s public key has changed, agtssh does not update the stored value, but instead indicates that the value has changed. This behavior is intentional and is used to indicate that there might be a security issue. You must manually remove the old public key using the sshhostkey program and then reconnect to the target; the new value will then be stored. Host file keys are either stored in the registry or in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ script\ directory. Storing host keys in the registry is preferred, but if you do opt to store the host keys in a kvg file using the “Host keys file” option, you should not need to manually modify this file. Rather, see the sshhostkey -f option.

To manage public host keys for SSH targets, use the sshhostkey program. See usage information for sshhostkey .

To manage the public/private authentication keys for SSH targets, use the sshkeygen program. See usage information for sshkeygen .

Keys for users are also either stored in the registry or in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ script\ directory.

The agtssh program does not allow empty administrator passwords for password-based authentication, and it does not allow empty passphrases for public key authentication. Also, agtssh does not fall back on password authentication when using a private key file.

When public key authentication is used, the passphrase has to be provided. You must enter it in the target system’s administrator ID password field. If public key authentication is unavailable, agtssh will automatically use that field as the password for a target that does not recognize your public key or passphrase.

sshhostkey

The sshhostkey program is used to manage host keys in the Windows registry or a KVGroup-based database.

This program is installed with Connector Pack . It may be located in the util directory under either the Connector Pack\global\ directory or the IDM Suite\<instance> directory.

Usage
sshhostkey print|delete|verify|update -s <Server>:<Port> [-v] [-f <filename>] [--instance <instance>]

The arguments are described in the following table:

Argument

Description

print

Prints the public key for the specified <server>:<port> or for the servers specified by the server pattern.

delete

Deletes the public key for the specified <server>:<port> or for the servers specified by the server pattern.

verify

Verifies the public key for the specified <server>:<port>.

update

Updates the public key for the specified <server>:<port>, if it doesn’t match the stored key.

-s <server>:<port>

The DNS name or IP address of the target system. You can use a regular expression to match more than one server.

-l

Displays verbose messaging for verify and update arguments.

-f <filename>

Uses the host key KVG file, or the registry if a file isn’t specified.

--instance <instance>

The name of the Bravura Security Fabric instance on which to run this utility to get log information. If not specified, the program looks for the default instance.

It is recommended that you perform a print before using delete with extended regular expression patterns.

Examples

  1. To print the public keys stored in the registry, type:

    sshhostkey print

  2. To connect to an SSH target and verify whether the locally stored public key is correct, type:

    sshhostkey verify <server>:<port>

sshkeygen

The sshkeygen program is used to generate SSH public/private keys. The key pairs can be created in KVGroup or PuTTY format, and can be either saved to a file or sent to stdout.

Requirements

To enable logging for this program, you must add a system environment variable, IDM_SUITE_INSTANCE, to define the instance to log; for example: IDM_SUITE_INSTANCE = default. See your operating system documentation to learn how to do this. The program will be logged in:

Bravura Security\Bravura Security Fabric\Logs\<instance name>\idmsuite.log

Usage
sshkeygen [options]

The arguments are described in the following table:

Argument

Description

-b <bits>

The length of the key in bits. If omitted, the default values will be used:

  • 2048 for rsa, dsa and sshv1

  • 256 for ed25519

-c <comment>

The comment used in the private and public key files.

-f <file name>

The name of the key file. If omitted, the stream is written to stdout.

-t <type>

The key type. The acceptable values are rsa, dsa, ed25519, and sshv1. Default type is rsa.

-r <format>

The key format: putty or kvg. Default format is kvg.

Keys generated by sshkeygen in Connector Pack 4.1.x are compatible with Connector Pack 4.2 and above, while the reverse is not compatible.

Warning

Refrain from using SSHv1 keys for systems that support newer protocols. SSHv1 does not meet current security standards; use only for legacy systems that support nothing else.

Conditions

  • A passphrase must be specified when creating keys.

  • The minimum of 256 bits is required for rsa and dsa key types. sshkeygen will not generate a key otherwise.

  • The acceptable key length for ed25519 is 256 bits. Any other key length will be ignored.

  • A file name must be provided if the key type is sshv1 and key format is putty.

  • Key files will not be created if there is already a file with the same name.

KVGroup format for the key pair

The KVGroup format for the user’s key pair is as follows:

# KVGROUP-V1.0
"" "" = {
    "Comment" = " "
    "Encrypted" = " "
    "KeyFingerprint" = " "
    "KeyType" = " "
    "PrivateKey" = " "
    "PrivateMAC" = " "
    "PublicKey" = " "
}

The KVGroup format for the user’s key pair for SSHv1 is as follows:

# KVGROUP-V1.0
"" "" = {
    "A1-RSA-Signature" = "SSH PRIVATE KEY FILE FORMAT 1.1\n"
    "Comment" = " "
    "KeyFingerprint" = " "
    "RSA-SSH1-Key" = " "
    "authorized_keys" = " "
}
Examples

  1. To use sshkeygen to create a KVGroup format key and write to stdout, type:

    sshkeygen.exe -r kvg

    The output looks like:

    # KVGROUP-V1.0 
"" "" = { 
  "Comment" = "Public/Private Key Generated by sshkeygen at 2021-01-12 15:44:42 (UTC-07:00)" 
  "Encrypted" = "yes" 
  "KeyFingerprint" = "ssh-rsa 2048 45:2e:38:a4:99:50:ad:10:61:8a:33:da:df:c4:32:e0" 
  "KeyType" = "ssh-rsa" 
  "PrivateKey" = "Vc52v4mvaqyWer+f2roNluuxCcvpAorvAKcgS/dWpW8Pwzf6twJ1eLhfiQ0QrhfMWZTzM9kMdErEHWH+/av0GEfYqMloli74Au+ihOpn0F+ChIwDU/lSheIwGCcEU/3cyH8bBAGFMX7PUhl58FEoO0K0WtM7ROJjEzyO1WswIIDkM2hSvGINpm6jAlxPZUdUwNkhcFh17odSpUgRFVaKRU03BUxMARxNyA4dTzg50uzSOoEyF1sxDSMQUsiNpvlep4m/87xFTt0+h0cvv9yvFMAaRsegXOUu2oug5aBKMGYgiEvZKH0v0LIFcL3OQfp+1h07c01XlA8Bl4REhBqcIRYd9AN+Hwru5Cn99Gg9ygrxAJ1M2ra2+DG3j+NZeqowgbDax2yphFZgytOmbawnWxxICBB+Yp3eZyCsiT78QGGYB2r12ucpTSV8+dR/zqwhg8M6CM6riptdlGjtID7N7cxlbcTw2Cj8b4UbJ+rEXw1ViiwKcOkuBVZsBNkN9Ei1yQublZwIrdsCrRdeRDC9nXQuK02e0P8ZQdhUZA8wGAEu9FSflka7sLdCZ3wxhJip22KMvbVJFrGv9jyyJzaGXSJ3xY/jaUgES6Tz2CJpQZ483D9tPF60pek3AlOUG9JtjaHUzn3svOVNEIuEq/REffKhBtd3q4URX74Qc+kZC0Raw89v7mW+zDhL+h0IDX+LsZMy1x6IV0uJBj5ottBpSKmC/kRZuCDOIBnfRdXIktP5tldXmoctAhh7h8eZBLCHCCV6CnxuxtaWI3ajWNzSVH/CxWmE57brDf2wmIEEr/qkjQbFMMu7NLOSnrFr89AzmnECB6b36FWi0BK5hGpMAXl8QD25n48qheeqfYL4T88+DjFpe3AKEeNge51gYCrW" 
  "PrivateMAC" = "bd5693d9b9c59064a35a3f70ecf397f5b346e50c" 
  "PublicKey" = "AAAAB3NzaC1yc2EAAAABJQAAAQEAy+2xdnaBaHjxqwSUOo+gtIaX3ztLLoB4lYzs+YrcMP5uP3thjGBTOry3JXL4sV2PCL3Gl5pXH6m5t2YyKywGnTHy0SsPs+XqA+JTREYgWihHBILrb16DmdOUo0G3+pQRcnKgxf0xLzKyM/Yv+Rtq3lt/qo0OxBCIJP2Kpl76lggGe+J8JNhbW530DgFw/soqBUNHJ52sdVscvYQNky+tptTrE5xN/bw/OB9gN2uzKMOjWkcZQ6i3yfbpTwjsT4h1b3WhHvHDeYI0y/rc+CyCPqx076u8d0mPKWudJuXyTBkXktQYrO2A0foo/q30idrCNjxniF7iHpimd/EwO0qHgQ==" 
}

  2. To use sshkeygen to create a PuTTY format key and write to stdout, type:

    sshkeygen.exe -r putty

    The output looks like:

    PuTTY-User-Key-File-2: ssh-rsa 
Encryption: aes256-cbc 
Comment: Public/Private Key Generated by sshkeygen at 2021-01-12 15:56:04 (UTC-07:00) 
Public-Lines: 6 
AAAAB3NzaC1yc2EAAAABJQAAAQEA/XhhGFeZOxU99kV7s43wk4VY9PIeJAHQ+uon 
Gc2KwFU1Ad288I1kdrZDPWDxZTQfv1KZEIaVWvLO7qSjqOO64TrPXa4ZabLc39JO 
OaUZxB2BjDnQG3xsRzjPLphp8G63s1xavSLpVdDBtyT+tJzm+VYgYBW1+CWLMFLS 
RxzpmNrN8P69dJo5cVVcusMLqw7PzlyQt7SdqDzdMJIj8QPv1J3YfZJznnGedTao 
EC4lWp7ve18utjpy1EOXIPPJShcV5f9hLnVyXKVvnhzT5slaXGJtzP/LvSGCmj3s 
D3AL7aHfCDvepVeTvsyseC41xoLrzJbHJk/Il5ksn8vSWLWr8Q== 
Private-Lines: 14 
STmae6fZ2+7T7Ji2I3Zp9/J+oiG/F7qGub3t3oWSZ3rvN3UYjWSVXokiSgFjMmg3 
bubIeNIGCJDG37PbbFpaLPQv66Zc636EdFxUSAGWQU7LMNN8ALKVXui5yDef+kz+ 
gw7pL+VLOtHac27ztVKyIPp0HR+zIS1Z9aObVIeuMLxhFk9iUOlrch1dLX6dbaME 
bBSWFT+a72tOgx+//bbNAhBKcM8W3nDV26Bumr45KZDgsBPiSWxJcffKUcUPwVWh 
Ou94NCrDvqQyYDmLGnuxvVnJPNMibHVrTIguWj3f8UxpWZ03tIkd12URB/b9BQI4 
UOxcXEPayau2u287WwgM1pTb6jvk2fUACu6YdZDcBZYS1IUV3dZyytdIZM/HDd8g 
JPuKt49s2gL9P9dJpmxbO6Jp38Bv3kxsP5KHneauin48soV0A7ACmIg5zONQOFTC 
jDlL6XdHeu9bG7b2BOz9XRGG8k4H98gqOQt6AcwBW4/LwXhHIpObKF6h42o9b2iy 
JnJ2niii5+XmaCGr1O7zEm2G1csQMEAYzRBSYZ4tk7F2qBw6p+JGuOou/NDPo5ec 
G63TfUAQHPzghjS/sYT44lgAcluIiUq6QhQCO30jMcrSkqtgUlVQALiAmezjEv2v 
QgofiXJ15q+Ljo2wFHmCwXJzY7u6iV5qhULsjLCBC7s3akjhJWBCp+kd9be6pAz9 
5QesvZeRH21yPmGuTiGVjShDkCfvzIV+Sa06E6fuJ1K9ER4TvXxtZRnN4Zv569Pp 
vVJXScUW5B67JIb9YwSUEjQAefnxrHiS58mvnU09m6BpXN+UI6LeQNKNTq3yp6Qq 
RzLUTS+oWvnmC2fJz3aasuaShyafSRXxOJ9cRA3iMl5VcwYxWSpbd5byi7/Q/d09 
Private-MAC: f81dd3f7a7e0ce4b22dd5ae279ec7bc02c9a9b3d

  3. To use sshkeygen to create a key file using KVGroup format (test.kvg):

    sshkeygen.exe -r kvg -f "\Program Files\Bravura Security\Bravura Security Fabric\default\script\test.kvg"

Using agtssh with Public/Private Authentication Key Management

When configuring SSH connections, there are two general scenarios. The first involves generating a public/private key pair, then adding the public key to the authorized key file of the target SSH system. The second scenario entails using a pre-existing public/private key pair, typically in PEM/PPK format, such as when authenticating to an AWS UNIX instance.

To facilitate these processes,

Bravura Security Fabric provides two utilities, located in the utils directory, to facilitate this process:

Generate a public/private key pair

This scenario is suitable when creating a key pair from a self-signed certificate not certified by a CA signing authority.

  1. Use sshkeygen to create an encrypted public/private key file:

    sshkeygen -p mypass > user_ppk.kvg

    The resulting user_ppk.kvg file contains details such as the key type, encryption status, and creation timestamp.

  2. Add the public key to the user's authorized_keys file; for exampe:

    cat ~/.ssh/authorized_keys

    After logging in the user, append "KeyType" [space] "PublickKey" into ~/.ssh/authorized_keys. It should look like:

    rsa AAAAB3NzaC1yc2EAVAABJQAAAIEAqJQh1F6dyZcrUNWmvRtcuItLXsTDZqBjuw9vRMS2/9oalMEiKSu1T/ZlHdoQSxRDL8Utz+n5s08Xx/oYp/BbP\
te6vnbo0muL94aw0rf//jyWLsztVsXsiH+GbNXARt2H/v/ZYH0Bt1US3bXt5C2mV/I30nplDbdhEm1n6HtDSNU=

  3. Configure agtssh to use the public/private key for authentication. Change the target address line to add the authkey option to user_ppk.kvg and copy the file into the script folder.

    For public key authentication, the adminid is used to decrypt the authentication key file and systempw isused to authenticate for sudo (if sudo is set in privileged escalation mode).

Convert a PEM/PPK to KVG Format Authentication Key

This scenario is appropriate when importing a key pair from a signed certificate certified by a CA signing authority.

  1. Conversion of an encrypted PPK requires a password, whereas an unencrypted PEM file does not:

    sshkeyconvert.exe -i user_ppk.pem -o user_ppk.kvg -p mypass

  2. Configure agtssh to use the public/private key for authentication. Change the target address line to add the authkey option to user_ppk.kvg and copy the file into the script folder.

    For public key authentication, the adminid is used to decrypt the authentication key file and systempw is used to authenticate for sudo (if sudo is set in privileged escalation mode).

See usage information for sshkeyconvert .

Common error

Unable to find or validate private SSH authentication key [<path>] - [fall through/unknown key type.]. Falling back to username+password login.

Indicates that the format of the authentication key provides is unrecognized. It's important to understand that agtssh does not take PEM/PPK format keys. They need to be converted into the kvg format.

sshkeyconvert

The sshkeyconvert program is used to convert SSH public/private keys. The key pairs can be converted into KVGroup or PuTTY format, and can be either saved to a file or sent to stdout.

Keys generated by sshkeyconvert or PuTTY’s puttygen utility are supported by this program.

Usage
sshkeyconvert [options]

The arguments are described in the following table:

Argument

Description

-i <filename>

The name of the key file to convert.

-o <filename>

The name of the key output file. If omitted, the stream is written to stdout, with the exception of SSHv1 KVGroup format keys.

Conditions

  • A passphrase must be specified when converting keys. Keys will not be converted if the wrong passphase is given.

  • A key output file must be provided if the key input file format is SSHv1 and the key format is KVGroup.

  • Keys not generated from a recent PuTTY version (ie. older than v0.72) cannot be converted by this program.

Examples

  1. To use sshkeyconvert to to convert a KVGroup format key file (non-SSHv1) called testkvg.kvg into PuTTY format and write to stdout, type:

    sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testkvg.kvg"

  2. To use sshkeyconvert to to convert a PuTTY format key file (non-SSHv1) called testputty.ppk into KVGroup format and write to stdout, type:

    sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testputty.ppk"

  3. To use sshkeyconvert to convert a KVGroup format key file called testkvg.kvg into a PuTTY format key file called kvg2ppk.ppk, type:

    sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testkvg.kvg" -o "\Program Files\Bravura Security\Bravura Security Fabric\default\script\kvg2ppk.ppk"

  4. To use sshkeyconvert to convert a PuTTY format key file called testputty.ppk into a KVGroup format key file called ppk2kvg.kvg, type:

    sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testputty.ppk" -o "\Program Files\Bravura Security\Bravura Security Fabric\default\script\ppk2kvg.kvg"
In this section: