Create an SSH Service to Access a Device

An SSH Service invokes a local third-party SSH application on a client to connect to a device. The target device does not have to host the SSH application; instead, the application must reside on the user's client computer. This feature extends access control to any native SSH client, including session recording, socket filtering, command filtering, and automatic connection with the target account.
When a native SSH client service policy is configured for session recording, select the Bidirectional checkbox for the recording to work.
  1. Select Services, Manage TCP/UDP Services.
  2. Select Add for a new TCP/UDP service.
    • Service Name: Enter a name for the portal.
    • Local IP: Enter a valid local loopback address.
    • Ports: Enter 22 (for SSH) and a local port mapping or an asterisk. For example: 22:12345 or 22:*
    • Select the Enable checkbox.
    • Select Show in Column to show the service as a button on the Access page. Otherwise, Services appear in a drop-down list, which is more compact.
    • For Application Protocol, select the SSH option from the drop-down list.
  3. Optionally, select SFTP or SCP. For more information, see Enable File Transfer in the next section.
  4. Optionally, select X11. For more information, see X11 Forwarding and Command Execution.
  5. Optionally, select Public Key Authentication. For more information, see Enable Public Key Authentication.
  6. For Client Application, enter the path if you want to invoke the client automatically.
  7. The Client Application path that you specify here is launched when the enabled SSH service is accessed.
    Windows syntax:
    C:\[path]\[clientApp].exe [options] <User> <Local IP> <First Port>
    For PuTTY:
    "C:\Program Files\PuTTY\putty.exe" -ssh -l <User> <Local IP> <First Port>
    Linux syntax:
    /usr/bin/putty -ssh -l <User> -P <First Port> <Local IP>
    Use these literal strings as variables that Privileged Access Manager substitutes:
    • <Local IP> is replaced with the IP address in the Local IP field. Do not repeat the local IP here.
    • <First Port> is replaced with the first local port (after the colon) that is defined in Ports. Do not repeat the first port here.
    • <User> is replaced with the account name that is used in the access method. Do not repeat the account name here.
    • <Second Port> is replaced with the second local port (if any) that is defined in Ports. Do not repeat the second port here.
    • <Device Name> is replaced with the Name of the Device. Some application connection arguments can use this variable. For example, in WinSCP, "/sessionname=<Device Name>" displays the device name instead of the IP address in the application title bar.
    • Privileged Access Manager automatically inserts the password, so there is no need to provide it.
  8. Select OK.
  9. Create a Device that corresponds to the SSH target you want to connect to.
    1. In Devices, Manage Devices, create a Device with the target IP address (do not use an FQDN) in the Address field.
    2. On the Services tab, use the controls to move the service that you created from the Available Services to the Selected Services.
    3. Select OK.
  10. Create a Target Application using the target device as Host Name. See Add Target Applications for more information.
  11. Create a Target Account using the target application as Application Name. The Account Name is substituted for <User> and the Password for <Password>. See Add Target Accounts for more information.
  12. Create a Policy linking the Target Device to a User or Group.
    1. On the Services tab, select the Service that you created.
    2. In the Target Account column, use the Edit magnifying glass icon to select the Account.
    The SSH Service appears on the Access page for the selected User or Group.
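The Ports format from step 2 and the substitution rules from step 7, as an added example that is not Privileged Access Manager's own code: a small Python checker that parses the Ports field, lints a Client Application command line against the "do not repeat" rules, and expands the placeholders the way the page describes. The loopback check, the port-range check and leaving <First Port> unresolved for a wildcard mapping are this example's assumptions, not documented PAM behaviour.

```python
import ipaddress
import re

# Literal variable strings that Privileged Access Manager substitutes at launch (from the page).
PLACEHOLDERS = ("<User>", "<Local IP>", "<First Port>", "<Second Port>", "<Device Name>")
# The page's PuTTY command line, used here as sample input.
PUTTY_TEMPLATE = r'"C:\Program Files\PuTTY\putty.exe" -ssh -l <User> <Local IP> <First Port>'


def parse_ports(ports_field):
    """Parse the Ports field ('22:12345' or '22:*') into (target_port, local_port); None = '*'."""
    m = re.fullmatch(r"(\d{1,5}):(\d{1,5}|\*)", ports_field.strip())
    if not m:
        raise ValueError(f"Ports must look like 22:12345 or 22:*, got {ports_field!r}")
    target = int(m.group(1))
    local = None if m.group(2) == "*" else int(m.group(2))
    if any(p is not None and not 1 <= p <= 65535 for p in (target, local)):  # assumption
        raise ValueError(f"port out of range in {ports_field!r}")
    return target, local


def lint_template(template, local_ip, first_port, user):
    """Review a Client Application command line against this page's rules; [] means clean."""
    findings = []
    try:  # the page asks for a local loopback address in the Local IP field
        if not ipaddress.ip_address(local_ip).is_loopback:
            findings.append("Local IP must be a local loopback address")
    except ValueError:
        findings.append(f"Local IP {local_ip!r} is not an IP address")
    for tag in re.findall(r"<[^<>]+>", template):
        if tag not in PLACEHOLDERS:
            findings.append(f"unknown variable {tag}")
    if "<Local IP>" not in template or "<First Port>" not in template:
        findings.append("template should use <Local IP> and <First Port>")
    # The page says not to repeat the local IP, first port or account name literally.
    if local_ip in template:
        findings.append("local IP repeated literally; use <Local IP>")
    if first_port is not None and re.search(rf"\b{first_port}\b", template):
        findings.append("first port repeated literally; use <First Port>")
    if re.search(rf"\b{re.escape(user)}\b", template):
        findings.append("account name repeated literally; use <User>")
    return findings


def render_command(template, user, local_ip, ports_field, device_name=""):
    """Expand the placeholders as PAM does at launch; the password is never on the command line."""
    first_port = parse_ports(ports_field)[1]
    values = {"<User>": user, "<Local IP>": local_ip, "<Device Name>": device_name}
    if first_port is not None:  # wildcard mapping: PAM picks the port itself, so leave the token
        values["<First Port>"] = str(first_port)
    for tag, val in values.items():
        template = template.replace(tag, val)
    return template
```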
Enable File Transfer
You can configure a TCP/UDP SSH Service to perform file transfer operations for a native SFTP or SCP application. Session recording is not activated when either of these features is invoked.
Administrator Setup
You can set up your native SSH Service to allow one of the following options: Automatic Invocation or Manual Invocation.
Prerequisites
To use the file transfer via SSH service, verify that the SSH server on the target Device is configured to provide SFTP sub-system or SCP execution.
Automatic Invocation
Automatically invoke the SSH application with options through the Privileged Access Manager Service command line specification (in the Client Application field) when selecting the service link.
Manual Invocation
Manual invocation of the SSH application by the user, who applies commands at execution. To invoke the application, select the service link on the Access page.
User Experience
Automatic Invocation
A user on a properly configured client invokes an Access page Service link. The SFTP or SCP client executes automatically with the specified switches or commands. After logging in or auto-connecting to the target device, the user can execute the file transfer operations such as uploading or downloading functions provided by the native SFTP or SCP client application.
Manual Invocation
If the Privileged Access Manager Service Client Application setting is empty, the User starts a local SFTP or SCP client application manually to execute the SFTP or SCP connections.
Log Entries
A session log entry is written each time a file transfer operation is executed. The operations written to a session log are the following:
  • Uploading a file to the target device
  • Downloading a file from the target device
  • Deleting a file on the target device (SFTP only)
  • Creating a folder on the target device (SFTP only)
  • Removing a folder on the target device (SFTP only)
Supported SFTP and SCP Client Software
  • Windows: WinSCP, FileZilla, PuTTY
  • Mac: FileZilla, OpenSSH (scp only)
  • Linux: OpenSSH (scp only)
For the FileZilla client, PAM supports the official release version and does not support the development version.
X11 Forwarding and Command Execution
You can configure a TCP/UDP Service to do X Window System (X11) forwarding and command execution for a native SSH application.
Session recording is not activated when either of these features is invoked.
Administrator Setup
You can set up your native SSH Service to allow one of the following options:
  • Automatically invoke the SSH application with options through the Privileged Access Manager Service command line specification (in the Client Application field).
  • Manual invocation of the SSH application by the user, who applies commands at execution. To invoke the application, select the service link on the Access page.
Prerequisites
To use X11 forwarding, verify that X11 applications are installed on the target Device. Also confirm that the SSH server is configured to provide X11 forwarding. The User workstation must run an X11 server to display the output.
When used on UNIX, Linux, and other UNIX-like systems, the SSH Access Method requires the socat relay utility.
Automatic Invocation
To configure an SSH session so that it automatically invokes a client application with X11 forwarding, set the X11 option.
Manual Invocation
If a TCP/UDP Service is configured to use SSH without specifying the Client Application, the user can manually invoke any installed application, such as PuTTY. The service can then use the X11 forwarding or command execution options available to that application.
User Experience
Automatic Invocation
A user on a properly configured client invokes an Access page Service link. The SSH client (PuTTY) executes automatically with the specified switches or commands.
  1. After logging in or auto-connecting to the target, the User can immediately run X11 applications on the target. The application output is forwarded to the workstation.
  2. If a command is specified, the session immediately closes when the command is finished executing.
Manual Invocation
If the Privileged Access Manager Service Client Application setting is empty, the User must start a local SSH client application manually to execute the SSH connection. The User then uses that application's X11 forwarding or command execution features. For example, after invoking PuTTY on a Windows workstation, you would use the PuTTY Connection, SSH, X11, Enable X11 forwarding option or the Connection, SSH, Remote option, respectively. If a command is specified (using the latter option), the session immediately closes when the command is finished executing.
Log Entries
A session log entry is written each time an X11 forward occurs or a command is executed for this feature.
Enable Public Key Authentication
You can configure a TCP/UDP Service to connect to a target device using the Public Key Authentication method for a native SSH Application.
Administrator Setup
Prerequisites
On the native SSH Application: To use Public Key Authentication, verify that the native SSH application has Public Key Authentication and Agent Forwarding enabled.
On the Target Device: Confirm that the SSH server is configured to authorize the user's public key in the user's authorized keys file ($HOME/.ssh/authorized_keys) or an equivalent file.
When authenticating using the user's public key, confirm that Privileged Access Manager has no auto-login configured under Policies.
You can set up the native SSH Service to allow one of the following options:
Automatic Invocation
Automatically invoke the SSH application with options through the Privileged Access Manager Service command line specification (in the Client Application field).
To configure an SSH session so that it automatically invokes a client application with agent forwarding, set the agent forwarding option.
For PuTTY, use the -A option. Example:
C:\apps\putty72\putty.exe -ssh -A <Local IP> <First Port>
Manual Invocation
Manually invoke the SSH application by enabling agent forwarding. To invoke the application, select the service link on the Access page. Then, launch the native SSH application.
If a TCP/UDP Service is configured to use SSH without specifying the Client Application, the user can manually specify public key authentication and agent forwarding in any installed application, such as PuTTY, and then open a connection. The service can use the public key authentication and agent forwarding options available to that application.
User Experience
Automatic Invocation
A user on a properly configured client invokes an Access page Service link. The SSH client executes automatically with the specified switches. The user can immediately connect to the target using the public key authentication method.
Manual Invocation
If the Privileged Access Manager Service Client Application setting is empty, the user must start a local SSH client application manually to execute the SSH connection. The user then uses that application's public key authentication and agent forwarding. For example, after invoking PuTTY on a Windows workstation, use the PuTTY Private key file for authentication and Allow agent forwarding settings.
Log Entries
A session log entry is written when a user attempts public key authentication without this feature enabled. The possible messages are:
  • Public Key Authentication is not permitted via SSH TCP service. Please contact your system administrator.
  • Agent forwarding is required to connect using a public key via SSH TCP service.