SSH Connections

From the SSH access method applet, you configure a device to permit execution of sudo or pbrun commands using the login password for the device. 
You cannot apply transparent login to Device Groups.
Transparent login supports the following items at the target device:
  • OS versions: UNIX and Linux
  • Shell types: bash, csh, tcsh, and ksh
    The following restrictions apply to the ksh shell type:
    • Vi command line history is not supported.
    • Emacs command line history does not support recalling commands. For example, if a command contains one or more carriage returns, the command runs but cannot be recalled properly in emacs mode.
    • Using Ctrl-C to break a looping command is not supported.
  • Applications: sudo and BeyondTrust PowerBroker pbrun
Configure sudo or pbrun on the target so that each execution requires a password from the client. Otherwise, security can be compromised.
Unix/Linux Configuration
Configure sudo or pbrun for target devices to request a password every time that it is invoked. Privileged Access Manager responds transparently to the request. For example, set timestamp_timeout=0 so that a password is always required. The sudo execution must always require a password or security is compromised.
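The following shell script is an added example and is not part of the Privileged Access Manager documentation or product. It audits a sudoers file for the setting described above (Defaults timestamp_timeout=0) so an administrator can confirm that sudo will prompt on every invocation before turning on transparent login. It assumes a single sudoers file is inspected and does not follow include directives; the two sudoers files it writes are constructed samples, not copies of any real host's configuration.

```shell
#!/bin/sh
# Added example, not part of the Privileged Access Manager documentation.
# Audits a sudoers file for the setting this page requires: sudo must ask
# for a password on every invocation (Defaults timestamp_timeout=0).
# Assumptions: a single sudoers file is inspected; include directives are
# not followed, so check included files separately.

# sudo_timestamp_timeout FILE
# Prints the effective timestamp_timeout set by Defaults lines in FILE,
# or "default" if none is set (sudo then caches credentials for its
# built-in interval). As in sudoers, the last assignment wins.
sudo_timestamp_timeout() {
    val=$(sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*Defaults' \
        | sed -n 's/.*[[:space:],]timestamp_timeout[[:space:]]*=[[:space:]]*\([-0-9.]*\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${val:-default}"
}

# sudo_caching_disabled FILE
# Succeeds (exit 0) only when every sudo call will prompt for a password.
# A negative timeout (never re-prompt) or the built-in default both fail.
sudo_caching_disabled() {
    [ "$(sudo_timestamp_timeout "$1")" = "0" ]
}

# write_sample_sudoers DIR
# Writes two constructed sudoers files (not copied from any real host):
# DIR/weak caches the password for 15 minutes, DIR/hardened never does.
write_sample_sudoers() {
    printf '%s\n' \
        'Defaults env_reset' \
        'Defaults timestamp_timeout=15   # password cached for 15 minutes' \
        '%admin ALL=(ALL) ALL' > "$1/weak"
    printf '%s\n' \
        'Defaults env_reset,timestamp_timeout=0   # prompt on every sudo' \
        '%admin ALL=(ALL) ALL' > "$1/hardened"
}

# Stand-alone demonstration over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_sudoers "$demo_dir"
for f in weak hardened; do
    if sudo_caching_disabled "$demo_dir/$f"; then
        echo "$f: OK, timestamp_timeout=0 (safe for transparent login)"
    else
        echo "$f: NOT OK, timestamp_timeout=$(sudo_timestamp_timeout "$demo_dir/$f")"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real file with sudo_caching_disabled /etc/sudoers after sourcing the functions; a negative timeout is reported as failing because it suppresses the prompt entirely, which is the opposite of what transparent login needs.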
Configure Transparent Login for a Device
To configure a Device to allow secondary transparent login, follow these steps:
  1. Create or open an existing Device record on the Devices, Manage Devices page. If this device record is new, populate at least the required attributes (labeled in red).
  2. In the Access Methods panel, select SSH.
  3. Scroll to the Transparent Login panel. Complete the following fields to configure sudo or pbrun (or both):
    • Full Path to - Identify the directory location of the sudo or pbrun executable on the target Device.
    • Password Prompt - Specify a prompt (or a fully static substring of it) for user password input that is presented immediately upon executing sudo/pbrun. The full prompt that the user sees might be "[sudo] password for user: ", where "user" represents the dynamically applied actual username. The longest static string that can be applied here is therefore "[sudo] password for ", so use that string.
  4. Complete the configuration of other device fields as needed, and select Save.
  5. Create or open an existing policy record on the Policy, Manage Policies page.
  6. Scroll to the Transparent Login panel and select the checkbox to turn on transparent login. Clear it to turn it off for a particular User/User Group.
  7. Complete the provisioning of other Policy fields as needed, and select Save.
    Transparent login is now ready for Access use to this Device.
You can configure only a single account in the transparent login policy for a CISCO device. Multiple accounts are not supported in the transparent login policy.
User Experience
The User logs in as usual to the target Device using the SSH Access Method applet. When sudo or pbrun is enabled, the normal response (prompting the user to enter a password) is not displayed. The product supplies the password for the auto-connection, and sudo/pbrun continues to execute the sudo commands.
In some uncommon scenarios, transparent login does not behave as intended, and the user experiences unexpected behavior. For example, a token ("XGK####") is visible or a password prompt might appear. In these cases, exit the application by pressing Enter, or if necessary Control-C. Retry the command, taking care to apply the correct syntax.
Complex Commands
You can use a configured privileged command (sudo or pbrun) anywhere, and multiple times, on a command line while Privileged Access Manager provides the login password for uninterrupted completion.
Examples:
$ for i in $(cat newusers.txt); do sudo useradd $i; done
$ sudo vi /etc/ssh/sshd_config && sudo /etc/init.d/ssh restart
You can also use a configured privileged command (sudo or pbrun) on multiple lines while Privileged Access Manager provides the login user password for uninterrupted completion.
Example:
$ for i in $(cat a_remote_location/deep_in_some_subdirectory/* > newusers.txt); do sudo useradd $i;\
> done
Unsupported Syntax
Transparent login does not support the following command uses:
  • Sending a sudo command argument to the background, such as:
    $ sudo updatedb &
  • Stringing a sudo command after a vi exit command, such as:
    :wq sudo updatedb
    Exit the vi window with the Enter key first.
If a password prompt appears during execution of a sudo or pbrun command in a Windows device, exit using Ctrl-C. Any other response, such as pressing Enter or another key, might trigger a password lockout.
Audit Logs
Following each invocation of sudo or pbrun, an audit log entry like the following example is written:
2016-03-11 01:16:27 user xsso ubuntu Executed "sudo pwd" using transparent login as username
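The following shell script is an added example and is not part of the Privileged Access Manager documentation or product. It shows how an operations team might extract and count transparent-login entries from an exported audit log for review. The field layout is assumed from the single sample line above: the quoted string after Executed is the command, and the last word after "using transparent login as" is the account the command ran as. The log lines it writes are constructed samples modelled on that format, not entries from a real system.

```shell
#!/bin/sh
# Added example, not part of the Privileged Access Manager documentation.
# Extracts and counts transparent-login audit entries of the form shown
# above. Assumed layout (from the single documented sample line): the
# quoted string after Executed is the command and the word after
# "using transparent login as" is the account the command ran as.

# transparent_login_events FILE
# Prints one "account<TAB>command" line per transparent-login entry;
# other audit lines (logins, logouts, ...) are ignored.
transparent_login_events() {
    awk '
        /Executed ".*" using transparent login as [^ ]+$/ {
            cmd = $0
            sub(/^.*Executed "/, "", cmd)
            sub(/" using transparent login as [^ ]+$/, "", cmd)
            printf "%s\t%s\n", $NF, cmd
        }' "$1"
}

# count_transparent_logins FILE ACCOUNT
# Prints how many transparent-login commands ran as ACCOUNT (0 if none).
count_transparent_logins() {
    transparent_login_events "$1" \
        | awk -F '\t' -v acct="$2" '$1 == acct { n++ } END { print n + 0 }'
}

# first_transparent_login_command FILE
# Prints the command from the earliest transparent-login entry.
first_transparent_login_command() {
    transparent_login_events "$1" | head -n 1 | cut -f 2
}

# write_sample_audit_log FILE
# Constructed sample entries (not a real log), modelled on the documented
# line format; user names, device names and commands are made up.
write_sample_audit_log() {
    printf '%s\n' \
        '2016-03-11 01:16:27 user xsso ubuntu Executed "sudo pwd" using transparent login as username' \
        '2016-03-11 01:18:02 user xsso ubuntu Executed "sudo vi /etc/ssh/sshd_config" using transparent login as username' \
        '2016-03-11 01:20:45 user xsso ubuntu Logged out' \
        '2016-03-11 02:05:10 alice xsso ubuntu Executed "sudo useradd bob" using transparent login as dbadmin' > "$1"
}

# Stand-alone demonstration over the constructed sample.
log=$(mktemp)
write_sample_audit_log "$log"
echo "transparent-login events (account, command):"
transparent_login_events "$log"
echo "commands run as username: $(count_transparent_logins "$log" username)"
rm -f "$log"
```

The per-account count is the figure worth watching: a sudden rise in transparent-login executions for one account, or commands appearing for an account that has no business on that device, is the kind of change a reviewer would follow up on.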