From the SSH access method applet, you configure a device to permit execution of sudo or pbrun commands using the login password for the device.
You cannot apply transparent login to Device Groups.
Transparent login supports the following items at the target device:
- OS versions: UNIX and Linux
- Shell types: bash, csh, tcsh, and ksh. The following restrictions apply to the ksh shell type:
  - Vi command line history is not supported.
  - Emacs command line history does not support recalling commands. For example, if a command has one or more carriage returns in it, the command runs but cannot be recalled properly in emacs mode.
  - Using Ctrl-C to break a looping command is not supported.
- Applications: sudo and BeyondTrust PowerBroker pbrun
Configure sudo or pbrun on the target Device so that each execution requires a password from the client; Privileged Access Manager responds transparently to the request. For example, set timestamp_timeout=0 in the sudoers file so that a password is always required. If sudo or pbrun can run without prompting for a password, security is compromised.
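As an added example (not part of this documentation or of the product), a small Python check that reads sudoers content and reports every Defaults scope where timestamp_timeout is not 0, that is, where sudo would cache credentials and stop prompting, which breaks the per-invocation password requirement described above. The sudoers text is constructed, and the Defaults scope parsing is a simplification of full sudoers syntax.

```python
"""Report sudoers Defaults scopes that let sudo skip the password prompt.

Transparent login depends on sudo asking for a password on every
invocation. sudo's credential cache (timestamp_timeout, built-in default
5 minutes) defeats that, so the required setting is timestamp_timeout=0.
"""
import re

SUDO_DEFAULT_TIMEOUT = 5.0  # sudo's built-in default, in minutes

# Constructed sample sudoers content (not taken from any real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults env_reset, mail_badpass
Defaults timestamp_timeout=0
# A per-user override that silently reintroduces caching:
Defaults:deploy timestamp_timeout=15
Defaults!/usr/bin/less !requiretty
root ALL=(ALL:ALL) ALL
"""

# Simplified: "Defaults" optionally followed by a :user, @host, !cmnd
# or >runas scope, then a comma-separated option list.
DEFAULTS_RE = re.compile(r"^Defaults\s*(?P<scope>[:@!>]\S+)?\s+(?P<opts>.+)$")

def effective_timeouts(text):
    """Return {scope: timeout_minutes} for each scope that sets the timeout.

    The global scope is keyed "" and is pre-seeded with sudo's default so a
    file that never mentions timestamp_timeout is reported as caching.
    Later lines override earlier ones, mirroring sudoers processing order.
    """
    timeouts = {"": SUDO_DEFAULT_TIMEOUT}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group("scope") or ""
        for opt in m.group("opts").split(","):
            key, sep, val = opt.strip().partition("=")
            if sep and key.strip() == "timestamp_timeout":
                timeouts[scope] = float(val.strip())
    return timeouts

def scopes_allowing_cached_sudo(text):
    """Scopes where sudo would NOT re-prompt; negative values never expire."""
    return sorted(s for s, t in effective_timeouts(text).items() if t != 0)
```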
Configure Transparent Login for a Device
To configure a Device to allow secondary transparent login, follow these steps:
- Create or open an existing Device record on the Devices, Manage Devices page. If this Device record is new, populate at least the required attributes (labeled in red).
- In the Access Methods panel, select SSH.
- Scroll to the Transparent Login panel. Complete the following fields to configure sudo or pbrun (or both):
  - Full Path to: Identify the directory location of the sudo or pbrun executable on the target Device.
  - Password Prompt: Specify a prompt (or a fully static substring) for user password input that is presented immediately upon executing sudo/pbrun. The full prompt that the user sees might be "[sudo] password for user: ", where "user" represents the dynamically applied actual username. The longest static string that can be applied here is therefore "[sudo] password for ", so use that string.
- Complete the configuration of other Device fields as needed, and select Save.
- Create or open an existing Policy record on the Policy, Manage Policies page.
- Scroll to the Transparent Login panel and select the checkbox to turn on transparent login. Clear it to turn it off for a particular User/User Group.
- Complete the provisioning of other Policy fields as needed, and select Save. Transparent login is now ready for Access use to this Device.
You can configure only a single account in the transparent login policy for a CISCO device. Multiple accounts are not supported in the transparent login policy.
The User logs in as usual to the target Device using the SSH Access Method applet. When sudo or pbrun is enabled, the normal response (prompting the user to enter a password) is not displayed. The product supplies the password for the auto-connection, and sudo/pbrun continues to execute the sudo commands.
In some uncommon scenarios, transparent login does not behave as intended, and the user experiences unexpected behavior. For example, a token ("XGK####") is visible or a password prompt might appear. In these cases, exit the application by entering a return, or if necessary Control-C. Retry the command, taking care to apply the correct syntax.
You can use a configured privileged command (sudo or pbrun) anywhere, and multiple times, on a command line while Privileged Access Manager provides the login password for uninterrupted completion.
$ for i in $(cat newusers.txt); do sudo useradd $i; done
$ sudo vi /etc/ssh/sshd_config && sudo /etc/init.d/ssh restart
You can also use a configured privileged command (sudo or pbrun) on multiple lines while Privileged Access Manager provides the login user password for uninterrupted completion.
$ for i in $(cat a_remote_location/deep_in_some_subdirectory/* > newusers.txt); do sudo useradd $i;\
Transparent login does not support the following command uses:
- Sending a sudo command to the background, such as: $ sudo updatedb &
- Stringing a sudo command after a vi exit command, such as: ":wq sudo updatedb". Exit the vi window with the Enter key first.
If a password prompt appears during execution of a sudo or pbrun command in a Windows device, exit using Ctrl-C. Any other response, such as pressing Enter or another key, might trigger a password lockout.
Following each invocation of sudo or pbrun, an audit log entry like the following example is written:
2016-03-11 01:16:27 user xsso ubuntu Executed "sudo pwd" using transparent login as username