Connect to a Linux target
You can connect to your Linux assets from the command line window (CLI) using your preferred SSH client. The SSH gateway supports both single-factor authentication and multi-factor authentication (MFA).
Connection guidance page
To see the Connection guidance page, you must have the appropriate permission from your administrator. Your administrator must add Show Dynamic Privileged Access Tile administrative rights to one of your roles via Identity Administration. For more information, see How to give end users access to the Connection guidance page.
The Connection guidance page helps you connect to a target using DPA. Use of the Connection guidance page is optional, though you may find it easier as the page automatically provides some of the details needed for connection, such as the subdomain for the computer and username fields. If you don't want to use the Connection guidance page, see Connect to a Linux target.
To connect using the Connection guidance page, go to https://<subdomain>.cyberark.cloud/dpa, where <subdomain> is your organization's tenant subdomain, as provided to you by your administrator.
Connect to a Linux target
To log in to the environment and connect to a Linux target:
- Open your SSH client.
- Type your login command using the syntax
  ssh <username>@<login_suffix>#<subdomain>@<target>[:target_port]@<DPA SSH gateway address>
  as detailed in the following table.

  Login command parameters

  Parameter | Description |
  ---|---|
  user | Your user as it is defined in your organization's directory service |
  login_suffix | The domain of your organization as defined in Identity Administration, or any other login suffix that was defined for the users in this directory. For more information about login suffixes, see Manage login suffixes. |
  subdomain | Your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud). |
  target | The target can be one of the following: the instance ID (for AWS EC2 instances); public IP address; private IP address of the machine you want to access |
  target_port | The port on the target machine that's used to connect remotely (optional parameter with a default value of 22) |
  DPA SSH gateway address | The DPA SSH gateway address: <subdomain>.ssh.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud). |

  For example:
  ssh <user@login_suffix>#<subdomain>@<target>[:target_port]@<subdomain>.ssh.cyberark.cloud
- At the prompt, type the personal identity password that you use to authenticate to your organizational resources.
  The SSH gateway only supports password as the first authentication method in MFA.
- If your organization uses MFA, select your second authentication type at the next prompt.
- Follow the instructions to complete your authentication.
When connecting to DPA, before you click Yes and continue with the connection, it is important to check that the displayed fingerprint matches the following:
SHA256:/87ybXwC7YfK4KclfTKCM6md0mGkfgw9IRLCtvi5RTY (RSA)
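The same fingerprint comparison can be done on a host key line instead of by eye at the prompt. The Python below is an added example, not CyberArk code: it computes the OpenSSH-style SHA256 fingerprint and compares it with the value published above. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprint published on this page for the DPA SSH gateway (RSA host key).
PINNED_FINGERPRINT = "SHA256:/87ybXwC7YfK4KclfTKCM6md0mGkfgw9IRLCtvi5RTY"


def fingerprint_sha256(host_key_line: str) -> str:
    """Fingerprint a '<host> <keytype> <base64-key>' line the way OpenSSH prints it."""
    fields = host_key_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64-key>'")
    key_type = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH shows the raw digest as base64 without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def gateway_key_is_trusted(host_key_line: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """True only if the line parses and its fingerprint equals the pinned value."""
    try:
        actual = fingerprint_sha256(host_key_line)
    except ValueError:
        return False
    return hmac.compare_digest(actual, pinned)


def constructed_host_key_line(host: str = "gateway.example") -> str:
    """Constructed sample input: a well-formed blob that is not a real host key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + b"\x00" * 32
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    line = constructed_host_key_line()
    print(fingerprint_sha256(line), gateway_key_is_trusted(line))
```

The input format is the one `ssh-keyscan` prints and an unhashed `known_hosts` entry uses, so the check can run before the first connection rather than at the trust prompt.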
After you successfully authenticate to your target, the client displays how much time you have left in your session.
Your session ends and gets disconnected either when you get to the end of the allotted session time or if it is inactive for more than the amount of time allowed by your organization. You are notified 10 seconds before the session ends and is disconnected.
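The login string from the connection steps above can be checked before it is used, so that the password prompt is only ever answered at the tenant's own gateway. This is an added example, not part of the CyberArk documentation. `parse_dpa_login`, the sample tenant `mytenant`, and the restriction of targets to EC2 instance IDs and IPv4 addresses are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple

GATEWAY_SUFFIX = ".ssh.cyberark.cloud"  # gateway is <subdomain>.ssh.cyberark.cloud
# Assumption: EC2 instance IDs are "i-" followed by 8 or 17 hex digits.
INSTANCE_ID = re.compile(r"i-(?:[0-9a-f]{8}|[0-9a-f]{17})")


class DpaLogin(NamedTuple):
    user: str
    login_suffix: str
    subdomain: str
    target: str
    target_port: int
    gateway: str


def parse_dpa_login(login: str) -> DpaLogin:
    """Split and validate user@login_suffix#subdomain@target[:port]@gateway."""
    try:
        # Split from the right: the part before the gateway itself contains '@'.
        rest, gateway = login.rsplit("@", 1)
        rest, target_part = rest.rsplit("@", 1)
        identity, subdomain = rest.rsplit("#", 1)
        user, login_suffix = identity.split("@", 1)
    except ValueError:
        raise ValueError("login does not follow the DPA syntax") from None
    if not (user and login_suffix and subdomain):
        raise ValueError("user, login_suffix and subdomain are required")
    target, _, port = target_part.partition(":")
    target_port = int(port) if port else 22  # 22 is the documented default
    if not 1 <= target_port <= 65535:
        raise ValueError("target_port out of range")
    if not INSTANCE_ID.fullmatch(target):
        ipaddress.IPv4Address(target)  # raises ValueError for anything else
    # The password is typed at this host's prompt, so it must be the tenant gateway.
    if gateway.lower() != subdomain.lower() + GATEWAY_SUFFIX:
        raise ValueError("gateway does not match <subdomain>.ssh.cyberark.cloud")
    return DpaLogin(user, login_suffix, subdomain, target, target_port, gateway)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    print(parse_dpa_login(
        "alice@example.com#mytenant@10.0.0.5:2222@mytenant.ssh.cyberark.cloud"))
```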
Copy files securely
You can use native SFTP clients, such as WinSCP and FileZilla, or the SCP command to securely transfer files from and to the Linux targets, through DPA. The SSH gateway supports both single-factor authentication and multi-factor authentication (MFA).
Copy files with an SFTP client
To securely transfer files through DPA on Linux, configure your SFTP client with the parameters detailed in the following table.

Parameter | Description |
---|---|
File protocol | SFTP |
Hostname | The hostname of the DPA SSH gateway as provided to you by your organization |
Port number | 22 |
Username | Set the username using the standard DPA syntax parameters according to the DPA syntax: |
In the example below, an end user (username) connects to a Linux target through DPA's SSH gateway (host name) to securely transfer files:
Copy files with SCP
You can use the SCP command to securely transfer files through DPA on Linux:
How to give end users access to the Connection guidance page
This section is for administrators.
If you want your end users to be able to see the Connection guidance page, they must have a role which includes Show Dynamic Privileged Access Tile administrative rights.
To add Show Dynamic Privileged Access Tile administrative rights to a role:
- In Identity Administration, go to Core Services > Roles.
- Click the role you want to use. For example, DPA Users.
- On the role page, click Administrative Rights, then click Add. The Add Rights search dialog is displayed.
- In the search box, search for Show Dynamic Privileged Access tile, then select it and click Add. The right is added to the role.
To assign the role to an end user:
- In Identity Administration, go to Core Services > Roles.
- Search for and select the role you want to assign.
- Click Members, then Add. The Add Members search dialog is displayed.
- In the search box, search for the user, then select the user and click Add. The role is assigned to the user.