Connect to a Linux target

You can connect to your Linux assets from the command line (CLI) using your preferred SSH client. The SSH gateway supports both single-factor authentication and multi-factor authentication (MFA).

Connection guidance page

To see the Connection guidance page, you must have the appropriate permission from your administrator. Your administrator must add Show Dynamic Privileged Access Tile administrative rights to one of your roles via Identity Administration. For more information, see How to give end users access to the Connection guidance page.

The Connection guidance page helps you connect to a target using DPA. Use of the Connection guidance page is optional, though you may find it easier as the page automatically provides some of the details needed for connection, such as the subdomain for the computer and username fields. If you don't want to use the Connection guidance page, see Connect to a Linux target.

To connect using the Connection guidance page, go to https://<subdomain>.cyberark.cloud/dpa, where <subdomain> is your organization's tenant subdomain, as provided to you by your administrator.

Connect to a Linux target

To log in to the environment and connect to a Linux target:

  1. Open your SSH client.

  2. Type your login command using the syntax ssh <user>@<login_suffix>#<subdomain>@<target>[:target_port]@<DPA SSH gateway address> as detailed in the following table.

    Login command parameters (parameter: description)

    user: Your user as it is defined in your organization's directory service

    login_suffix: The domain of your organization as defined in Identity Administration, or any other login suffix that was defined for the users in this directory. For more information about login suffixes, see Manage login suffixes.

    subdomain: Your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

    target: The target can be one of the following:

    • The instance ID (for AWS EC2 instances)

    • Public IP address

    • Private IP address of the machine you want to access

    target_port: The port on the target machine that's used to connect remotely (optional parameter with a default value of 22)

    DPA SSH gateway address: <subdomain>.ssh.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

    For example:

    ssh <user@login_suffix>#<subdomain>@<target>[:target_port]@<subdomain>.ssh.cyberark.cloud

  3. At the prompt, type the personal identity password that you use to authenticate to your organizational resources.

    The SSH gateway only supports password as the first authentication method in MFA.

  4. If your organization uses MFA, select your second authentication type at the next prompt.

  5. Follow the instructions to complete your authentication.

    When connecting to DPA, before you click Yes and continue with the connection, it is important to check that the displayed fingerprint matches the following:

    SHA256:/87ybXwC7YfK4KclfTKCM6md0mGkfgw9IRLCtvi5RTY (RSA)
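The fingerprint check in step 5 can also be run on a host-key line in the "host keytype base64-blob" form that ssh-keyscan prints. The following is an added example, not CyberArk's code; the gateway name acme.ssh.cyberark.cloud and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Fingerprint this page publishes for the DPA SSH gateway's RSA host key.
PUBLISHED_FP = "SHA256:/87ybXwC7YfK4KclfTKCM6md0mGkfgw9IRLCtvi5RTY"


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_host_key(line: str):
    """Parse one 'host keytype base64-blob' line (ssh-keyscan / known_hosts form)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    host, keytype = fields[0], fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or edited.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match the line")
    return host, keytype, blob


def gateway_key_matches(line: str, gateway: str, expected_fp: str = PUBLISHED_FP) -> bool:
    """True only if the line is an RSA key for `gateway` with the expected fingerprint."""
    host, keytype, blob = parse_host_key(line)
    if host != gateway or keytype != "ssh-rsa":
        return False
    return sha256_fingerprint(blob) == expected_fp


# Constructed sample: 'acme' is a hypothetical subdomain and the blob is filler
# bytes, not the gateway's real key, so it must fail against PUBLISHED_FP.
GATEWAY = "acme.ssh.cyberark.cloud"
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + b"\x00" * 32
SAMPLE_LINE = f"{GATEWAY} ssh-rsa {base64.b64encode(SAMPLE_BLOB).decode('ascii')}"

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_BLOB))
    print("matches published fingerprint:", gateway_key_matches(SAMPLE_LINE, GATEWAY))
```

A False result means the presented key is not the one published above, and the connection should not be accepted.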

After you successfully authenticate to your target, the client displays how much time you have left in your session.

Your session ends and is disconnected either when the allotted session time runs out or when the session is inactive for longer than the amount of time allowed by your organization. You are notified 10 seconds before the session ends and is disconnected.

Copy files securely

You can use native SFTP clients, such as WinSCP and FileZilla, or the SCP command to securely transfer files to and from Linux targets through DPA. The SSH gateway supports both single-factor authentication and multi-factor authentication (MFA).

Copy files with an SFTP client

Set the parameters to configure an SFTP client to securely transfer files through DPA on Linux as detailed in the following table.

SFTP client parameters (parameter: description)

File protocol: SFTP

Hostname: The hostname of the DPA SSH gateway as provided to you by your organization

Port number: 22

Username: Set the username using the standard DPA syntax:

<user@login_suffix>@<target>[:target_port]@<subdomain>.ssh.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

In the example below, an end user (username) connects to a Linux target through DPA's SSH gateway (host name) to securely transfer files:

Copy files with SCP

You can use the SCP command to securely transfer files through DPA on Linux:

Copy files to a remote machine

Use the following syntax to copy files securely from your local machine to a target machine:

scp <path-on-end-user-machine> <user@login_suffix>#<subdomain>@<target>@<subdomain>.ssh.cyberark.cloud:<path-on-target-machine>

Copy files from a remote machine

On your local machine, use the following syntax to copy files securely from a remote machine to your local machine:

scp <user@login_suffix>#<subdomain>@<target>@<subdomain>.ssh.cyberark.cloud:<path-on-target-machine> <path-on-end-user-machine>

How to give end users access to the Connection guidance page

This section is for administrators.

If you want your end users to be able to see the Connection guidance page, they must have a role that includes Show Dynamic Privileged Access Tile administrative rights.

To add Show Dynamic Privileged Access Tile administrative rights to a role:

  1. In Identity Administration, go to Core Services > Roles.

  2. Click the role you want to use. For example, DPA Users.

  3. On the role page, click Administrative Rights, then click Add. The Add Rights search dialog is displayed.

  4. In the search box, search for Show Dynamic Privileged Access Tile, then select it and click Add. The right is added to the role.

To assign the role to an end user:

  1. In Identity Administration, go to Core Services > Roles.

  2. Search for and select the role you want to assign.

  3. Click Members, then Add. The Add Members search dialog is displayed.

  4. In the search box, search for the user, then select the user and click Add. The role is assigned to the user.