PSM for SSH pre-installation tasks

This topic describes prerequisites to the PSM for SSH installation.


Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.

Verify the Operating System

Make sure the operating system installed on your server is supported by PSM for SSH. These are listed in Privileged Session Manager for SSH.


PSM for SSH support on SUSE does not include the installation of the CyberArk SSHD service component. If you install PSM for SSH with InstallCyberArkSSHD = Integrated, after the installation you must follow the procedure described in Enable Integrated mode on SUSE.



Installations on SUSE Linux Enterprise Server 12 might fail due to a SUSE bug on Intel CPU servers. If you encounter this bug, follow the solution provided by SUSE:

Verify the installation package digital signature

The RPM installation packages for Red Hat operating system are digitally signed, to protect them from alteration after publication. To verify the digital signature of an RPM package, do the following:

  1. Import the RPM-GPG-KEY-CyberArk public key that is provided with the installation package, by running the following command:


    rpm --import RPM-GPG-KEY-CyberArk

  2. Verify the signature of the RPM package, by running the following command:


    rpm -K -v <package_name.rpm>

Review compatibility of PAM - Self-Hosted components

Make sure the components you will install are compatible.

The compatible versions of the PAM - Self-Hosted Suite components are listed in the Privileged Session Manager for SSH.

Customer license

The CyberArk license defines the number of PSM for SSH servers that you can use. Your CyberArk license will specify the following user type and interface:

User Type Description Allowed Interface
PSMPServer PSM for SSH Server PSMPApp

In addition, your license must allow your end users to use the PSM for SSH interface in order to be able to use PSM for SSH.

Your CyberArk support representative will supply the license file that you need for installation.


Until you receive your Customer license, you will not be able to install PSM for SSH.

(Optional) AD Bridge integration with LDAP

Configure LDAP integration so that users and groups will be provisioned in the Vault automatically. For more information about integrating PSM for SSH with LDAP, refer to Integrate PSM for SSH with LDAP authentication.

Install PSM for SSH

The user who will create the environment for PSM for SSH in the Vault during the installation process must have the following permissions in the Vault:

Add Safes
Audit Users
Add/Update Users
Manage Server File Categories

This user must be an owner of the PVWAConfig Safe with the following permissions:

List accounts
Retrieve accounts
View Owners
Manage Safe Owners

Create an administrative user on the PSM for SSH server

Administrative users can connect to the PSM for SSH machine to perform management tasks on the machine itself without being forwarded to a target machine.

For details, see PSM for SSH Administration.

Enable SELinux on the PSM for SSH server

PSM for SSH can be installed in environments where SELinux is enabled. To enable SELinux, it is recommended to enable it on your server before installing PSM for SSH so that the changes required to support SELinux are made automatically during the PSM for SSH installation. It is also possible to enable SELinux at a later stage. For more information, refer to PSM for SSH post-installation tasks.

Prepare the installation environment

  1. On the PSM for SSH machine, create a new directory for the installation files. This directory is where the installation files will be located, for example /opt/CARKpsmp.

  2. From the PSM for SSH installation package, copy the Privileged Session Manager for SSH installation package to the new directory. Make sure you copy the folder and all its contents, including its subfolders.

For a full list of the folders and files in the PSM for SSH installation package, refer to Privileged Session Manager for SSH installation file.

Configure the Vault.ini File for Installation

  1. Open the vault.ini file and specify the parameters of the Vault that will be accessed by PSM for SSH, as shown in the following example.


    vi vault.ini

    In the following example, the Address parameter is set to Vault IP

  2. During installation, the vault.ini file is copied to the PSM for SSH environment and will be used by PSM for SSH to access the Vault. For more information, refer to Vault Parameter File.

  3. For high availability implementations and DR, you can specify more than one Vault IP address, separated by commas, as shown in the following example:


The first Vault IP address that is specified is used when creating the PSM for SSH environment during installation.

When PSM for SSH is running, if it cannot access the first Vault IP address, it automatically tries to access the next Vault IP address transparently, and no human intervention is required.

Create the Credentials File for Installation

  1. If you need to add execute permission for the CreateCredFile file, first run the following command:

    chmod 755 CreateCredFile
  2. Then, run CreateCredFile to create a credentials file for the user that will create the Vault environment during installation. This file must be called user.cred.

    ./CreateCredFile user.cred

    You will be prompted for the user name and password. For versions 12.1.1 and later, you will also be prompted to use the Entropy file.

    Rotate the password use in this command.

    We recommend that you clean the history by using the history -c command.

    The user credential file must be placed in a folder that is accessible only for the machine or domain administrator who runs the PSM for SSH installation. We recommend that you delete the credential file after completing the registration.

Create the PSM for SSH parameters file for installation

InstallCyberArkSSHD parameter

When you install PSM for SSH, you configure how to handle the installation of the SSHD service. You can select from one of the following options:

As of version 13.2 support for custom SSHD (InstallCyberArkSSHD = Yes) is deprecated and will be removed entirely in a future version.

Value Description


The local SSHD service is configured to work thorough the PAM (Pluggable Authentication Module). The PAM module is deployed as part of the PSM for SSH installation. A few limitations apply, as described in Limitations.

This is the default value.

To use SSH Key or Smart card with MFA caching in Integrated mode, you must have SSH 7.8 or higher installed on the PSM for SSH machine. In RHEL 8, SSH 7.8 is included by default.


Override the local SSHD service with a CyberArk customized SSHD service to benefit from full PSM for SSH functionality.

Note: PSM for SSH support on SUSE does not include the installation of or integration with the SSHD service when set to Yes.

No Do not install the CyberArk SSHD service. Significant functional limitations apply, as described in Limitations.

Parameter changes

If you select Yes, the following parameters are valued as shown:

After installation and hardening, in the sshd_config file:

Parameter Description
Subsytem sftp

Commented out

The sftp protocol is disabled



Remote hosts cannot connect to ports forwarded from the client







Enable users to connect with an empty password.

RHEL and CentOS users must ensure that the /etc/pam.d/password-auth file includes the nullok parameter in the auth sufficient line.

SUSE users must ensure that the /etc/pam.d/common-auth-pc file includes the nullok parameter in the auth sufficient line.

auth sufficient nullok try_first_pass



Do not enable connections with a DNS name instead of an IP



PAM flow is mandatory



PAM-conversation is not enabled

In the etc/profile and etc/bashrc files:

Parameter Description
umask 027

By default, files created by users have the 750 permissions

These files can be read only by users in the same group

Disable NSCD

On all Linux-based operating systems, NSCD is a daemon that provides a cache for the most common name service requests. Disable it to prevent unexpected behavior.

  1. Run the following command to stop NSCD:

    systemctl stop nscd.service nscd.socket
  2. Run the following command to disable NSCD:

    systemctl disable nscd.service nscd.socket

Some unexpected behavior may occur if you do not disable NSCD. For details, see Using NSCD with SSSD.