PSM for SSH Administration
This topic describes the administration commands for managing the PSM for SSH server.
PSM for SSH service (psmpsrv)
PSM for SSH is installed as an automatic system service called psmpsrv. The psmpsrv service enables you to manage PSM for SSH
To manage only the PSM for SSH server, run the following command:
-
RHEL7, SUSE11, SUSE12
service psmpsrv {start|stop|restart|status} psmp -
RHEL8
systemctl {start|stop|restart|status} psmpsrv-psmpserver
To manage only the PSM for SSH AD Bridge server, run the following command:
-
RHEL7, SUSE11, SUSE12
service psmpsrv {start|stop|restart|status} psmpadb -
RHEL8
systemctl {start|stop|restart|status} psmpsrv-psmpadbserver
To manage both the PSM for SSH and the PSM for SSH AD Bridge server together, do not specify a server in the command, as shown below:
-
RHEL7, SUSE11, SUSE12
service psmpsrv {start|stop|restart|status} -
RHEL8
systemctl {start|stop|restart|status} psmpsrvTo check the status, use the following syntax:
systemctl status psmpsrv-*
RHEL/SUSE commands and RHEL configuration files
The configuration files and their location in RHEL systems differ between the different RHEL versions.
|
Server version |
Configuration file setup |
|---|---|
|
RHEL7 |
Integration is applied in one file, located in: /etc/init.d/psmpsrv The file controls both the psmpserver process and the psmpadbserver process |
|
RHEL8 |
Integration is applied in three files, located in: /usr/lib/system/systemd . psmpsrv-psmpserver.service - for psmpserver. . psmpsrv-psmpadbserver.service - for psmpadbserver. . psmpsrv.service - to manage both psmpserver and psmpadb The configuration files comply with system requirements and all standard system ctl commands can be applied to them. |
|
Server version |
Command |
|---|---|
|
RHEL7, SUSE11, SUSE12 |
service psmpsrv <action> service psmpsrv status service psmpsrv start service psmpsrv stop service psmpsrv restart |
|
RHEL8 |
systemctl <action> psmpsrv systemctl status psmpsrv-* systemctl start psmpsrv systemctl stop psmpsrv systemctl restart psmpsrv |
|
Server version |
Command |
|---|---|
|
RHEL7, SUSE11, SUSE12 |
service psmpsrv <action> psmp service psmpsrv status psmp service psmpsrv start psmp service psmpsrv stop psmp service psmpsrv restart psmp |
|
RHEL8 |
systemctl <action> psmpsrv-psmpserver systemctl status psmpsrv-psmpserver systemctl start psmpsrv-psmpserver systemctl stop psmpsrv-psmpserver systemctl restart psmpsrv-psmpserver |
|
Server version |
Command |
|---|---|
|
RHEL7, SUSE11, SUSE12 |
service psmpsrv <action> psmpadb service psmpsrv status psmpadb service psmpsrv start psmpadb service psmpsrv stop psmpadb service psmpsrv restart psmpadb |
|
RHEL8 |
systemctl <action> psmpsrv-psmpadbserver systemctl status psmpsrv-psmpadbserver systemctl start psmpsrv-psmpadbserver systemctl stop psmpsrv-psmpadbserver systemctl restart psmpsrv-psmpadbserver |
|
Query type |
Command |
|---|---|
| is psmpadbserver up or down | systemctl is-active psmpsrvpsmpadbserver |
| is psmpserver up or down | systemctl is-active psmpsrvpsmpserver |
| show status of all services, including name | systemctl show -p ActiveState -p Id psmpsrv-* |
Connect to the PSM for SSH machine for maintenance purposes
Maintenance users can connect to the PSM for SSH machine to perform management tasks and maintenance activities on the machine itself. The recommended secure practice for performing such maintenance activities on the PSM for SSH machine is to provision a maintenance user, protected by privilege access best practices. When a maintenance user needs to log in to the PSM for SSH machine, perform the following steps according to your environment architecture.
|
These users have high privileges on the PSM for SSH machine. Therefore, they should be given access according to least privilege principles and protected by storing and managing their credentials in the Vault and accessing their credentials through another PSM for SSH machine. |
-
If you have PSM installed, we recommend that you connect via the PSM to the PSM for SSH machine
-
If you do not have PSM installed, use the following command:
<ssh client> <administrative user>@<proxyaddress>
Connect from one PSM for SSH machine to the target PSM for SSH machine using a connection string, as described in Connect through PSM for SSH Connect through PSM for SSH.
Create a maintenance user
PSM for SSH identifies the following users as maintenance users when they connect to the PSM for SSH server:
- proxymng
- proxymng<number>
- Additional users that are specified in the PSMP_MaintenanceUsers parameter in the sshd_config configuration file.
The following describes how to create a maintenance user, based on your installed mode.
Create an extra maintenance user, in addition to the built-in root user, so that a maintenance user can always connect to the PSM for SSH server to perform maintenance, even when remote access is forbidden to the root user.
You can configure more maintenance user names by adding the PSMP_MaintenanceUsers parameter to the sshd_config configuration file.
|
Only local users can connect as maintenance users. |
-
In the /etc/ssh directory, open the sshd_config configuration file for editing.
-
Add the following parameter to the file:
PSMP_MaintenanceUsers <username>,<username>You can either set specific usernames or use '*' at the beginning and/or the end of the username string.
This example will allow the following administrative users: user1, all users that end with "user2", all users that starts with "user3" and all users that include "user4".
PSMP_MaintenanceUsers user1,*user2,user3*,*user4* -
Save the changes and close the sshd_config configuration file.
-
Restart the sshd service for these changes to take affect:
/etc/init.d/sshd restart
|
As part of hardening the PSM for SSH server and enforcing security best practices, after installing PSM for SSH, the root user will not be able to authenticate to the PSM for SSH server remotely using a password. If an administrative user for maintenance purposes is not created in advance, access for maintenance will only be possible either by console access or by authenticating the root user with an SSH key. |
-
In /etc/ssh/sshd_config, in the SSHD configuration file, add the following parameter:
AllowGroups PSMConnectUsers <MaintenanceGroupName1>..<MaintenanceGroupNameN>
