SSH Tunneling for PSM for SSH

This topic describes how to configure SSH tunneling for PSM for SSH.

Overview

PSM for SSH enables authorized users to initiate and use an SSH tunnel to access a target SSH server, while providing start/end tunnel session audit capabilities. Through this tunnel, users can launch GUI applications such as Web or SQL from their workstation, maintaining their existing workflow.

Using PSM for SSH, Security Managers can control access by determining which users can access different target systems. PSM for SSH’s flexible configuration also enables them to enable and disable tunneling for specify systems, according to access and security needs.

All access through PSM for SSH is monitored and stored as a full audit trail in the Vault, where authorized auditors can access it at any time.

Enable SSH tunneling

To enable SSH tunneling you must enable SSH tunneling in PVWA, enable access using SSH tunneling in Integrated mode, and configure parameters in the sshd_config file.

Step 1: Enable SSH tunneling in PVWA

To enable users to use accounts to access remote machines through an SSH Tunnel, configure the associated platform through the PVWA

  1. Log onto the PVWA as an administrator user.

  2. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  3. Select the platform to configure for PSM for SSH, then click Edit; the settings page for the selected platform appears.

  4. Expand UI & Workflows, then expand Privileged Session Management, and then select SSH Proxy; the SSH tunneling parameters are displayed in the Properties list.

     

    If SSH Proxy does not exist (after an upgrade of PVWA or when using platforms that are not are configured with SSH Proxy), add it manually:

    Right-click Privileged Session Management and then, from the pop-up menu, select Add SSH Proxy.

  5. Specify the following parameters:

    • EnableSSHTunneling – Whether SSH tunneling is enabled for accounts associated with this platform. The default value is No. Change it to Yes.

    • TunnelingPorts – The list of ports on the target machine that are enabled for SSH tunneling. You must specify at least one target port.

  6. Click Apply to save the configuration changes.

Step 2: Enable access through an SSH tunnel in Integrated mode

If you are working in Integrated mode (InstallCyberArkSSHD = Integrated), you must set the appropriate parameters to use SSH tunneling through the PVWA or through the PSM for SSH machine. The values in the PSM for SSH machine override the values in the PVWA.

Perform one of the following procedures:

for Integrated mode

  1. Log onto the PVWA as an administrator.

  2. Click Administration > Configuration Options > Connection Components > PSMP-SSH > Component Parameters.

  3. Add the following parameters:

    • TunnelingServerEnable – Default value is No. Value with Yes to enable SSH tunneling for Integrated mode.

    • TunnelingServerPort – Default value is 55555. Value with the port on the PSM for SSH machine that is enabled for SSH tunneling.

  4. Click Apply to save the configuration changes.

for Integrated mode
  1. In /etc/opt/CARKpsmp/conf/ edit the basic_psmpserver.conf file.

  2. Add the following parameters:

    • TunnelingServerEnable – Default value is No. Value with Yes to enable SSH tunneling for Integrated mode.

    • TunnelingServerPort – Default value is 55555. Value with the port on the PSM for SSH machine that is enabled for SSH tunneling.

  3. Save the file and close it.

Step 3: Configure parameters in the sshd_config file

On the PSM for SSH machine, in /etc/ssh, edit the sshd_config file:

  • AllowTcpForwarding– Value to local
  • DisableForwarding– Value to No

Enable SSH tunneling on command

To enable users to run a command on the remote machine through an SSH Tunnel, perform one of the following procedures.

  1. Log onto the PVWA as an administrator user.

  2. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  3. Select the platform to configure for PSM for SSH, then click Edit; the settings page for the selected platform appears.

  4. Click UI & Workflows > Connection Components > PSMP-SSH > Component Parameters.

  5. Specify the following parameter:

    • AllowTunnelOnSSHCommand – Default value is No. Change Value to Yes.

  6. Click Apply to save the configuration changes.

  1. Log onto the PVWA as an administrator user.

  2. Click Administration > Configuration Options > Connection Components > PSMP-SSH > Component Parameters.

  3. Add the following parameter:

    • AllowTunnelOnSSHCommand – Default value is No. Change Value to Yes.

  4. Click Apply to save the configuration changes.

Disable SSH tunneling

This procedure describes how to disable SSH tunneling after you have specified ports in the TunnelingPorts parameter.

  1. In the SSH Proxy parameter, set EnableSSHTunneling to No.

  2. Right-click TunnelingPorts and, from the pop-up menu, select Revert to Default.

  3. For integrated mode only: Set TunnelingServerEnable to No.