SSH Tunneling for PSM for SSH

This topic describes how to configure SSH tunneling for PSM for SSH.


PSM for SSH enables authorized users to initiate and use an SSH tunnel to access a target SSH server, while providing start/end tunnel session audit capabilities. Through this tunnel, users can launch GUI applications such as Web or SQL from their workstation, maintaining their existing workflow.

Using PSM for SSH, Security Managers can control access by determining which users can access different target systems. PSM for SSH’s flexible configuration also enables them to enable and disable tunneling for specify systems, according to access and security needs.

All access through PSM for SSH is monitored and stored as a full audit trail in the Vault, where authorized auditors can access it at any time.

Enable SSH tunneling

To enable SSH tunneling you must enable SSH tunneling in PVWA, enable access using SSH tunneling in Integrated mode, and configure parameters in the sshd_config file.

Step 1: Enable SSH tunneling in PVWA

To enable users to use accounts to access remote machines through an SSH Tunnel, configure the associated platform through the PVWA

Step 2: Enable access through an SSH tunnel in Integrated mode

If you are working in Integrated mode (InstallCyberArkSSHD = Integrated), you must set the appropriate parameters to use SSH tunneling through the PVWA or through the PSM for SSH machine. The values in the PSM for SSH machine override the values in the PVWA.

Perform one of the following procedures:

Step 3: Configure parameters in the sshd_config file

On the PSM for SSH machine, in /etc/ssh, edit the sshd_config file:

  • AllowTcpForwarding– Value to local
  • DisableForwarding– Value to No

Enable SSH tunneling on command

To enable users to run a command on the remote machine through an SSH Tunnel, perform one of the following procedures.

Disable SSH tunneling

This procedure describes how to disable SSH tunneling after you have specified ports in the TunnelingPorts parameter.

  1. In the SSH Proxy parameter, set EnableSSHTunneling to No.

  2. Right-click TunnelingPorts and, from the pop-up menu, select Revert to Default.

  3. For integrated mode only: Set TunnelingServerEnable to No.