Introduction to PSM for SSH

The Privileged Session Manager for SSH (PSM for SSH)  enables organizations to secure, control and monitor privileged access to network devices.

How it works

Vaulting technology enables access to privileged accounts at a centralized point and facilitates a control point to initiate privileged sessions.

PSM for SSH pinpoints users who are entitled to use privileged accounts and initiate a privileged session, when, and for what purpose.

PSM for SSH can record all activities that occur in the privileged session in a compact format. Text recordings are stored and protected in the Vault server and are accessible to authorized auditors. PSM for SSH also provides privileged Single Sign-On capabilities and allows users to connect to target devices without being exposed to the privileged connection password.

PSM for SSH separates end users from target machines and initiates privileged sessions without divulging passwords, maintaining the highest level of security that is typical to all CyberArk components.

In addition, PSM for SSH can display a broad overview of all activity performed on every privileged account, without exception. All activities are fully monitored and meet strict auditing standards.

PSM for SSH enables end users to connect transparently to target UNIX systems that use the SSH or Telnet protocol, including SSH tunneling.

Users can also copy files to and from remote machines through PSM for SSH using native SFTP clients or the SCP command. These accounts include the user name and password, SSH Key, or SSH Certificate that authenticate the user on the target system, providing a privileged SSO session.

Alternatively, when privileged passwords are not managed in the Vault, accounts may be stored in the Vault without a password, which enables a non-privileged SSO session. Users authenticating to target systems with a non-privileged SSO session are required to supply the target system password manually to enable PSM for SSH to create a connection to the remote system.

The end user connects to PSM for SSH using an intuitive command line, which includes the target device, target user, Vault user, and Vault password. PSM for SSH prompts for any missing parameters. Users authenticate once to the Vault and do not need to specify additional connection passwords.

End users can launch a session to a target system from their own workstation without interrupting their workflow, and work efficiently in the same way as they would without PSM for SSH.

PSM for SSH is also able to restrict unauthorized commands that are executed by a privileged user on a network device or any SSH-based target system. Users can connect directly to a target system or device through PSM for SSH, and run specific commands on the target system according to the users' permissions and the allowed commands as defined by the organization's security policy in the Vault. Unauthorized commands will be blocked and will not be sent to the target.

PSM for SSH ensures that only authorized users can connect to the target systems by first authenticating them to the Vault. The CyberArk or LDAP password authentication can be used, as well as stronger methods like RADIUS or SSH key authentication. With SSH key authentication, users’ authorized public SSH keys can be managed through LDAP or in the Vault, and the private SSH keys can be stored on smart card devices, facilitating an even stronger authentication policy.

PSM for SSH secures the CI/CD pipeline by providing isolation for direct SSH access between CI/CD tools and *NIX machines, without divulging credentials. Direct SSH access between CI/CD tools and *NIX machines extends the attack surface and puts the entire pipeline at risk.

PSM for SSH can also be configured to integrate with Microsoft Active Directory (AD) to provision users transparently on UNIX systems, streamlining user management and reducing administrative overhead. In addition to automatic user provisioning, this CyberArk solution benefits from all standard CyberArk security and management features, including access control and auditing. Users can log onto a UNIX machine using their AD credentials as their user is automatically synchronized with a corresponding user in the Vault. Likewise, existing groups in AD directories are automatically synchronized with a corresponding group in the Vault. Users have immediate access to UNIX machines based on their AD permissions and groups, facilitating an uninterrupted workflow and maintaining productivity. For more information, refer to AD bridging through PSM for SSH.

The combination of user authentication that uses the SSH keys residing on smart card devices with Active Directory integration allows transparent user provisioning on UNIX systems, based on their strong authentication to the Vault. For information about configuring authentication methods for PSM for SSH, refer to Authentication Methods.

Workflow and architecture

The following diagram shows the different components of the PSM for SSH solution and how they interact.

Users connect to the remote target system from their native client through the PSM for SSH using a standard SSH port. (1)

The PSM for SSH machine authenticates the user to the Vault and retrieves the privileged credentials, according to the user’s permissions in the Safe (2) that are required to connect to the target system (3).

The session to the target system can be an SSH session or a Telnet session based on the platform definitions. During the session, each keystroke and command is recorded in the Vault for immediate auditing.

At the end of the session, a text recording of the entire session is stored in the Vault (4).

Monitor privileged sessions

PSM for SSH enables organizations to secure, control and monitor privileged access to network devices by using Vaulting technology to manage privileged accounts and record all IT administrator privileged sessions on remote machines.

PSM for SSH provides the following features:

Recorded Privileged Sessions All the activities in each privileged session can be recorded in text format, and stored in the Vault, compressed for future auditing. These recordings are transparent to users and cannot be bypassed. 
View a risk score for each privileged session

PSM for SSH integrates with PTA to enable users to identify high risk privileged sessions and understand their risk score.

In addition, auditors can view details about the security incidents in each session and understand the reason for the risk score of the session. This enables them to focus their review on the high risk sessions and mitigate potential security issues.

For more information, refer to Privileged Session Management Interface.

Privileged Remote Access Only authorized users can initiate privileged sessions to the PSM for SSH machine using the SSH protocol. This meets standards for secure remote access by ensuring encrypted sessions and by not requiring the corporate firewall to be opened to additional native protocols.
Privileged Single Sign-On Users connect transparently to remote target applications and systems via PSM for SSH.
Centralized Management In the PVWA, users can see all recording archives. Auditors can retrieve and view comprehensive recordings of privileged sessions. Search features enable auditors to locate specific recordings.
Transparent Integration PSM for SSH can be integrated transparently and seamlessly into existing enterprise infrastructures, including a variety of authentication, monitoring, ticketing, and workflow systems.