Connect through PSM for SSH

This topic describes transparent connections to SSH target systems through PSM for SSH.

Overview

The Privileged Session Manager for SSH (PSM for SSH) enables you to connect to remote SSH systems and devices with a native user experience through any SSH client, such as plink, PuTTY, or SecureCRT.

You require the Use accounts and List accounts permissions in the Safe to connect transparently to remote machines.

You can authenticate to the Vault through PSM for SSH using the following methods:

  • CyberArk password
  • LDAP
  • RADIUS including Challenge-Response
  • SSH Key
  • Smart card authentication

For information about configuring authentication methods that will be available for PSM for SSH connections in your environment, refer to Authentication Methods.


To use SSH Key or Smart card authentication with MFA caching in Integrated mode, OpenSSH 7.8 or higher must be installed on the PSM for SSH machine.

PSM for SSH Command

This section describes how to access target machines using the PSM for SSH commands.

PSM for SSH can be used by any ssh client using one of the following syntaxes:

For a full description of the parameters used in this syntax, see PSM for SSH Parameters.

Authenticate to the Vault

Authenticate to the Vault through PSM for SSH using a password

Examples

Authenticate to the Vault through PSM for SSH using a Private SSH Key

You can connect to target systems through PSM for SSH by authenticating to the Vault with a private SSH key file. The key can be supplied by any standard SSH tool or client configuration. The corresponding public SSH key must be assigned to your user in the Vault for authentication to succeed.

Users can be assigned one or more public SSH keys that are kept for them in the Vault or in the LDAP directory. If one of these keys matches the private SSH key provided by the user during authentication, the connection through PSM for SSH will be approved and the user will be able to access their target system.

Public SSH keys can be managed either in LDAP, or in the Vault. For further information, see Managing Users' Public SSH Keys for Vault Authentication.

Authenticate to the Vault through PSM for SSH using a Smart Card

You can connect to target systems through PSM for SSH by authenticating to the Vault with a certificate. The certificate can be stored on a smart card such as CAC or PIV cards, or another form factor that will hold the certificate. Alternatively, soft certificates may also be used.

To use smart card authentication, connect with a client that can use the certificate's key pair for SSH authentication, such as PuTTY CAC.

As with regular SSH key authentication, a public SSH key that corresponds to your certificate must be assigned to your user in the Vault to enable authentication.

For details, see Managing Users' Public SSH Keys for Vault Authentication.

Remote SSH Command Execution through PSM for SSH

In many work environments, it is preferable to give users limited permissions to sensitive servers, for both security reasons and automation purposes.

With remote SSH command execution, administrators can execute specific commands through PSM for SSH without opening an interactive session on the target system. The session is automatically closed after the command's execution.

You can execute commands remotely on target machines over SSH from your local machine through PSM for SSH, using the standard SSH command in the following syntax:

<ssh client> [-t] <VaultUser>@<TargetUser>#<DomainAddress>@<TargetAddress>#<TargetPort>@<TargetPassword>@<ProxyAddress> <Command>

Run SSH tunneling on Command

With the SSH tunneling on command feature, you can open a secure tunnel and run a specific command on a single line.

To run a command on a remote machine through an SSH tunnel, use the following syntax. As in the other PSM for SSH connection strings, the proxy address comes last, after the forward port:

ssh -L <LocalPort>:localhost:<ForwardPort> <VaultUser>@<TargetUser>@<TargetAddress>#<sshPort>#<ForwardPort>@<ProxyAddress> <Command>

The following is an example of the SSH tunnel command.

ssh -L 8000:127.0.0.1:55555 PSMPTestUser@root@10.20.67.37#22#8000@10.20.66.248 nc -l 8000

Automation Tools Access to *NIX machines through PSM for SSH

With remote SSH commands, you can automate command execution through PSM for SSH on a single target or on multiple targets using scripts or automation tools. Scripts can authenticate with your private SSH key, whose public key is assigned to your user in the Vault; the private key itself can be kept on a smart card device for protection.

CI/CD tools such as Jenkins or Ansible can also be used to run SSH commands, scripts and playbooks.

Verify that your environment is configured correctly. For details, refer to Configure Automation Tools Access to *NIX machines through PSM for SSH.

To use Jenkins, replace the <TargetUser>@<TargetAddress> with the PSM for SSH syntax in the job configuration, as shown in Option 1.

For Ansible to interact with the target via PSM for SSH, use the PSM for SSH syntax shown in Option 1.
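The remote command execution and automation flows described above, as an added example that is not part of the original page and not CyberArk's own tooling: a POSIX shell script that composes the PSM for SSH connection string from its parts and runs one non-interactive command on several targets with a private SSH key. The proxy address, Vault user, key path and target list are assumptions constructed for the example. The optional <TargetPassword> element is omitted because authentication is by the SSH key assigned to the Vault user, and -t is left out because the commands run here need no tty.

```shell
#!/bin/sh
# Added example: run one command on several *NIX targets through PSM for SSH.
# Assumed values (not from the page): proxy address, Vault user, key path, targets.
PSMP_PROXY="${PSMP_PROXY:-psmp.example.com}"
VAULT_USER="${VAULT_USER:-vaultadmin}"
VAULT_KEY="${VAULT_KEY:-$HOME/.ssh/vault_user_key}"   # private key; its public key is assigned to the Vault user

# Compose <VaultUser>@<TargetUser>[#<DomainAddress>]@<TargetAddress>[#<TargetPort>]
# following the page's syntax. Domain and port are optional and omitted when empty.
psmp_target() {
    _vault_user=$1; _target_user=$2; _target_addr=$3
    _port=${4:-}; _domain=${5:-}
    _user_part=$_target_user
    [ -n "$_domain" ] && _user_part="$_target_user#$_domain"
    _addr_part=$_target_addr
    [ -n "$_port" ] && _addr_part="$_target_addr#$_port"
    printf '%s@%s@%s' "$_vault_user" "$_user_part" "$_addr_part"
}

# Run a single non-interactive command on one target. BatchMode=yes makes ssh fail
# instead of prompting, which is what a script wants (assumption: the PSM for SSH
# server accepts key authentication for this Vault user). Add -t only for commands
# that need a tty.
psmp_run() {
    _conn=$1; shift
    ssh -o BatchMode=yes -o ConnectTimeout=10 -i "$VAULT_KEY" "$_conn@$PSMP_PROXY" "$@"
}

# Constructed target list (assumed): "<TargetUser> <TargetAddress> [<TargetPort>] [<DomainAddress>]"
TARGETS='
root 10.0.0.11
root 10.0.0.12 2222
svc_backup 10.0.0.13 22 corp.example.com
'

# Collect one line of uptime per target; a failed host is reported, not hidden.
run_on_targets() {
    printf '%s\n' "$TARGETS" | while read -r _u _a _p _d; do
        [ -n "$_u" ] || continue
        _conn=$(psmp_target "$VAULT_USER" "$_u" "$_a" "$_p" "$_d")
        if _out=$(psmp_run "$_conn" uptime 2>&1); then
            printf '%s: %s\n' "$_a" "$_out"
        else
            printf '%s: FAILED (%s)\n' "$_a" "$_out" >&2
        fi
    done
}

# Only contact the proxy when explicitly asked, so the script can be sourced and tested offline.
if [ "${PSMP_RUN:-0}" = 1 ]; then
    run_on_targets
fi
```

Run it with PSMP_RUN=1 to actually connect; without it, only the string-building function is exercised. The same psmp_target output is what you would place in the <TargetUser>@<TargetAddress> slot of a Jenkins job or in an Ansible inventory, with the proxy address as the host.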

Copy files securely through PSM for SSH

You can use native SFTP clients, such as WinSCP and FileZilla, or the SCP or Rsync command from your desktop to securely transfer files through PSM for SSH.

Native SFTP client

On the PSM for SSH Server and target machines, ensure that the /etc/ssh/sshd_config file is configured for SFTP usage with the following line uncommented:

subsystem sftp /usr/libexec/openssh/sftp-server

Changing this file requires an sshd service restart.

Do the following to use a native SFTP client to securely transfer files through PSM for SSH:

Copy files with SCP

You can use the SCP command to securely transfer files through PSM for SSH. When using SCP through PSM for SSH, PSM for SSH will not prompt you for any required parameters that you do not specify. Make sure that you specify all mandatory parameters in the command.
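Two checks for the file-transfer setup described above, as an added example in shell that is not from the page and not CyberArk's tooling. The first verifies that an sshd_config has an active (uncommented) sftp Subsystem line, as required on the PSM for SSH server and the target. The second composes the scp target string and refuses to run when any parameter is missing, because PSM for SSH does not prompt scp users for what they leave out. The sample sshd_config contents, hosts and key path are constructed for the example; the scp connection form assumes the same <VaultUser>@<TargetUser>@<TargetAddress>@<ProxyAddress> string the page uses for ssh.

```shell
#!/bin/sh
# Added example: checks around SFTP/SCP through PSM for SSH (not CyberArk's tooling).

# Return 0 if the sshd_config at $1 has an active (uncommented) sftp Subsystem line.
# sshd_config keywords are case-insensitive, so Subsystem and subsystem both match.
sftp_subsystem_enabled() {
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+[^[:space:]]' "$1"
}

# Compose <VaultUser>@<TargetUser>@<TargetAddress>@<ProxyAddress> for scp (assumed form).
# PSM for SSH does not prompt scp users for anything left out, so every part is
# mandatory here and an empty one is an error rather than a hang or a confusing
# authentication failure later.
psmp_scp_target() {
    [ $# -eq 4 ] || { echo "usage: psmp_scp_target VaultUser TargetUser TargetAddress ProxyAddress" >&2; return 1; }
    for _part in "$@"; do
        [ -n "$_part" ] || { echo "psmp_scp_target: empty parameter" >&2; return 1; }
    done
    printf '%s@%s@%s@%s' "$1" "$2" "$3" "$4"
}

# Copy a local file to the target through the proxy with key authentication.
# BatchMode=yes turns any would-be prompt into a failure (assumed key path).
psmp_scp_put() {
    _local=$1; _remote=$2; shift 2
    _conn=$(psmp_scp_target "$@") || return 1
    scp -o BatchMode=yes -i "${VAULT_KEY:-$HOME/.ssh/vault_user_key}" "$_local" "$_conn:$_remote"
}

# Constructed sample configs (not real files from the page) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config.enabled" <<'EOF'
# sftp enabled
Port 22
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$SAMPLE_DIR/sshd_config.disabled" <<'EOF'
Port 22
#Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# Only touch the real config and the network when asked, so the script runs offline.
if [ "${PSMP_RUN:-0}" = 1 ]; then
    sftp_subsystem_enabled /etc/ssh/sshd_config || echo "warning: local sshd has no active sftp subsystem" >&2
    psmp_scp_put ./report.tgz /tmp/report.tgz vaultadmin root 10.0.0.11 psmp.example.com
fi
```

Remember that sshd must be restarted after the Subsystem line is changed, so run the config check against the running daemon's file on both the PSM for SSH server and the target before blaming the client.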

Copy files with Rsync

You can use the Rsync command to securely transfer files through PSM for SSH.

Limitations

  • Command access control does not apply to SFTP sessions (this also holds when InstallCyberArkSSHD = Integrated).

  • Accounts that require a logon account are not supported.

  • Video recording for SFTP sessions is not supported.

If your administrator set the InstallCyberArkSSHD parameter to Yes or No, the following limitations apply:

  • RADIUS challenge-response is not supported
  • Reason for access is not supported
  • Integration with enterprise ticketing systems is not supported

Specify a reason for accessing accounts through PSM for SSH

A rule in the Master Policy determines whether users can only retrieve passwords or SSH keys after they specify a reason that explains why they need to retrieve them. If the rule is active, the user is prompted to provide the relevant information before the remote session begins.

When copying files through PSM for SSH, users are not prompted to specify a reason.

If your administrator set the InstallCyberArkSSHD parameter to Integrated, you are prompted if you use SCP.

Connect through PSM for SSH  with Active Directory Users

Users can connect to a UNIX machine through PSM for SSH using their AD credentials. This automatically synchronizes their AD user with a corresponding user in the Vault.

Use the following syntax to access the target machine using AD Bridge capabilities:

<ssh client> <VaultUser>@<TargetAddress>#<TargetPort>@<ProxyAddress>