Connect to Unix machines (using PSM for SSH)

Connect to target UNIX systems from your own workstation using any standard SSH client application, such as plink, PuTTY, and SecureCrt, to benefit from a native user experience. This method eliminates the need to connect to the Privilege Cloud Portal to connect to devices.

You can connect to target UNIX systems only if your Admin has configured the system to enable this option.

Connect using the PSM for SSH command

Use the following command from any SSH client:

<ssh client> [-L localPort:127.0.0.1:TunnelingServerPort] User@targetuser#centralmanagement@targetmachine[#sshPort][#tunneltargetPort]@proxyaddress

Considerations:

  • Parameters are separated by ‘@’.

  • The user name can include one @ character. Any additional @ characters are not supported.

  • Required parameters are separated from optional parameters by ‘#’ (hash).

  • To configure the default delimiter, contact your Privilege Cloud administrator. For details on configuring the default delimiter, see Configure PSM for SSH syntax delimiter.

Command parameters

The following parameters are used in the PSM for SSH command. Each entry states whether the parameter is required.

User (required)

The CyberArk user name that you use to log in to Privilege Cloud.

Considerations:

  • Support of the @ character. Your user name may include one @ character. For example, if your user name is john@myDomain, the @ character in your user name is supported. Any additional @ characters are not supported.

  • When connecting using an SSH key in MFA caching, use the full user name in the following format: <name>@<company domain>.com. The system does not support the short name based on <First name initial><Family name>. For example, use john.smith@cyberark.com and not jsmith.

[-L <LocalPort>:127.0.0.1:TunnelingServerPort] (optional)

A standard SSH parameter that sets up port forwarding (SSH tunneling).

For details, see SSH Tunneling for PSM for SSH.

<TargetUser> (required)

The name of the account that is used on the target system. For example, root.

Note: This parameter is case sensitive.

<DomainAddress> (optional)

Set this parameter according to your environment:

  • The IP address or DNS name of the domain server in the domain where the target machine resides.

  • For centralized account management, this parameter can be used to access multiple target systems with one account, even if they are not in the same domain. In this case, this parameter specifies the address in the centralized account and not the domain server.

  • For SSH certificate authentication, this parameter can be used to access multiple target systems with one account. Enter the name that identifies the group to which your target system belongs. Your administrator configures this name in the address property of the account.

Note: This parameter is case sensitive.

<TargetAddress> (required)

The address of the target system, in any of the following formats:

  • IPv4 – For example, 1.1.1.1

  • IPv6 – For example, 1000-1000-1000-1000-1000-1000-1000-0055

    Note: Use hyphens instead of colons as separators.

  • DNS – For example, ‘myhost’

    If the target machine was defined with a DNS name, you must set this parameter to that DNS name.

<TargetPort> (optional; in the SSH tunneling (port forwarding) flow this parameter is required and must be set to 22)

The connection port used to access the system. If the port is not specified in the account properties, the value of this parameter is used. If neither is specified, the default port is used.

Default values are:

SSH – 22 (used by default if no port is specified)
Telnet – 23

The protocol (SSH or Telnet) is set according to the specified port.

<ForwardPort> (optional)

The port on the target machine to which data transferred through the tunnel is forwarded. This is the same value as the <ForwardPort> specified above, and is relevant only for SSH tunneling.

<ProxyAddress> (required)

The IP address or DNS name of the PSM for SSH machine. For example, 1.1.1.1 or ‘myhost’.

<TicketID> (optional)

The identifier generated for the user by a ticketing system.

<TicketingSystem> (optional)

The name of the ticketing system.

<Command> (optional)

The command that is executed on the target machine. For more information, see Remote SSH command execution through PSM for SSH.

Usage examples

Following are specific usage examples.

Remote SSH command execution through PSM for SSH

In many work environments, it is preferable to give users limited permissions to sensitive servers, for both security reasons and automation purposes.

With remote SSH command execution, administrators can execute specific commands through PSM for SSH without opening an interactive session on the target system. The session is automatically closed after the command's execution.

You can execute commands remotely on target machines over SSH from your local machine through PSM for SSH, using the standard SSH command in the following syntax:

<ssh client> user@targetuser#domainaddress@targetmachine#targetport@proxyaddress <command>

After you run the command, you will be prompted to enter your password.

The following example shows how to initiate an SSH privileged SSO session and execute a command on the target machine.

ssh john@root@target.ciscorouter.com@psmp.proxymachine.com 'service sshd restart'

In this example, John, a Privilege Cloud user, wants to retrieve an account for the root user on the target system, target.ciscorouter.com. As this command does not specify a port, the default port 22 and protocol SSH will be used. Once the session on the target machine has been initiated, the service sshd restart command will be executed and the session will be closed.

Automation tool access to *NIX machines through PSM for SSH

With remote SSH commands, you can automate command execution through PSM for SSH on a single target or multiple targets using scripts or automation tools. You can run scripts authenticating with your private SSH keys stored in Privilege Cloud (which in turn can be protected and stored securely on a smart card device).

CI/CD tools such as Jenkins or Ansible can also be used to run SSH commands, scripts and playbooks.

To use Jenkins, replace targetuser@targetmachine with the PSM for SSH syntax in the job configuration.

For Ansible to interact with the target through PSM for SSH, use the PSM for SSH syntax. For details, see Connect using the PSM for SSH command.
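Scripts and CI jobs that build the connection string by hand tend to get the ‘@’ and ‘#’ placement wrong, so here is an added helper that assembles it from its parts; it is an illustration, not part of the CyberArk documentation, and every host name and value in it is constructed. It relies on the standard SSH client behaviour of splitting user@host at the last ‘@’, which is what makes the proxy the host the client actually connects to.

```shell
#!/bin/sh
# psmp_target: assemble the PSM for SSH connection string from its parts.
# Added example, not CyberArk's code; all sample values are constructed.
#
# Usage:  psmp_target VAULTUSER TARGETUSER TARGETADDR PROXY [DOMAINADDR] [TARGETPORT]
# Output: VAULTUSER@TARGETUSER[#DOMAINADDR]@TARGETADDR[#TARGETPORT]@PROXY
psmp_target() {
    vault_user=$1; target_user=$2; target_addr=$3; proxy=$4
    domain_addr=$5; target_port=$6

    # User, target user, target address and proxy are the required parameters.
    if [ -z "$vault_user" ] || [ -z "$target_user" ] || [ -z "$target_addr" ] || [ -z "$proxy" ]; then
        echo "psmp_target: user, target user, target address and proxy are required" >&2
        return 1
    fi

    # The Privilege Cloud user name may contain at most one '@' (e.g. john@myDomain).
    # Strip everything up to the first '@'; a second '@' in the remainder is an error.
    case ${vault_user#*@} in
        *@*) echo "psmp_target: user name may contain at most one '@'" >&2; return 1 ;;
    esac

    # IPv6 target addresses use '-' instead of ':' as the separator in this syntax.
    case $target_addr in
        *:*) target_addr=$(printf '%s' "$target_addr" | tr ':' '-') ;;
    esac

    # Required parts are joined with '@'; optional parts hang off them with '#'.
    out="$vault_user@$target_user"
    if [ -n "$domain_addr" ]; then out="$out#$domain_addr"; fi
    out="$out@$target_addr"
    if [ -n "$target_port" ]; then out="$out#$target_port"; fi
    printf '%s\n' "$out@$proxy"
}

# Example calls with constructed values (uncomment to use):
# ssh "$(psmp_target john root target.example.com psmp.example.com)" 'uptime'
# scp report.txt "$(psmp_target john root 10.0.0.5 psmp.example.com '' 22)":/tmp/
```

The same string works as the host argument of ssh, scp and the SSH-based automation tools mentioned above; for SCP, pass every mandatory parameter explicitly, since PSM for SSH does not prompt for missing ones in that flow.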

Copy files securely through PSM for SSH

You can use native SFTP clients, such as WinSCP and FileZilla, or the SCP command from your desktop to securely transfer files through PSM for SSH.

Native SFTP client

Do the following to use a native SFTP client to securely transfer files through PSM for SSH:

Copy files with SCP

You can use the SCP command to securely transfer files through PSM for SSH. When using SCP through PSM for SSH, PSM for SSH does not prompt you for any required parameters that you do not specify. Make sure that you specify all mandatory parameters in the command.

Specify a reason for accessing accounts through PSM for SSH

A rule in the Master Policy determines whether users can only retrieve passwords after they specify a reason that explains why they need to retrieve them. If the rule is active, you are prompted to provide the relevant information before the remote session begins.

When copying files through PSM for SSH, users are not prompted to specify a reason, except when using SCP, which does prompt.

After running the command to access a target machine through PSM for SSH, you are prompted to type a reason for connecting. Specify the reason and press Enter.

PSM for SSH retrieves the password, and the reason you specified is stored in the audit log.