Connect to Unix machines (using PSM for SSH)

Connect to target UNIX systems from your own workstation using any standard SSH client application, such as plink, PuTTY, and SecureCrt, to benefit from a native user experience. This method eliminates the need to connect to the Privilege Cloud Portal to connect to devices.

You can connect to target UNIX systems only if your Admin has configured the system to enable this option.

Connect using the PSM for SSH command

Use the following command from any SSH client:

<ssh client> [-t] [-L localPort:127.0.0.1:TunnelingServerPort] vaultUser@targetUser#centralmanagement@targetmachine[#sshPort][#tunneltargetPort]@proxyaddress

Considerations:

  • Parameters are separated by ‘@’.

  • The user name can include one @ character. Any additional @ characters are not supported.

  • Required parameters are separated from optional parameters by ‘#’ (hash).
  • To configure the default delimeter, contact your Privilege Cloud administrator. For details on configuring the default delimeter, see Configure PSM for SSH syntax delimiter.

Command parameters

The following table describes the parameters used in the PSM for SSH command:

Parameter

Description

Required

-t

Displays the terminal of the target machine on the user's local screen.

No

[-L <LocalPort>:127.0.0.1:TunnelingServerPort]

A standard SSH parameter that enables port forwarding setup (SSH tunneling).

For details, see SSH Tunneling for PSM for SSH.

No

<VaultUser>

The name of the user running this command.

Support of @ character. Your user name may include one @ character. For example, if your user name is john@myDomain, then the @ character in your user name is supported. Any additional @ characters are not supported.

Yes

<TargetUser>

The name of the account that will be used on the target system. For example, root.

Note: This parameter is case sensitive.
Note: This parameter is not required to connect through AD Bridge.

Yes
(not for AD Bridge)

<DomainAddress>

Value this field according to your environment:

  • The IP address or DNS of the domain server in the domain where the target machine resides.

  • For centralized account management, this parameter can be used to access multiple target systems with one account, even if they are not on the same domain. In this case, this parameter specifies the address in the centralized account and not the domain server.

  • For SSH certificate authentication, this parameter can be used to access multiple target systems with one account. Enter the name that identifies the group where your target system belongs. Your Administrator configures this name in the address property of the account.

Note: This parameter is case sensitive.

No

<TargetAddress> The address of the target system in any of the following formats:
  • IPv4 – For example, 1.1.1.1

  • IPv6 – For example, 1000-1000-1000-1000-1000-1000-1000-0055

    Note: Use hyphens instead of colons as separators.

  • DNS – For example, ‘myhost’

    If the target machine was defined with a DNS name, you must value this field with the DNS name.

 Yes

<TargetPort>

The connection port used to access the system. If this is not specified in the account properties, it will be taken from this parameter’s value. If neither of these ports is specified, the default port is used.
Default values are:

SSH – 22 (used by default if no port is specified)
Telnet – 23

The protocol (SSH or Telnet) is set according to the specified port.

No, but if you are using the SSH tunneling (port forwarding) flow this field is required to be valued with 22.

<ForwardPort>

The port of the target machine where data transferred through the tunnel is forwarded. This is the same value as the <ForwardPort> specified above, and is only relevant for SSH tunneling.

No

<ProxyAddress>

The IP address or DNS of the PSM for SSH machine. For example, 1.1.1.1 or ‘myhost’.

Yes

<TicketID>

The identifier generated for user by a ticketing system.

No

<TicketingSystem>

The name of the ticketing system.

No

<Command>

The command that will be executed on the target machine. For more information, refer to Remote SSH command execution through PSM for SSH.

No

Usage examples

Following are specific usage examples.

  
<ssh client> vaultuser@targetuser#domainaddress@targetmachine#targetport@proxyaddress

Using this command, you are prompted for your Privilege Cloud password and any parameters, mandatory or optional, that you did not specify in the command line.

  
ssh john@root@target.ciscorouter.com@psmp.proxymachine.com

In this example, John, a Privilege Cloud user, wants to retrieve an account for the root user on the target system: target.ciscorouter.com.

This command does not specify a port, so the default port 22 and protocol SSH are used.

John is prompted for his Privilege Cloud password so that PSM for SSH can retrieve information required to connect to the target machine.

In Privilege Cloud, the account is configured for Privileged SSO and contains the password required to access the target system. Therefore, John is logged on to the target system transparently without needing to specify additional credentials.

  
ssh john@root@target.ciscorouter.com#23@psmp.proxymachine.com

In this example, John, a Privilege Cloud user, wants to retrieve an account for the root user on the target system: target.ciscorouter.com. This command specifies port 23, which indicates Telnet protocol.

John is prompted for his Privilege Cloud password so that PSM for SSH can retrieve information required to connect to the target machine.

In Privilege Cloud, the account is configured for Privileged SSO and contains the password required to access the target system. Therefore, John is logged on to the target system transparently without needing to specify additional credentials.

  
ssh john@root@target.ciscorouter.com#2222@targetciscorootpass@psmp.proxymachine.com

In this example, John, a Privilege Cloud user, wants to retrieve an account for the root user on the target system: target.ciscorouter.com. This command specifies port 2222, so SSH protocol will be used.

This example shows a non-privileged SSO session, meaning that the account for the target system is not configured for Privileged SSO and does not contain the password. The user is prompted for it so that PSM for SSH can complete the connection to the remote machine. John is also prompted for his Privilege Cloud password so that PSM for SSH can retrieve information that is required to connect to the target machine.

You can connect directly to a target machine with a UNIX domain/NIS account through PSM for SSH. To access target machines with a domain/NIS account, specify the domain machine in the command.

  • File location: The target file is located in /etc/opt/CARKpsmp/components/components.conf.

  • Command syntax and delimeters: The command syntax depends on the type of account you are authenticating. See the following examples for UNIX and UPN accounts:

    Account type

    Delimeter signs

    Local UNIX account

    Use the default "#' (hash sign) delimeter and '@' sign as in the default command examples above.

    Example of command syntax for a local UNIX account:

    ssh john@root#mycompany.com@target.mycompany.com@psmp.proxymachine.com

    where:

    John, a Privilege Cloud user, wants to retrieve a domain account for the root user in the mycompany.com domain to access the target system, target.mycomany.com.

    John is prompted for his Privilege Cloud password so that PSM for SSH can retrieve the information required to connect to the target machine.

    UPN account

    Use the default "#' (hash sign) delimeter and '@' sign as in the default command examples above.

    Example of command syntax for a UPN account:

    ssh John@mycompany.com@localadmin#mycompany.com@targetmachine@psmp.proxymachine.com

    where:

    John, a Privilege Cloud user, wants to retrieve a domain account for the localadmin user in the mycompany.com domain to access the target machine, targetmachine@psmp.proxymachine.com.

If the target user is not specified, you will be prompted for it and then can specify the target user and the domain machine as shown in the following example:

  
Target user is required (to use domain account, specify <target_user>#domain_address>).
Target user: root#mycompany.com

You can connect directly to a target machine with an SSH certificate through PSM for SSH. To access target machines with an SSH certificate, specify the name that identifies the group where your target system belongs in the command.

The following example shows how to access a target machine with an SSH certificate .

  
ssh john@root#production@target.mycompany.com@psmp.proxymachine.com

In this example, John, a Privilege Cloud user, wants to retrieve a short lived SSH certificate for the root user to access the target system, target.mycomany.com, which is part of the production group of target machines.

John will also be prompted for his Privilege Cloud password so that PSM for SSH can retrieve information that is required to connect to the target machine.

If the target user is not specified, you will be prompted for it and then can specify the target user and the domain machine as shown in the following example:

  
Target user is required (to use domain account, specify <target_user>#domain_address>).
Target user: root#mycompany.com

You can connect directly to a target machine with an SSH key through PSM for SSH. To access target machines with an SSH key, specify the name that identifies the group where your target system belongs in the command.

The following example shows how to access a target machine with an SSH key.

  
ssh -ijohn@root#production@target.mycompany.com@psmp.proxymachine.com

In this example, John, a Privilege Cloud user, wants to retrieve the SSH key for the root user to access the target system, target.mycomany.com, which is part of the production group of target machines.

John will also be prompted for his Privilege Cloud password so that PSM for SSH can retrieve information that is required to connect to the target machine.

If the target user is not specified, you will be prompted for it and then can specify the target user and the domain machine as shown in the following example:

  
Target user is required (to use domain account, specify <target_user>#domain_address>).
Target user: root#mycompany.com

You can enable users connecting from the Privilege Cloud Portal to access any target *NIX machine within the organization domain, using regular Connect or Ad hoc connect, and entering the machine ID at the Privilege Cloud Portal prompt.

This applies where the address is within the domain, and the platform has been configured to support connection to non-defined machines using the machine address.

To enable connection to non-defined *NIX machines:

  1. Override component parameters and configure the system to support connection to non-defined machines from your required SSH platform, see Configure connection to non-defined *NIX machines

  2. After the PSMRemoteMachine parameter has been added to the required SSH platform, connect to any *NIX machine by entering the machine ID (address/URL) at the Privilege Cloud Portal prompt. See Connect to a non-defined *NIX machine with a Privilege Cloud Portal connection

  
ssh -i key.openssh admin@cyberark.cloud.106785@root@52.30.209.158@34.252.112.208

Enter the user's full domain: user@domain

Remote SSH command execution through PSM for SSH

In many work environments, it is preferable to give users limited permissions to sensitive servers, for both security reasons and automation purposes.

With remote SSH command execution, administrators can execute specific commands through PSM for SSH without opening an interactive session on the target system. The session is automatically closed after the command's execution.

You can execute commands remotely on target machines over SSH from your local machine through PSM for SSH, using the standard SSH command in the following syntax:

  
<ssh client>
 vaultuser@targetuser#domainaddress@targetmachine#targetport@proxyaddress
 <command>

After you run the command, you will be prompted to enter your password.

  • You can only use this functionality if the connection does not require a logon account.

The following example shows how to initiate an SSH privileged SSO session and execute a command on the target machine.

  
ssh john@root@target.ciscorouter.com@psmp.proxymachine.com 'service sshd restart'

In this example, John, a Privilege Cloud user, wants to retrieve an account for the root user on the target system, target.ciscorouter.com. As this command does not specify a port, the default port 22 and protocol SSH will be used. Once the session on the target machine has been initiated, the service sshd restart command will be executed and the session will be closed.

Automation tool access to *NIX machines through PSM for SSH

With remote SSH commands, you can automate command execution through PSM for SSH on a single target or multiple targets using scripts or automation tools. You can run scripts authenticating with your private SSH keys stored in Privilege Cloud (which in turn can be protected and stored securely on a smart card device).

CI/CD tools such as Jenkins or Ansible can also be used to run SSH commands, scripts and playbooks.

To use Jenkins, replace the targetuser@targetmachine with the PSM for SSH syntax in the job configuration.

For Ansible to interact with the target through PSM for SSH, use the PSM for SSH syntax. For details, see Connect using the PSM for SSH command.

Copy files securely through PSM for SSH

You can use native SFTP clients, such as WinSCP and FileZilla, or the SCP command from your desktop to securely transfer files through PSM for SSH.

Native SFTP client

Do the following to use a native SFTP client to securely transfer files through PSM for SSH:

Field

Desription

File protocol

SFTP

Hostname

The IP address or DNS of the PSM for SSH server through which you want to establish your connection.

Port number

Default port is 22

User name

Set the username using the standard PSM for SSH syntax parameters according to the PSM for SSH syntax:

  
vaultuser@targetuser#domainaddress@targetmachine#targetport

For a list of valid parameters and their descriptions, see Command parameters.
 

In this example, John, a Privilege Cloud user, connects as the root user to the target machine, 10.10.10.5, through a proxy machine with the address of 10.10.10.200.
  • Accounts that require a logon account are not supported.
  • Video recording for SFTP session is not supported.

Copy files with SCP

You can use the SCP command to securely transfer files through PSM for SSH. When using SCP through PSM for SSH, PSM for SSH does not prompt you for any required parameters that you do not specify. Make sure that you specify all mandatory parameters in the command.

Use the following syntax to copy files securely from your local machine to a target machine:

  
scp <path-on-end-user-machine> vaultuser@targetuser%domainaddress@targetmachine%targetport@proxyaddress:<path-on-target-machine>

  • Parameters are separated by ‘@’.

In this example, John, a Privilege Cloud user, connects as user root to the target machine, which is 10.10.10.5, through a proxy machine whose IP address is 10.10.10.200, and copy a file called readme.txt from the /home directory on the user’s local machine to the /tmp directory on the target machine.

  
scp /home/readme.txt john@root@10.10.10.5@10.10.10.200:/tmp

On your local machine, use the following syntax to copy files securely from a remote machine to your local machine:

  
scp vaultuser@targetuser#domainaddress@targetmachine#targetport@proxyaddress:<path-on-target-machine> <path-on-end-user-machine>

  • Parameters are separated by ‘@’.

In this example, John, a Privilege Cloud user, connects as user root to the target machine, which is 10.10.10.5, through a proxy machine whose IP address is 10.10.10.200, and will copy all files and directories recursively from the /tmp directory on the target machine to the /home directory on the user’s local machine.

  
scp –r john@root@10.10.10.5@10.10.10.200:/tmp /home

Specify a reason for accessing accounts through PSM for SSH

A rule in the Master Policy determines whether users can only retrieve passwords after they specify a reason that explains why they need to retrieve them. If the rule is active, you are prompted to provide the relevant information before the remote session begins.

 

When copying files through PSM for SSH , users will not be prompted to specify a reason.

You are prompted if you use SCP.

After running the command to access a target machine through the PSM for SSH, you are prompted to type a reason for connecting. Specify the reason and press Enter.

The PSM for SSH retrieves the password, and the reason you specified is stored in the audit log.