PSM for SSH pre-installation tasks

This topic describes prerequisites to the PSM for SSH installation.

Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.

Verify the Operating System

Make sure the operating system installed on your server is supported by PSM for SSH. These are listed in Privileged Session Manager for SSH.

PSM for SSH support on SUSE does not include the installation of the CyberArk SSHD service component. If you install PSM for SSH with InstallCyberArkSSHD = Integrated, after the installation you must follow the procedure described in Enable Integrated mode on SUSE.

Installations on SUSE Linux Enterprise Server 12 might fail due to a SUSE bug on Intel CPU servers. If you encounter this bug, follow the solution provided by SUSE: https://www.suse.com/support/kb/doc/?id=7022289

Verify the installation package digital signature

The RPM installation packages for Red Hat operating system are digitally signed, to protect them from alteration after publication. To verify the digital signature of an RPM package, do the following:

Import the RPM-GPG-KEY-CyberArk public key that is provided with the installation package, by running the following command:

rpm --import RPM-GPG-KEY-CyberArk

Verify the signature of the RPM package, by running the following command:

rpm -K -v <package_name.rpm>

Review compatibility of PAM - Self-Hosted components

Make sure the components you will install are compatible.

The compatible versions of the PAM - Self-Hosted Suite components are listed in the Privileged Session Manager for SSH.

Customer license

The CyberArk license defines the number of PSM for SSH servers that you can use. Your CyberArk license will specify the following user type and interface:

User Type	Description	Allowed Interface
PSMPServer	PSM for SSH Server	PSMPApp

In addition, your license must allow your end users to use the PSM for SSH interface in order to be able to use PSM for SSH.

Your CyberArk support representative will supply the license file that you need for installation.

Until you receive your Customer license, you will not be able to install PSM for SSH.

(Optional) AD Bridge integration with LDAP

Configure LDAP integration so that users and groups will be provisioned in the Vault automatically. For more information about integrating PSM for SSH with LDAP, refer to Integrate PSM for SSH with LDAP authentication.

Install PSM for SSH

The user who will create the environment for PSM for SSH in the Vault during the installation process must have the following permissions in the Vault:

■

Add Safes

■

Audit Users

■

Add/Update Users

■

Manage Server File Categories

This user must be an owner of the PVWAConfig Safe with the following permissions:

■

List accounts

■

Retrieve accounts

■

View Owners

■

Manage Safe Owners

Create an administrative user on the PSM for SSH server

Administrative users can connect to the PSM for SSH machine to perform management tasks on the machine itself without being forwarded to a target machine.

For details, see PSM for SSH Administration.

Enable SELinux on the PSM for SSH server

PSM for SSH can be installed in environments where SELinux is enabled. To enable SELinux, it is recommended to enable it on your server before installing PSM for SSH so that the changes required to support SELinux are made automatically during the PSM for SSH installation. It is also possible to enable SELinux at a later stage. For more information, refer to PSM for SSH post-installation tasks.

Prepare the installation environment

On the PSM for SSH machine, create a new directory for the installation files. This directory is where the installation files will be located, for example /opt/CARKpsmp.
From the PSM for SSH installation package, copy the Privileged Session Manager for SSH installation package to the new directory. Make sure you copy the folder and all its contents, including its subfolders.

For a full list of the folders and files in the PSM for SSH installation package, refer to Privileged Session Manager for SSH installation file.

Configure the Vault.ini File for Installation

Open the vault.ini file and specify the parameters of the Vault that will be accessed by PSM for SSH, as shown in the following example.

vi vault.ini

In the following example, the Address parameter is set to Vault IP 1.1.1.102:

Address=1.1.1.102

During installation, the vault.ini file is copied to the PSM for SSH environment and will be used by PSM for SSH to access the Vault. For more information, refer to Vault Parameter File.

For high availability implementations and DR, you can specify more than one Vault IP address, separated by commas, as shown in the following example:

Address=1.1.1.102,1.1.1.232

The first Vault IP address that is specified is used when creating the PSM for SSH environment during installation.

When PSM for SSH is running, if it cannot access the first Vault IP address, it automatically tries to access the next Vault IP address transparently, and no human intervention is required.

Create the Credentials File for Installation

If you need to add execute permission for the CreateCredFile file, first run the following command:
```
chmod 755 CreateCredFile
```
Then, run CreateCredFile to create a credentials file for the user that will create the Vault environment during installation. This file must be called user.cred.
```
./CreateCredFile user.cred
```
You will be prompted for the user name and password. For versions 12.1.1 and later, you will also be prompted to use the Entropy file.

Rotate the password use in this command.

We recommend that you clean the history by using the history -c command.

The user credential file must be placed in a folder that is accessible only for the machine or domain administrator who runs the PSM for SSH installation. We recommend that you delete the credential file after completing the registration.

Create the PSM for SSH parameters file for installation

Create the PSM for SSH parameters file

Copy psmpparms.sample and rename it to psmpparms. This file is required for the installation process.

cp psmpparms.sample psmpparms

Open the psmpparms configuration file:

vi psmpparms

Specify the following mandatory parameters:

Parameter

Description

InstallationFolder

The full path of the installation folder that you created previously, and to where you copied the content of the PSM for SSH installation package.

AcceptCyberArkEULA

Whether or not you accept all the terms of the PSM for SSH end user license agreement. This agreement is on the installation package in the PSM installation package. Open this agreement and read it carefully, then set this parameter to Yes.

You will not be able to install the PSM for SSH until you accept all the terms of the license agreement

InstallCyberArkSSHD

Whether or not the PSM for SSH installation installs the CyberArk SSHD service or is integrated with the original service.

The default value is Integrated.

For details, see InstallCyberArkSSHD parameter.

Hardening

Whether or not the PSM for SSH hardening settings will be applied.

CreateVaultEnvironment

Whether or not installation creates the PSM for SSH environment in the Vault.

By default, this parameter is set to Yes.

For a standard installation set to Yes.

For an installation in stages set to No.

If set to No, use the PSM for SSH registration tool to create the PSM for SSH environment in the Vault. For details, see PSM for SSH registration tool.

Specify the following optional parameters:

Parameter	Description
PSMPCreateEnvRetryTimeout	Time to wait between client registration retries (in seconds). By default, this parameter is commented out. Default value: 1 second
PSMPCreateEnvClientsCount	The number of PSM for SSH instances registering simultaneously. By default, this parameter is commented out. Default value: 10
EnableADBridge	Whether to enable the ADBridge environment creation and service deployment while installing PSM for SSH. By default, this parameter is commented out. In a Distributed Vaults environment, set to No and remove the #.

Parameter

Description

PSMPCreateEnvRetryTimeout

Time to wait between client registration retries (in seconds).

By default, this parameter is commented out.

Default value: 1 second

PSMPCreateEnvClientsCount

The number of PSM for SSH instances registering simultaneously.

By default, this parameter is commented out.

Default value: 10

EnableADBridge

Whether to enable the ADBridge environment creation and service deployment while installing PSM for SSH.

By default, this parameter is commented out.

In a Distributed Vaults environment, set to No and remove the #.

To install multiple PSM for SSH instances at the same time and not override the configuration files (PVConfiguration.xml and Policies.xml), a locking mechanism has been added.

Our recommendation is to set the PSMPCreateEnvRetryTimeout parameter to 1 second (the default value) and the PSMPCreateEnvClientsCount parameter to the number of the required retries (based on the amount of required PSM for SSH registrations).

For example, if there are 60 PSM for SSH instances, the recommendation is to set PSMPCreateEnvClientsCount to 60 and to set PSMPCreateEnvRetryTimeout to 1 second. PSM for SSH will try 60 registrations at the same time with a one-second retry in case of failure to lock the configuration file. Another option in this example is to set PSMPCreateEnvClientsCount to 20 and PSMPCreateEnvRetryTimeout to 3 seconds.

Save the psmpparms configuration file.

Move the psmpparms configuration file to the /var/tmp directory.

mv psmpparms /var/tmp/psmpparms

InstallCyberArkSSHD parameter

When you install PSM for SSH, you configure how to handle the installation of the SSHD service. You can select from one of the following options:

Value	Description
Integrated	The local SSHD service is configured to work thorough the PAM (Pluggable Authentication Module). The PAM module is deployed as part of the PSM for SSH installation. A few limitations apply, as described in Limitations. This is the default value. To use SSH Key or Smart card with MFA caching in Integrated mode, you must have SSH 7.8 or higher installed on the PSM for SSH machine. In RHEL 8, SSH 7.8 is included by default.
Yes	Override the local SSHD service with a CyberArk customized SSHD service to benefit from full PSM for SSH functionality. Note: PSM for SSH support on SUSE does not include the installation of or integration with the SSHD service when set to Yes.
No	Do not install the CyberArk SSHD service. Significant functional limitations apply, as described in Limitations.

Value

Description

Integrated

The local SSHD service is configured to work thorough the PAM (Pluggable Authentication Module). The PAM module is deployed as part of the PSM for SSH installation. A few limitations apply, as described in Limitations.

This is the default value.

To use SSH Key or Smart card with MFA caching in Integrated mode, you must have SSH 7.8 or higher installed on the PSM for SSH machine. In RHEL 8, SSH 7.8 is included by default.

Yes

Override the local SSHD service with a CyberArk customized SSHD service to benefit from full PSM for SSH functionality.

Note: PSM for SSH support on SUSE does not include the installation of or integration with the SSHD service when set to Yes.

Do not install the CyberArk SSHD service. Significant functional limitations apply, as described in Limitations.

Parameter changes

If you select Yes, the following parameters are valued as shown:

After installation and hardening, in the sshd_config file:

Parameter	Description
Subsytem sftp	Commented out The sftp protocol is disabled
GatewayPorts	No Remote hosts cannot connect to ports forwarded from the client
AllowTcpForwarding	No
PrintLastLog	No
PermitEmptyPasswords	Yes Enable users to connect with an empty password. RHEL and CentOS users must ensure that the /etc/pam.d/password-auth file includes the nullok parameter in the auth sufficient line. SUSE users must ensure that the /etc/pam.d/common-auth-pc file includes the nullok parameter in the auth sufficient line. auth sufficient pam_unix.so nullok try_first_pass
UseDNS	No Do not enable connections with a DNS name instead of an IP
UsePAM	Yes PAM flow is mandatory
ChallengeResponseAuthentication	No PAM-conversation is not enabled

In the etc/profile and etc/bashrc files:

Parameter	Description
umask 027	By default, files created by users have the 750 permissions These files can be read only by users in the same group

Parameter

Description

umask 027

By default, files created by users have the 750 permissions

These files can be read only by users in the same group

Disable NSCD

On all Linux-based operating systems, NSCD is a daemon that provides a cache for the most common name service requests. Disable it to prevent unexpected behavior.

Run the following command to stop NSCD:
```
systemctl stop nscd.service nscd.socket
```

Run the following command to disable NSCD:

systemctl disable nscd.service nscd.socket

Some unexpected behavior may occur if you do not disable NSCD. For details, see Using NSCD with SSSD.

Limitations

If you select No, the following limitations apply:

You cannot use the native syntax of SSH command to connect through PSM for SSH.

You can only use the following syntax:

<ssh client> [–L <srcport>:localhost:target_port] -t PSMConnect@<proxyaddress> <vaultuser> <targetuser> <targetmachine> [-protocol <telnet|ssh>] [-port <port>] [-vp <vault-password>] [–tpw < targetpassword>] [-tunnel <target_port>]

This is described in Connect through PSM for SSH.

You cannot connect with domain accounts
You cannot copy files securely with SFTP client or the SCP command
You cannot use Remote SSH Command Execution through PSM for SSH
SSH tunneling is not supported.

For a full list of parameters in the psmpparms file, refer to Privileged Session Manager for SSH installation file.