Configure Automation Tools Access to *NIX machines through PSM for SSH

*NIX administrators can automate command execution through PSM for SSH on a single target or on multiple targets using scripts, CI/CD tools or automation tools.

When CI/CD pipeline or automation tools are deployed in a hybrid environment, or in another multi-cloud or multi-zone environment, connections from these tools to the *NIX machines cross network boundaries, such as between cloud and on-premise. Enabling direct SSH access between these tools and the *NIX machines extends the attack surface and puts the entire pipeline at risk. To secure these connections with PSM for SSH, allow SSH access to your *NIX machines only from a hardened PSM for SSH server. This isolates the *NIX machines from the automation network, and the credentials for those machines, which are protected in the CyberArk Vault, are never disclosed to the tools.

Automation tools typically run multiple SSH commands almost simultaneously, often on a single *NIX machine and with the same user. To optimize PSM for SSH for use with automation tools, either import a dedicated platform from the Marketplace, or create a platform, as described below.

Configure SSHD

Configure SSHD on the PSM for SSH server to accept the burst of concurrent sessions and connection attempts that automation tools generate.

In /etc/ssh/sshd_config, do the following:

  • Change MaxSessions to 100
  • Change MaxStartups to 100:30:500 (start:rate:full: once 100 unauthenticated connections are pending, SSHD refuses 30% of new attempts, rising linearly to 100% at 500 pending)
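The two directives above are easy to get wrong by hand: sshd honours only the first occurrence of a directive, and a directive placed after a Match block applies only to that block. The following helper, added here as an example and not part of CyberArk's documentation or software, sets both directives idempotently in a copy of sshd_config, reads back the effective values, and offers a syntax check. Function names and the --apply flag are this example's own; it assumes POSIX sh with awk, and root when run against the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not CyberArk's code): idempotently set the sshd_config
# directives this page asks for and read back the effective values.
# Assumes POSIX sh with awk; run as root for the real /etc/ssh/sshd_config.

# Set "key value" in an sshd_config file. sshd honours the FIRST occurrence of
# a directive and anything after a "Match" line is conditional, so this replaces
# the first active (uncommented) occurrence, or inserts the directive before the
# first Match block, or appends it when neither exists. Commented lines are left.
set_sshd_directive() {
  file=$1 key=$2 value=$3
  awk -v key="$key" -v value="$value" '
    function emit() { print key " " value; done = 1 }
    !done && tolower($1) == "match"       { emit() }
    !done && tolower($1) == tolower(key)  { emit(); next }
    { print }
    END { if (!done) emit() }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the effective (first, pre-Match) value of a directive, or nothing.
get_sshd_directive() {
  awk -v key="$2" '
    tolower($1) == "match"       { exit }
    tolower($1) == tolower(key)  { print $2; exit }
  ' "$1"
}

# Apply the limits from this page. MaxStartups is start:rate:full: once 100
# unauthenticated connections are pending, refuse 30% of new ones, rising
# linearly to 100% at 500 pending.
tune_sshd_for_psmp() {
  set_sshd_directive "$1" MaxSessions 100
  set_sshd_directive "$1" MaxStartups 100:30:500
}

# Syntax-check the edited file with sshd's test mode (root needed to read
# host keys). Never reload sshd on a file that fails this check.
validate_sshd_config() {
  sshd -t -f "$1"
}

# Hypothetical entry point for real use: ./tune_sshd.sh --apply
if [ "${1:-}" = "--apply" ]; then
  tune_sshd_for_psmp /etc/ssh/sshd_config
  validate_sshd_config /etc/ssh/sshd_config && systemctl reload sshd  # service sshd reload on RHEL 7
fi
```

Run it against a copy of sshd_config first and compare with diff; the change only takes effect after sshd is reloaded, and `sshd -t -f` will refuse a file with a malformed MaxStartups triple before the reload can lock you out.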

Import the platform from the Marketplace

Download the UnixSSHDevOps platform from the Marketplace.

Import the platform. For details, refer to Import a platform package.

Create a platform

Clone an existing UnixSSH platform, or any other platform that is being used for Unix accounts.

Set the following parameters for the PSMP-SSH, PSMP-SCP, PSMP-SFTP, and PSMP-Rsync connection components on the new platform.

  1. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  2. Select an existing SSH platform that is similar to the new target account platform. For example, Unix via SSH.

  3. Click Duplicate; the Duplicate Platform window appears.

  4. Type the name and a description of the new platform, then click Save & Close to create the new platform.

  5. Select the new target account platform, and then click Edit; the configuration page for the selected platform appears.

  6. Expand UI & Workflows, and then expand Connection Components; the Connection Components parameters are displayed with their default values.

  7. Set the Override Component Parameters for the PSMP-SSH, PSMP-SCP, PSMP-SFTP, and PSMP-Rsync connection components:

    1. Right-click the connection component and select Override Component Parameters.

    2. Add the AllowMultiplexSessions parameter and set it to Yes.

    3. Add the AllowSessionMonitoring parameter and set it to No.
  8. Expand Options, and then expand Connection Components; the Connection Components parameters are displayed with their default values.
  9. Set the Override Target Settings for the PSMP-SSH, PSMP-SCP, PSMP-SFTP, and PSMP-Rsync connection components:
    1. Right-click the connection component and select Override Target Settings.

    2. Set the Protocol parameter to SSH.

    3. Set the ClientApp parameter to {PSPComponentsFolder}/ssh [-{PSMProtocol}] {Address}.
    4. Set the ClientDispatcher parameter to NA.
    5. Set the ClientInvokeType parameter to Internal.
    6. Set the ConnectionComponentInitTimeout parameter to 20000.
  10. Enable session caching for each of the same connection components:
    1. Right-click the connection component and select Override Component Parameters (if you added it in step 7, select the existing entry).

    2. Right-click Override Component Parameters and select Add Parameter.

    3. Add the EnableSessionCaching parameter and set it to Yes.
  11. Change any additional parameter values and/or add new values to define the new platform.
  12. Click Apply to save the new configuration and apply it immediately, or click OK to save the new configuration and return to the System Configuration page.

  13. Restart the psmpsrv service to apply the configuration changes:

    At a command line, run the following commands:

    • RHEL7, SUSE11, SUSE12

       
      service psmpsrv stop
      service psmpsrv start
    • RHEL8

       
      systemctl stop psmpsrv
      systemctl start psmpsrv

Additional Details

SSH key / Smart Card authentication to the Vault is not supported together with SSH ControlMaster, which makes the SSH client reuse an existing connection to a remote host for new connections to that host instead of authenticating again.

Valuing the AllowSessionMonitoring parameter with No has the following impact:

  • You can see session audits through the Account Details page or by generating a report, but not through the Monitoring page.
  • You can see security incidents in the Security page, but you cannot navigate to the Monitoring page to see session details.

Valuing the ClientApp parameter as shown above has the following impact:

  • When configuring the platform to secure DevOps tools, only SSH commands are written to the audit.
  • Interactive sessions or running batch files on the target are not audited.
  • Logon Sequence and Logon Account are not supported.
  • You can see session audits on the account, but not from the Monitoring page.
  • You can only use PSM for SSH syntax as shown in Option 1.

Setting EnableSessionCaching to Yes reduces the communication required between PSM for SSH and the Vault when consecutive connections through PSM for SSH are made by the same user with the same account, which is the pattern automation tools produce. To control how long a cache entry lives in PSM for SSH, edit the basic_psmpserver.conf file and add the SessionCacheExpirationSeconds parameter. The default value is 60 seconds.

  • Any changes to the caching parameters take effect only after the PSM for SSH configuration is refreshed.
  • When EnableSessionCaching is set to Yes, SSH key authentication to the PSM for SSH server and Commands Access Control are not supported.

Ansible

If your DevOps tool is Ansible, see also Secure DevOps using Ansible.