Authentication Methods
This topic describes which methods users can use to authenticate to PSM for SSH.
Supported authentication methods
Users can authenticate to PSM for SSH using any of the following authentication methods:
Method | Description |
---|---|
CyberArk password | You can log on to the Vault with a password that was defined for you in the Vault. |
LDAP | You can log on to the Vault with a user and password that were defined for you in an LDAP directory that is integrated with the Vault. |
RADIUS including Challenge - Response | You can log on to the Vault with RADIUS authentication. After supplying your Vault username and password, if any more logon credentials are required, you will be prompted for them. |
SSH Key | You can log on to the Vault with a private SSH key. A corresponding public SSH key must be assigned to your Vault user to allow authentication. For a description of authenticating with a private SSH key, refer to Privileged Single Sign-On. Administrators can manage users’ public SSH keys either through LDAP or in the Vault. The private SSH key is provided by the user during the connection. For further information, refer to Managing Users' Public SSH Keys for Vault Authentication. Integrated mode requires the SSH client to support an SSH authentication method of type publickey,keyboard-interactive. |
Smart card authentication | You can connect to target systems through PSM for SSH by authenticating to the Vault with a certificate. The certificate can be stored on a smart card such as CAC or PIV cards. To use certificate authentication, connect with a client that supports migrating certificates to SSH keys, such as PuTTY CAC. As with regular SSH key authentication, a public SSH key that corresponds to your certificate must be assigned to your user in the Vault to enable authentication. For further information, refer to Managing Users' Public SSH Keys for Vault Authentication. |
The Vault administrator can enforce a specific authentication method for all users, or enable users to authenticate with whichever of the above authentication methods is configured for their Vault user account. This is useful when different users in the organization use different authentication methods.
Configure user authentication method
Required products
To configure PSM for SSH to use SSH Key authentication or smart card authentication, upgrade all the PSM and PSM for SSH servers in your environment to v9.6 or above.
- Log on to the Password Vault Web Access as a user with permission to configure platforms.
- Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.
- Expand Privileged Session Management, then General Settings, and then Server Settings.
- Select SSH Proxy Settings; the SSH Proxy Settings properties are displayed.
- In AuthenticationMethod, specify the authentication method that the Vault will use to authenticate PSM for SSH users. Specify one of the following valid values:
  - Password
  - LDAP
  - RADIUS

    RADIUS authentication is supported for copying files securely through the PSM for SSH with SFTP or SCP protocol, except when RADIUS authentication is configured for challenge-response.

    If you work in integrated mode (InstallCyberArkSSHD = Integrated), RADIUS authentication is supported even when RADIUS authentication is configured for challenge-response.
  - SSH Key - Select this option for either a private key file or for smart card authentication.
  - Default – Enables users to authenticate with the authentication method that is configured for them, without forcing a specific method. This is the default value.
- Click Apply to save the new configuration and stay in the same page, or click OK to save the new configuration and return to the System Configuration page.
- Restart the psmpsrv service to apply the configuration changes. At a command line, run the following commands:
  - RHEL7, SUSE11, SUSE12

        service psmpsrv stop
        service psmpsrv start
  - RHEL8

        systemctl stop psmpsrv
        systemctl start psmpsrv