SSH Tunneling for PSM for SSH

This topic describes how to configure SSH tunneling for PSM for SSH.


PSM for SSH enables authorized users to initiate and use an SSH tunnel to access a target SSH server, while providing start/end tunnel session audit capabilities. Through this tunnel, users can launch GUI applications such as Web or SQL from their workstation, maintaining their existing workflow.

Using PSM for SSH, Security Managers can control access by determining which users can access different target systems. PSM for SSH’s flexible configuration also enables them to enable and disable tunneling for specify systems, according to access and security needs.

All access through PSM for SSH is monitored and stored as a full audit trail in Privilege Cloud, where authorized auditors can access it at any time.

Enable SSH tunneling

To enable SSH tunneling you must enable SSH tunneling in Privilege Cloud Portal, enable access using SSH tunneling , and configure parameters in the sshd_config file.

Step 1: Enable SSH tunneling in Privilege Cloud Portal

To enable users to use accounts to access remote machines through an SSH Tunnel, configure the associated platform through the Privilege Cloud Portal

Step 2: Enable access through an SSH tunnel

Set the appropriate parameters to use SSH tunneling through the Privilege Cloud Portal or through the PSM for SSH machine. The values in the PSM for SSH machine override the values in the Privilege Cloud Portal.

Perform one of the following procedures:

Step 3: Configure parameters in the sshd_config file

On the PSM for SSH machine, in /etc/ssh, edit the sshd_config file:

  • AllowTcpForwarding– Value to local
  • DisableForwarding– Value to No

Enable SSH tunneling on command

To enable users to run a command on the remote machine through an SSH Tunnel, perform one of the following procedures.

Disable SSH tunneling

This procedure describes how to disable SSH tunneling after you have specified ports in the TunnelingPorts parameter.

  1. In the SSH Proxy parameter, set EnableSSHTunneling to No.

  2. Right-click TunnelingPorts and, from the pop-up menu, select Revert to Default.

  3. Set TunnelingServerEnable to No.