MFA caching (PSM for SSH) in Privilege Cloud

Security teams that enforce modern authentication methods, such as SAML and OpenID Connect with strong MFA, certificate-based PKI, or any other method supported for authentication to the Privilege Cloud Portal, can use the same authentication method in PSM for SSH.

Moreover, *nix administrators no longer need to wait for an MFA token or PIN refresh between each connection to a target server. They can connect to multiple target servers through PSM for SSH for interactive sessions, remote command execution, or file transfer, while performing the MFA flow only once in a configurable period of time, and are not prompted for any other authentication factor during that time.

This capability enables users to begin working on their day-to-day tasks much quicker, as establishing sessions against multiple servers can now be done almost in parallel.

In addition, running the same update command or script on multiple targets using tools like Cluster SSH can be done in a single click, as there is no need to enter any further authentication factor per target server.

To use these capabilities, *nix administrators first access the Privilege Cloud Portal and select the required authentication method. Once authenticated to the Privilege Cloud Portal, they can navigate to the PSM for SSH MFA caching page and generate an SSH key with a preconfigured validity period, during which they can connect to any target server authorized for them.

For greater security, admins can also choose to protect the generated SSH key with a passphrase, and can proactively invalidate it in case of an incident.

These capabilities for modern authentication and MFA caching for PSM for SSH can be achieved with any authentication method supported by Privilege Cloud Portal, both via UI and API.

  • To use MFA caching, PSM for SSH must be version 12.1 or higher.

  • For security reasons, an Administrator user cannot connect through PSM for SSH using an SSH key.

  • OpenSSH 7.8 or higher must be installed on the PSM for SSH machine. RHEL 7.9 includes an earlier version of OpenSSH. If you are using RHEL 7.9, we recommend that you upgrade to RHEL 8, which ships with OpenSSH 7.8 out of the box and therefore supports MFA caching.

Configuration

The settings are located under Administration > Configuration Options > Options > Privileged Session Management > General Settings > Server Settings > SSH Proxy Settings > MFA Caching Settings.

Property | Description | Possible Values
---------|-------------|----------------
Enable | Enable the MFA caching capability for all PSM for SSH servers | Yes/No. Default: No
EnablePassphrase | Enable a passphrase to protect the SSH key | Yes/No. Default: No
GracePeriodMinutes | The time period during which the generated SSH key is valid | Minutes. Default: 60
KeyEncryption | The encryption algorithm | RSA, DSA, ECDSA-NISTP256, ECDSA-NISTP384, ECDSA-NISTP521, ED25519. Default: RSA
KeyLength | The length of the encryption key | Numeric. Default: 4096

Add a passphrase policy

If you enable a passphrase, you must add a passphrase policy. Right-click on MFA Caching Settings and select Add Key Password Policy.

Passphrase policy settings:

Property | Description | Possible Values
---------|-------------|----------------
MinPasswordLength | The minimal required length of the passphrase | Numeric. Default: 4
MinUpperCase | The minimal number of upper-case characters in the passphrase | Numeric. Default: 0
MinLowerCase | The minimal number of lower-case characters in the passphrase | Numeric. Default: 0
MinDigits | The minimal number of digits in the passphrase | Numeric. Default: 0
MinSpecialChars | The minimal number of special characters, such as &, %, !, or ^, in the passphrase | Numeric. Default: 0
ForbiddenChars | Forbidden characters | Characters separated by a comma. Default: ? ; : . ’
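As an added illustration of how the passphrase policy properties above combine, here is a small checker that evaluates a candidate passphrase against them. This is example code, not part of Privilege Cloud or the page; the defaults mirror the table, "special character" is assumed to mean any printable non-alphanumeric character (the page only gives examples), and the straight apostrophe is added to the forbidden set as an assumption in case the page's curly quote is a rendering artifact.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPassphrasePolicy:
    """Key Password Policy properties; defaults match the page's table."""
    min_password_length: int = 4
    min_upper_case: int = 0
    min_lower_case: int = 0
    min_digits: int = 0
    min_special_chars: int = 0
    # Page default: ? ; : . ’  (straight quote added as an assumption)
    forbidden_chars: str = "?;:.’'"


def _is_special(c: str) -> bool:
    # Assumption: special = printable, non-alphanumeric, non-whitespace
    return c.isprintable() and not c.isalnum() and not c.isspace()


def check_passphrase(passphrase: str,
                     policy: KeyPassphrasePolicy = KeyPassphrasePolicy()) -> list[str]:
    """Return every policy violation; an empty list means the passphrase passes."""
    violations: list[str] = []
    if len(passphrase) < policy.min_password_length:
        violations.append(
            f"length {len(passphrase)} < MinPasswordLength {policy.min_password_length}")
    # Count each character class once and compare with the configured minimums
    counts = {
        "MinUpperCase": (sum(c.isupper() for c in passphrase), policy.min_upper_case),
        "MinLowerCase": (sum(c.islower() for c in passphrase), policy.min_lower_case),
        "MinDigits": (sum(c.isdigit() for c in passphrase), policy.min_digits),
        "MinSpecialChars": (sum(_is_special(c) for c in passphrase), policy.min_special_chars),
    }
    for name, (have, need) in counts.items():
        if have < need:
            violations.append(f"{name}: have {have}, need {need}")
    # ForbiddenChars is checked independently of the minimum-count rules
    bad = sorted(set(passphrase) & set(policy.forbidden_chars))
    if bad:
        violations.append("ForbiddenChars present: " + " ".join(bad))
    return violations


if __name__ == "__main__":
    strict = KeyPassphrasePolicy(min_password_length=12, min_upper_case=1,
                                 min_digits=1, min_special_chars=1)
    print(check_passphrase("Correct-Horse-7", strict))  # []
    print(check_passphrase("what?", strict))
```

With the page's defaults (length 4, all minimums 0) almost any four-character string passes, which is why tightening the policy before enabling EnablePassphrase matters.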

MFA caching SSH key generation

  1. Authenticate to the Privilege Cloud Portal using your preferred authentication method.

  2. Navigate to PSM for SSH MFA caching under the Accounts navigation pane.

  3. If the passphrase is disabled, click Generate to generate the MFA caching SSH key.

  4. If the passphrase is enabled:

    1. Enter a passphrase according to the defined policy.

    2. Click Generate to generate the MFA caching SSH key.

    If EnablePassphrase is enabled, the user must enter a passphrase to protect the SSH key and is prompted for that passphrase on each connection.

  5. The result is a generated SSH key limited to the predefined validity period (GracePeriodMinutes) in three formats:

    • OpenSSH

    • PEM

    • PPK

  6. Download the key or copy it to the clipboard.

  7. Use the generated key with your regular PSM for SSH connection.

    When connecting with an SSH key in MFA caching, use the full user name in the following format:
    <name>@<company domain>.com. The system does not support the short name based on <First name initial><Family name>. For example, use john.smith@cyberark.com and not jsmith.

REST API

Advanced users can benefit from the following REST APIs to generate and revoke SSH keys.