5.15 Secure Shell Relay

Secure Shell Relay (SSH Relay) provides the ability to access privileged accounts using a standard SSH client. This feature provides access to Privileged User Manager functionality without a PUM agent on the target host. SSH Relay allows users to connect to a remote host over secure shell without knowing the privileged account's credentials, such as its password or identity certificate.

Configuring an SSH Relay Session

The packages are:

SSH Relay listens on port 2222. Verify that port 2222 is assigned on hosts running the SSH Relay Agent package.

Configuring an agent-less host for SSH Relay involves the following:

Starting an SSH Relay Session

  1. Start an SSH client, using the following format for the command:

    ssh -t -p2222 <PUMframeworkuser@sshrelayhost> <root@hostname>

  2. Provide credentials details for the SSH Relay user.

NOTE: Starting an SSH relay session with the above syntax lists all sessions available to the authenticated PUM framework user.

5.15.1 Using usrun for SSH Relay

This feature extends the SSH relay functionality by supporting the ability to issue a usrun command to access a machine through SSH and a credential vault.

Creating an Account Domain with Credentials

  1. Click Command Control on the home page of the console.

  2. In the navigation pane, select Privileged Accounts.

  3. In the task pane, click Add Account Domain.

  4. Specify the following information:

    Name: Specify the IP address or full DNS name of the host.

    Type: Select SSH as the account type for the user.

    SSH Host: Select the host for the user.

    SSH Host Key: Click Lookup to populate the host key; otherwise, manually specify the SSH host key.

    Credential Type: In the drop-down list, select either Password or SSH Private Key.

    Account: Specify the account name of the domain user. Example: root.

    Password: Specify the password for the domain user account, if you selected Password as the credential type.

    SSH Key: Generate the key pair and paste the private key content here, if you selected SSH Private Key as the credential type.

    To generate the key pair:

    1. Open a terminal as root on the remote agentless host and change to the /.ssh folder.

    2. Enter ssh-keygen -t rsa.

      Public and private keys are generated.

    3. Copy the content of the public key from the remote agentless host to the authorized_keys file.

    4. Copy the content of the private key from the remote agentless host to the Privileged User Manager SSH private key.

    Passphrase: Specify the passphrase that was entered while generating the key pair.

  5. Click Finish to save the account domain details.
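The key-pair steps above (generate the pair, copy the public key into authorized_keys, paste the private key and its passphrase into the account domain) as an added shell example; this is not part of the product documentation. The directory, key file name, comment and passphrase are constructed values, and the functions add a check the steps leave implicit: the public key is installed only once and the fingerprints of the vaulted private key and the authorized public key match.

```shell
#!/bin/sh
# Added example (not from the PUM documentation): generate the SSH key pair
# for a PUM account domain and install its public key on the agentless host.
# All paths, the key comment and the passphrase are constructed values.
set -eu

# Generate an RSA key pair protected by a passphrase; the passphrase is the
# value the account domain's "Passphrase" field later holds.
#   $1 = directory for the pair, $2 = passphrase, $3 = key comment
# Prints the path of the private key.
pum_keygen() {
    dir=$1; passphrase=$2; comment=$3
    mkdir -p "$dir"
    chmod 700 "$dir"
    # -N sets the passphrase non-interactively, -q suppresses the banner.
    ssh-keygen -q -t rsa -b 4096 -N "$passphrase" -C "$comment" -f "$dir/pum_relay_key"
    chmod 600 "$dir/pum_relay_key"
    printf '%s\n' "$dir/pum_relay_key"
}

# Append the public key to authorized_keys exactly once (re-running the
# procedure must not duplicate the entry) and apply the modes sshd requires.
#   $1 = public key file, $2 = authorized_keys path
# Prints how many times the key is now present in the file (expected: 1).
pum_authorize() {
    pub=$1; auth=$2
    mkdir -p "$(dirname "$auth")"
    chmod 700 "$(dirname "$auth")"
    touch "$auth"
    chmod 600 "$auth"
    if ! grep -qxF "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth"
    fi
    grep -cxF "$(cat "$pub")" "$auth"
}

# SHA256 fingerprint of a key file. Run it on the private key you are about
# to paste into the vault and on the public key you authorized; the two
# values must be identical before you click Finish.
pum_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}
```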

Creating a Rule

  1. Click Command Control on the home page of the console.

  2. Click Rules in the navigation pane.

  3. Click Add Rule in the task pane.

  4. Specify a name for the rule. Click Finish. The new rule is added.

  5. To configure the rule, select the rule, then click Modify Rule in the task pane.

    Make the following changes:

    Run User: Specify the user as root.

    Credentials: From the drop-down list, select the required account domain. The Run User is automatically populated with the domain user provided in the account domain.

    Run Host: Specify Submit Host.

  6. Click Finish. The settings you have defined for the rule are displayed in the console.

Import SSH Session Command

  1. Click Command Control on the home page of the console.

  2. Click Import Samples in the task pane.

  3. Expand Sample Commands and select SSH Session.

  4. Click Finish. The samples are added to the appropriate section of the configuration.

Adding a Command to a Rule

After creating a rule and a command, you need to add command definitions to your rule conditions to control whether the rule is processed, depending on the command that is submitted by the user.

To add a command to your rule:

  1. Drag the command definition to the rule in the navigation pane.