The Centrify Privileged Access Service cloud connector includes an SSH gateway, which is used to facilitate remote logins to target systems over the SSH protocol.
In order to use the SSH gateway feature, the SSH service must be enabled on the cloud connector via the Centrify Administrator Portal:
1) Log into the Centrify Administrator Portal
2) Navigate to Settings > Network > Centrify Connectors > click into the Connector > select "SSH/RDP Services" > check the "Enable SSH connections" option
The target system must be vaulted in the Centrify PAS portal.
For additional details on how to add a system to the Centrify Portal, see this link.
A local account must be vaulted via the Centrify PAS portal, and the Active Directory user must have login permissions to the vaulted local account in order to be able to use it to log in to the target system.
For additional details on how to add a local account to a system, see this link.
Our example test user "firstname.lastname@example.org" has "Login" permissions to the vaulted local account "michealj".
1. Open an SSH session to a Centrify cloud connector system using the Active Directory account that you usually use to log into the Centrify PAS portal.
In this example:
cloud.ocean.net is my Centrify cloud connector (a Windows system)
email@example.com is the Active Directory user that I usually use to log in to the Centrify PAS portal
michealj is the vaulted local account that is local to the target Linux system
centos7.ocean.net is the vaulted Linux system in the Centrify PAS portal
Pros of using this method to login to a target host:
1) If Centrify DirectAudit is enabled via the Privileged Access Service, the login session opened above will be audited, because the SSH session passes through the Centrify cloud connector. Note that the Centrify DirectAudit agent is not needed on the target host for auditing to happen when the host is accessed in this manner.
The image below shows the SSH session opened in the above example in the Centrify Audit Analyzer console.
2) This login session is logged as an event in the Centrify Privileged Access Service on both the target system activity table and the vaulted user's activity table.
Logged activity on the target system in the Centrify PAS portal
Logged activity on the vaulted local user in the Centrify PAS portal
3) Because the user has login permissions to the vaulted local account, the user does not need to know the password for the vaulted local account, nor does the user need to check out the password for that account.
Note: In order for the above type of SSH connection to the target host to work, DNS needs to be set up correctly. A good test is to see if you can open an SSH session to the target host via the Centrify PAS Portal.
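The DNS note above is the usual reason a gateway login fails, so it is worth checking the preconditions before involving credentials at all. The script below is an added example, not Centrify's own code: it confirms that the connector and the target hostnames from the article (cloud.ocean.net and centos7.ocean.net) resolve in DNS and that the connector's SSH port accepts a TCP connection, which is what the "Enable SSH connections" option provides. It assumes it is run from a client that shares the connector's DNS view (or on the connector host itself); the resolver and connect callbacks are parameters so the logic can also be exercised offline with constructed results.

```python
"""Pre-flight check for a Centrify cloud-connector SSH gateway login.

Added example (not Centrify code). Verifies the DNS and network
preconditions described in the article before any login is attempted.
Hostnames are the article's example values; the resolver/connect
callbacks are injectable so the logic can be tested offline.
"""
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int, float], bool]


def resolve(hostname: str) -> List[str]:
    """Return the IP addresses a hostname resolves to (empty list if none)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    # de-duplicate while preserving order; info[4][0] is the address
    seen: Dict[str, None] = {}
    for info in infos:
        seen.setdefault(info[4][0], None)
    return list(seen)


def tcp_reachable(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(connector: str, target: str, ssh_port: int = 22,
              timeout: float = 3.0, resolver: Resolver = resolve,
              connect: Connector = tcp_reachable) -> Dict[str, object]:
    """Check the DNS and network preconditions for a gateway login.

    Only the connector's SSH port is probed: the client talks to the
    connector, and the connector opens the onward SSH session to the
    target, so the target only needs to resolve (assumption: this is run
    where DNS matches what the connector sees).
    """
    connector_ips = resolver(connector)
    target_ips = resolver(target)
    connector_ssh = bool(connector_ips) and connect(connector, ssh_port, timeout)

    problems: List[str] = []
    if not connector_ips:
        problems.append(f"connector {connector} does not resolve in DNS")
    if not target_ips:
        problems.append(f"target {target} does not resolve in DNS")
    if connector_ips and not connector_ssh:
        problems.append(f"no TCP connection to {connector}:{ssh_port}; "
                        "is 'Enable SSH connections' checked on the connector?")

    return {
        "connector_ips": connector_ips,
        "target_ips": target_ips,
        "connector_ssh_reachable": connector_ssh,
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # Article example values; replace with your own connector and target.
    result = preflight("cloud.ocean.net", "centos7.ocean.net")
    for line in result["problems"] or ["all preflight checks passed"]:
        print(line)
```

Run it on a client before trying the gateway login; a failure in the target resolution check points at DNS, while a failure in the connector port check points at the "Enable SSH connections" setting or a firewall between the client and the connector.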