
[HOWTO] How to use the Centrify Privileged Access Service Cloud Connector as an SSH gateway without logging into the Centrify Administrator Portal

Privileged Access Service

24 September 2020 at 04:42 PM

The Centrify Privileged Access Service Cloud Connector includes an SSH gateway that brokers remote logins to target systems over the SSH protocol: the client's SSH session is made to the connector, which relays it to the vaulted target system.
Before the SSH gateway can be used, the SSH service must be enabled on the Cloud Connector via the Centrify Administrator Portal:
1) Log into the Centrify Administrator Portal.
2) Navigate to Settings > Network > Centrify Connectors, click into the connector, select "SSH/RDP Services", and check the "Enable SSH connections" option.

[Screenshot: SSH service enabled via connector]


The target system must be vaulted in the Centrify PAS portal.
For details on how to add a system to the Centrify portal, see this link.


[Screenshot: vaulted target system]


A local account on the target system must be vaulted via the Centrify PAS portal, and the Active Directory user must be granted the "Login" permission on that vaulted local account in order to use it to log in to the target system.
For details on how to add a local account to a system, see this link.



[Screenshot: vaulted local account]


Our example test user "saul.berenson@ocean.net" has the "Login" permission on the vaulted local account "michealj".

[Screenshot: login permissions to the local account]


1. Open an SSH session to a Centrify Cloud Connector system, authenticating with the Active Directory account you normally use to log into the Centrify PAS portal.
In this example:
cloud.ocean.net is the Centrify Cloud Connector (Windows) system
saul.berenson@ocean.net is the Active Directory user normally used to log in to the Centrify PAS portal
michealj is the vaulted local account on the target Linux system
centos7.ocean.net is the vaulted Linux system in the Centrify PAS portal


[Screenshot: ssh to connector]


[Screenshot: ssh connection]



Pros of using this method to log in to a target host:

1) If Centrify DirectAudit session auditing is enabled via the Privileged Access Service, the login session above is audited, because the SSH session passes through the Centrify Cloud Connector. The Centrify DirectAudit agent does not need to be installed on the target host for the session to be audited when the host is accessed in this manner.

[Screenshot: the SSH session opened in the above example, as shown in the Centrify Audit Analyzer console]




2) The login session is also logged as an event in the Centrify Privileged Access Service, in both the target system's activity table and the vaulted local account's activity table.

[Screenshot: activity logged on the target system in the Centrify PAS portal]




[Screenshot: activity logged on the vaulted local account in the Centrify PAS portal]



3) Because the user has the "Login" permission on the vaulted local account, the user does not need to know the password of that account, nor does the user need to check the password out of the vault; the credential is never handed to the user.

Note: For this type of SSH connection to the target host to work, DNS must be set up correctly: the SSH client must be able to resolve the connector's hostname, and the connector must be able to resolve the target system's hostname. A good test is to check whether you can open an SSH session to the target host via the Centrify PAS Portal, since the portal's SSH sessions also go through the connector to the target.
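As an added preflight check for the DNS note above (example code written for this article, not part of the original page or of Centrify's software), the following Python script resolves the connector and target hostnames and confirms that TCP port 22 answers on each resolved address. Run it on the SSH client to check the client-to-connector hop, and on the connector host (or another host that uses the same DNS servers as the connector) to check the connector-to-target hop. The hostnames are the article's example names cloud.ocean.net and centos7.ocean.net; the port, timeout and the function names are this example's own assumptions.

```python
"""Preflight check for the Centrify connector SSH gateway path.

Added example, not Centrify code. Hostnames are the article's example
names; replace them with your own connector and vaulted target.
"""
import socket
from typing import Dict, List

SSH_PORT = 22          # assumed: default SSH port on connector and target
DEFAULT_TIMEOUT = 3.0  # assumed: seconds to wait for a TCP handshake


def resolve(name: str) -> List[str]:
    """Return the distinct IP addresses this host resolves name to.

    Uses the system resolver (DNS and /etc/hosts, whatever the OS is
    configured with). An empty list means the name does not resolve
    from here, which is exactly the failure the article's note warns about.
    """
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    ips: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip not in ips:
            ips.append(ip)
    return ips


def tcp_reachable(ip: str, port: int = SSH_PORT,
                  timeout: float = DEFAULT_TIMEOUT) -> bool:
    """True if a TCP handshake to ip:port completes within timeout.

    A refused or timed-out connection returns False rather than raising,
    so the caller can report every address instead of stopping at the first.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(name: str, port: int = SSH_PORT,
               timeout: float = DEFAULT_TIMEOUT) -> Dict[str, object]:
    """Resolve name and test which of its addresses accept TCP on port.

    "ok" is True only if the name resolved AND at least one address answered.
    """
    ips = resolve(name)
    reachable = [ip for ip in ips if tcp_reachable(ip, port, timeout)]
    return {"name": name, "ips": ips, "reachable": reachable,
            "ok": bool(reachable)}


def preflight(connector: str, target: str) -> Dict[str, Dict[str, object]]:
    """Check both hops of the gateway login.

    From the SSH client only the "connector" result is meaningful; the
    "target" result is meaningful when run on the connector host or on a
    host that uses the connector's DNS servers.
    """
    return {"connector": check_host(connector), "target": check_host(target)}


if __name__ == "__main__":
    # Article's example names; substitute your own.
    for hop, result in preflight("cloud.ocean.net", "centos7.ocean.net").items():
        status = "OK" if result["ok"] else "FAIL"
        print(f"{hop:9s} {result['name']}: resolved={result['ips']} "
              f"ssh_reachable={result['reachable']} [{status}]")
```

If the target shows `resolved=[]` when run on the connector host, the connector cannot find the target by name and neither the portal SSH session nor the gateway login will work until DNS (or the connector's hosts file) is fixed.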
 
