Allowing PAM users to sync local with remote directories using rsync over ssh

Article ID: 127952

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction

We are trying to eliminate direct access to target devices and require users to access devices through PAM. One utility frequently used is rsync (over ssh), which allows users to sync all files in a local directory with a directory on a target device. We are looking for instructions on how to allow PAM users to run rsync commands when the remote device can be accessed only through PAM.

Environment

Any PAM implementation.

Resolution

A TCP/UDP service can allow PAM users to run rsync commands that will be routed through the PAM appliance to the target device.
The configuration is as follows:

1. Define a new TCP/UDP service in PAM with the following settings:
  - Choose a local IP that is not used by other services yet, e.g. 127.0.0.7.
  - For the Ports field use 22:2222 (or another preferred local port instead of 2222). You can also use 22:* to let PAM pick a free local port.
  - Set Application Protocol to SSH.
  - Leave the client application field empty.

<Please see attached file for image>


2. Assign this service to a target device to which you want to sync files. 

3a. Define or update a policy between a user and the target device, adding the service you created.

3b. Optionally add target accounts to this service for auto-logon. In that case PAM will provide the password of the configured account when the user later runs the rsync command and is prompted for the password. If multiple accounts are defined, the user selects the account to use when launching the service, and must then use the chosen account name in the rsync command. You may not need this depending on your use case. In our test we added the target account named rsyncuser to the policy.

<Please see attached file for image>


4. Once the policy is in place, the PAM user can launch the service from the Access page. This pops up a text box showing which local IP and which port the user should connect to. In the example from step 1, the local IP would be 127.0.0.7 and the port would be 2222.

<Please see attached file for image>


5. Now the user can run an rsync command, such as
/usr/bin/rsync -v -e "ssh -p2222" /home/rsyncuser/testdir/*.txt rsyncuser@127.0.0.7:/home/rsyncuser/testdir

<Please see attached file for image>


Note the use of the local port 2222 and local IP 127.0.0.7, which makes rsync connect to the PAM client rather than to the target device directly. PAM then routes this connection through the PAM appliance to the target device for which the service was launched.
Typically the rsync command prompts for the password of the remote user, in this case rsyncuser. If this account is configured in PAM as a target account and assigned to the PAM service in the access policy (step 3b above), PAM automatically supplies the target account password when the password prompt comes back, instead of presenting the prompt to the user. This is visible in the screenshot above: the password prompt is NOT shown, because PAM transparently supplied the password of user rsyncuser, and the command is followed immediately by the list of files synchronized.
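The following wrapper is an added example for the procedure above and is not part of the article or of the PAM product. It takes the local IP and port announced by the Access page popup (step 4) and refuses to run unless that endpoint is a loopback address, so that rsync always goes through the local PAM client and never straight to a target device. The variable and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): run the rsync of step 5 only against
# the loopback endpoint that PAM announced, e.g. 127.0.0.7 port 2222.

# Return 0 when IP is in 127.0.0.0/8 and PORT is a number in 1..65535.
# Anything else would bypass the PAM client, so the wrapper refuses it.
pam_endpoint_ok() {
    ip="$1"; port="$2"
    case "$ip" in
        127.*) ;;
        *) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the rsync command line for ACCOUNT/SRC/DEST through the PAM endpoint,
# in the same shape as the command shown in step 5 of the article.
build_rsync_cmd() {
    ip="$1"; port="$2"; account="$3"; src="$4"; dest="$5"
    pam_endpoint_ok "$ip" "$port" || return 1
    printf '%s\n' "/usr/bin/rsync -v -e \"ssh -p$port\" $src $account@$ip:$dest"
}

# Execute the sync. SRC may be a directory or a single file; globs such as
# testdir/*.txt are expanded by the calling shell before they reach here.
pam_rsync() {
    ip="$1"; port="$2"; account="$3"; src="$4"; dest="$5"
    if ! pam_endpoint_ok "$ip" "$port"; then
        echo "refusing: $ip:$port is not a local PAM client endpoint" >&2
        return 1
    fi
    /usr/bin/rsync -v -e "ssh -p$port" "$src" "$account@$ip:$dest"
}

# Example invocation with the values from the article (assumed environment):
#   pam_rsync 127.0.0.7 2222 rsyncuser /home/rsyncuser/testdir/ /home/rsyncuser/testdir
```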

Attachments

1558689609937000127952_sktwi1f5rjvs16g01.jpeg
1558689608079000127952_sktwi1f5rjvs16g00.jpeg
1558689606226000127952_sktwi1f5rjvs16fzz.jpeg
1558689602911000127952_sktwi1f5rjvs16fzy.jpeg