PAM: Using key authentication ssh to access linux/unix devices


Article ID: 194193


Updated On:


CA Privileged Access Manager (PAM)


This document describes:
How to create the public/private key pair files.
How to transfer the public key to the target device for a specific user.
How to test the key pair login from one Linux box to another, to verify that everything is in place.
How to use the private key to access the Linux device from within the PAM SSH applet.


Product: Layer 7 Privileged Access Manager.
Version: 3.x

A Linux box, jpplab160, where we create the key pair.
A Linux box, jpplab162, where we install the public key so that it can be accessed from PAM.


From computer jpplab160, in the root home folder, run the command 'ssh-keygen -t rsa -f .ssh/keyfile' to generate the public/private RSA key pair.
During the execution of the command you will be prompted for a passphrase to protect the private key.

The output files keyfile and keyfile.pub (private and public key files) have been created in the hidden .ssh folder:

Verify, by running the 'cat .ssh/keyfile' command, that the private key header and footer are exactly '-----BEGIN RSA PRIVATE KEY-----' and '-----END RSA PRIVATE KEY-----'.
If they are not exactly like this, the private RSA key file will not be recognized by PAM. Note that OpenSSH 7.8 and later write the '-----BEGIN OPENSSH PRIVATE KEY-----' container by default; pass the '-m PEM' option to ssh-keygen to obtain the RSA PEM format shown above.

Make sure that on computer jpplab162 the .ssh folder in the user1 home directory has the permissions 'drwx------.' (mode 700).
As we want to use this key pair to log in as user1 on computer jpplab162, we transfer the public key to this computer with the 'ssh-copy-id -i .ssh/keyfile user1@jpplab162' command.
During the execution of the command you will be prompted for the user1 password on jpplab162:

Now try to log in to the remote Linux computer with the 'ssh -i .ssh/keyfile user1@jpplab162' command.
During the execution of the command you will be asked for the passphrase, if one was defined earlier:

At this point we have verified that the key pair works, since we could successfully log in from one computer to the other.
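As an added example (not part of the original article), the two checks above scripted for POSIX sh: that the private key file carries the PEM RSA framing PAM recognizes, and that the target user's .ssh directory is mode 700; the function names are the editor's, and '-m PEM' is the real ssh-keygen option for the legacy PEM container.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# key pair before it is copied to the target or imported into PAM.

# Return 0 if the private key file is framed as PAM expects (PEM RSA),
# 1 if the framing differs (for instance the OPENSSH PRIVATE KEY container
# that OpenSSH 7.8+ writes by default), 2 if the file cannot be read.
pam_key_framing() {
  key="$1"
  [ -r "$key" ] || return 2
  first=$(head -n 1 "$key")
  last=$(tail -n 1 "$key")
  [ "$first" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
  [ "$last" = "-----END RSA PRIVATE KEY-----" ] || return 1
}

# Return 0 only when the directory is mode 700 (drwx------), as required for
# ~user1/.ssh on the target. Only the first ten characters of 'ls -ld' are
# compared, so a trailing ACL or SELinux marker ('+' or '.') does not matter.
ssh_dir_perms_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "drwx------" ]
}

# Generate the RSA key pair the way the article does, adding -m PEM so that
# current OpenSSH writes the PEM container, then confirm the framing before
# the key goes anywhere. ssh-keygen prompts for the passphrase interactively.
generate_pam_key() {
  out="$1"
  ssh-keygen -t rsa -b 4096 -m PEM -f "$out" && pam_key_framing "$out"
}
```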

Now we will use the private key from within PAM to start an SSH session to the device jpplab162 as user user1, without using a password.
Transfer the private key file named keyfile to the workstation the PAM Client is running on.
Open the PAM Client and go to 'Credentials / Manage Targets / SSH Key Pair Policies':


Press the 'ADD' button and, in the 'Add SSH Key Pair Policy' window, fill in the fields and click the 'OK' button:

Go to 'Devices / Manage Devices' and verify that the computer you want to connect to (in our case jpplab162) has the ssh access method enabled:

Go to 'Credentials / Manage Target / Applications' and define a target application to access the device:

Click on the 'Script Processor' tab and select the proper OS, in our case Linux:

Click on the 'SSH-2' tab and select the 'SSH Key Pair Policy' we previously defined and click 'OK':

Go to 'Credentials / Manage Target / Accounts' and define a target account for the user1 user using the previously defined Key_SSH target application.
Expand the 'Protocol' drop-down list and select 'SSH-2 Public Key Authentication', as shown in the image:

Press the 'CHOOSE FILE' button next to the 'Private Key' label and import the private key file keyfile you previously transferred to the PAM Client workstation:

Add the passphrase for the private key if you defined one (in our case we did):

Select the 'Password' tab and select 'Update both the Credential Manager Server and the target system' and press 'OK':

If everything is OK, the 'Verified' value should show a green check mark:

Go to 'Policies / Manage Policies' and create a new policy to access the device:

Select the 'Access' tab and make sure that the 'SSH:22' is in the 'Selected Access' list:


Click on the magnifying glass and make sure that the 'Key-SSH - user1' is in the 'Selected Target Account' list and click 'OK' twice:

Go to the 'Access' tab and click on the 'SSH' tile. An SSH session should open automatically, without the need to type any password: