Our organization uses SecureCRT as an SSH client. We are moving SSH access to target devices to PAM, but would like to continue using the SSH client that our users are familiar with. Can we configure a TCP/UDP service such that it launches SecureCRT on the user's desktop and provides auto-logon with a target account specified in the access policy?
Release : Applies to any PAM release
This can be accomplished with a TCP/UDP service using Application Protocol SSH and the following Client Application string:
"C:\Program Files\VanDyke Software\SecureCRT\securecrt.exe " /T /N "<Device Name>" /TITLEBAR "Launched By PAM" /SSH2 /L <User> <Local IP> /P <First Port>
Note that it is NOT necessary to use the /PASSWORD command line option. The SSH Proxy service running on the PAM server knows when to inject the password of the target account configured for autologon. We recommend not to use this parameter, because it would expose the target account password to the PAM user.
When launching the service, the SecureCRT client will be started, have title "Launched by PAM" and use the name of the device in PAM, here RP-GCVE-RHEL7, as label for this connection:
Additional service launches will add new tabs in the existing client due to the use of the "/T" option.
To review available command line options with SecureCRT, click on the Help menu, select Help Topics, go to the Index tab and find index "command-line options".
A list of available tokens, such as <User> and <Device Name>, in the Client Application string is provided on PAM documenation page Create TCP/UDP Services to Access a Device.
The path to the securecrt.exe binary provided above, "C:\Program Files\VanDyke Software\SecureCRT\securecrt.exe ", is right for a 64-bit SecureCRT client installation for all users. Adjust the path as needed. Individual PAM users can customize the path by clicking on the "Set or change local application" link in the popup that shows for a few seconds on the PAM client after launching the service. Note that they will have to enter the full client application string with all arguments, not just the path to the executable. This local (user-specific) configuration will not be overwritten when a PAM admin updates the TCP/UDP service.