PAM 4.2.1 introduced a new feature that allows PAM users to launch SSH access sessions from a browser without having to install the PAM client on their workstation. The example provided in PAM documentation is for an ssh command launched from a command prompt, e.g. from a PowerShell window. Many PAM users have the MobaXterm client installed on their workstation. Is the PAM Gateway for SSH compatible with this client?
MobaXterm can be configured to work with the PAM SSH Gateway. The following information assumes that you have already followed the instructions on the documentation page "Access Terminal Access Target Devices Using an SSH Client" to generate a key pair and upload the public key to PAM, and that a PAM administrator has configured policies to grant you access to SSH servers through PAM. With these prerequisites in place, a browser session into PAM will show SSH icons for those SSH servers on the access page. When you click on one of those icons to launch a session, you get a popup similar to the following:
The PAM admin configured a validity period for the trusted user certificate. If the last generated certificate has expired already, download a new certificate by clicking on the icon shown in the green box above, and copy it to where your own key pair is stored. See the documentation page mentioned above for details. After this you are ready to launch your SSH client, in this case MobaXterm.
The command string in the SSH Connection popup specifies the private key file name (here pam124_key), a complex "user" string including the SSH server address (IP ending in .121), and the PAM server address (IP ending in .124) and port number (22222) of the SSH gateway running on the PAM server. These can be entered in a MobaXterm configuration as shown in the following screenshot:
Now when you launch this session, PAM will automatically log you on to the SSH server with the credentials of the target account configured for auto-login, in this case the account with name pamadmin1. Assuming that your private key requires a passphrase, you will be asked to enter that before the connection is established.
None of the configuration strings are expected to change, as long as the access policy in PAM doesn't change. Therefore the sessions can be saved and reused later on. As mentioned above, the trusted user certificate has a limited validity period, as configured by the PAM administrator, and you will have to keep refreshing it. That is independent of which SSH client you use.
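Because a saved MobaXterm session outlives the trusted user certificate, it helps to check the certificate's remaining validity before connecting. The following is an added example, not part of the PAM documentation or product: it assumes the downloaded certificate is a standard OpenSSH user certificate (a single `*-cert.pub` style line), and the sample certificate it builds is constructed with a dummy key and no real signature.

```python
import base64
import struct
import time

# Length-prefixed public-key fields between nonce and serial (OpenSSH PROTOCOL.certkeys).
PUBKEY_FIELDS = {"ssh-rsa": 2, "ssh-ed25519": 1, "ecdsa-sha2": 2}
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value meaning "never expires"

def _s(data):  # encode an SSH wire string; used only to build the sample
    return struct.pack(">I", len(data)) + data

def _read(blob, pos):
    """Read one SSH wire string: uint32 length followed by that many bytes."""
    (length,) = struct.unpack_from(">I", blob, pos)
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated certificate")
    return blob[pos + 4:end], end

def cert_validity(cert_line):
    """Return (key_id, valid_after, valid_before) from a certificate line."""
    blob = base64.b64decode(cert_line.split()[1])
    raw_type, pos = _read(blob, 0)
    key_type = raw_type.decode("ascii")
    fields = next((n for p, n in PUBKEY_FIELDS.items() if key_type.startswith(p)), None)
    if fields is None or not key_type.endswith("-cert-v01@openssh.com"):
        raise ValueError("unsupported or non-certificate key type: " + key_type)
    for _ in range(1 + fields):           # skip nonce and public-key fields
        _, pos = _read(blob, pos)
    pos += 12                             # uint64 serial + uint32 cert type
    key_id, pos = _read(blob, pos)
    _, pos = _read(blob, pos)             # valid principals
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return key_id.decode("utf-8"), valid_after, valid_before

def seconds_left(cert_line, now=None):
    """Seconds until expiry; negative if expired, None if it never expires."""
    now = time.time() if now is None else now
    _, valid_after, valid_before = cert_validity(cert_line)
    if now < valid_after:
        raise ValueError("certificate is not valid yet")
    return None if valid_before == FOREVER else int(valid_before - now)

def sample_cert(valid_after, valid_before):
    """Constructed Ed25519 user certificate with dummy key and empty signature."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (_s(t) + _s(b"\0" * 32) + _s(b"\1" * 32) + struct.pack(">QI", 0, 1)
            + _s(b"sample-id") + _s(_s(b"sample-user"))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") * 5)
    return t.decode() + " " + base64.b64encode(blob).decode() + " constructed"
```

To use it on a real certificate, pass the single line read from the certificate file stored next to your private key to `seconds_left`; a negative result means a new certificate has to be downloaded from PAM.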