Configure PAM SSH Gateway with Putty and MobaXterm

Article ID: 431410

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

There are situations where it is not possible to use the CA PAM client to connect to PAM and to the final Linux endpoints, and it is necessary to use the PAM Gateway for ssh instead.

The specific configuration steps can be found in the documentation, so they will not be covered in this article.

Since this login method implies a certain degree of complexity, one may wonder whether there is a way to automate connections using a third-party client such as Putty or MobaXterm, so that the final user needs to do only minimal configuration.

This article provides the configuration steps needed to use Putty and MobaXterm to connect to a remote endpoint through the PAM Gateway for SSH.

Environment

CA PAM 4.2.1 and later

Resolution

In what follows we will assume that we are connecting to a remote endpoint with IP address 192.0.2.10 and target account <targetuser> through the PAM appliance 192.0.2.20.

On this PAM appliance the PAM Gateway for SSH has been configured to listen on port 22222.

There is a PAM user <user>, who connects to PAM appliance 192.168.0.20 and is trying to connect to the remote Linux endpoint 192.0.2.10 as <targetuser>. To this effect a policy has been assigned to <user> for endpoint 192.0.2.10 with autologin as <targetuser>.

<user> connects to PAM from a Windows workstation and has generated a public/private keypair id_rsa.pub/id_rsa (plus the converted id_rsa.ppk for use with Putty and MobaXterm), which are stored under C:\Users\<user>\.ssh\.

PAM user <user> has accessed PAM and configured their extended identity with the public key, id_rsa.pub, as stated in the documentation. They have also downloaded from the access page the PAM Gateway for ssh certificate id_rsa-cert.pub, protected with the PAM Gateway for ssh private key.

Whenever trying to connect to endpoint 192.0.2.10 using the PAM Gateway for ssh, <user> will be prompted to paste the following string on the command line while in C:\Users\<user>\.ssh\:

ssh -i id_rsa <targetuser>@56001@[email protected]:22@192.0.2.20 -p 22222

So if <user> goes to C:\Users\<user>\.ssh\, which contains id_rsa, id_rsa.pub and id_rsa-cert.pub, and runs this command, the login should succeed.

To configure Putty and MobaXterm to do the same, follow these steps.

Configuration for Putty

  • Under Connection --> Cyphers --> Private key, specify the path to the generated private key converted into Putty format. In this example that would be C:\users\<user>\.ssh\id_rsa.ppk
  • Under Connection --> Cyphers --> Certificate to use with Private Key, specify the path to the PAM ssh gateway certificate downloaded from PAM on connecting or from the access page, in this case C:\users\<user>\.ssh\id_rsa-cert.pub
  • Under Data --> Auto Login Username, enter the first part of the ssh gateway connection string, so: <targetuser>@56001@[email protected]:22
  • For Connection, specify as Hostname the IP address of the PAM appliance, in this case 192.0.2.20, and as port the port from the connection string, 22222

Save the session under a name, <session>. Using the <session> configuration to initiate an ssh gateway connection will enable <user> to connect to endpoint 192.0.2.20 as <targetuser>. If id_rsa, id_rsa.pub or id_rsa-cert.pub change, the new files need to be placed in the same location as the old ones so that the saved Putty session picks them up.

Note as well that, configured this way, the Auto Login name has been filled in with <targetuser>@56001@[email protected]:22, which means PAM will try to connect to this specific endpoint as user <targetuser>, so it is a very specific use case. This configuration will only be usable with endpoint 192.0.2.10 when connecting as user <targetuser>.

If a more generic configuration is needed, leave the Data --> Auto Login Username field blank and, for each connection, copy the first part of the connection string (e.g. <targetuser>@56001@[email protected]:22) and use it as the login username in Putty. This requires, however, a bit more knowledge on the part of the final user.

In all cases the password requested is the private key passphrase, so it is important that the private key installed in the user's directories is actually protected by a passphrase; otherwise this mechanism provides straight autologin for as long as the certificate and keys remain valid.

Configuration for MobaXterm

  • Create an ssh session <session> in MobaXterm that you can use for storing the connection configuration
  • As Remote Host for the session you have just created, specify the IP address of the PAM appliance, in the example 192.0.2.20, and as Port the corresponding port from the connection string, so 22222
  • For Specify Username, enter <targetuser>@56001@[email protected]:22, i.e. the first part of the connection string as indicated earlier
  • Then in Advanced SSH settings for this session, specify in Use Private Key the location of the id_rsa.ppk key, in this example C:\users\<user>\.ssh\id_rsa.ppk
  • Still under Advanced SSH settings, choose Expert SSH Settings and in Use Certificate with Public Key specify the path to the PAM certificate protected with the PAM Gateway for ssh key, in this case C:\users\<user>\.ssh\id_rsa-cert.pub
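Both the Putty and the MobaXterm procedures above fill in the same four values taken from the gateway connection string, and both depend on the .ppk key being passphrase-protected. The following helper is an added example (not CA PAM or Putty code) that splits a connection string into those session fields and checks the PPK header for the protection caveat. The sample command's login portion and the user's home directory are constructed placeholders; the KEY.ppk and KEY-cert.pub file names follow this article's naming convention.

```python
import shlex
from typing import Dict


def parse_gateway_command(cmd: str) -> Dict[str, str]:
    """Split 'ssh -i KEY LOGIN@PAMHOST -p PORT' into its parts.
    LOGIN itself contains '@' signs, so only the LAST '@' separates
    the gateway login name from the PAM appliance address."""
    tokens = shlex.split(cmd)
    if not tokens or tokens[0] != "ssh":
        raise ValueError("expected an ssh command line")
    result = {"key": "", "port": "22", "login": "", "host": ""}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-i":
            result["key"] = tokens[i + 1]; i += 2
        elif tok == "-p":
            result["port"] = tokens[i + 1]; i += 2
        elif "@" in tok:
            result["login"], result["host"] = tok.rsplit("@", 1); i += 1
        else:
            raise ValueError(f"unexpected token: {tok}")
    if not result["login"] or not result["host"]:
        raise ValueError("no LOGIN@PAMHOST target found")
    return result


def session_fields(cmd: str, ssh_dir: str) -> Dict[str, str]:
    """Map the parsed command onto the fields filled in for Putty/MobaXterm.
    Assumes KEY.ppk (converted key) and KEY-cert.pub (gateway certificate)
    both live in ssh_dir, as in the article."""
    p = parse_gateway_command(cmd)
    return {
        "Host Name": p["host"],
        "Port": p["port"],
        "Auto-login username": p["login"],
        "Private key": f"{ssh_dir}\\{p['key']}.ppk",
        "Certificate": f"{ssh_dir}\\{p['key']}-cert.pub",
    }


def ppk_is_encrypted(ppk_text: str) -> bool:
    """True if the PPK header says the private part is passphrase-protected.
    'Encryption: none' means the saved session would log in with no prompt."""
    for line in ppk_text.splitlines():
        if line.startswith("Encryption:"):
            return line.split(":", 1)[1].strip().lower() != "none"
    raise ValueError("not a PPK file: no Encryption header")


# Constructed sample inputs; the login portion is a placeholder layout.
SAMPLE_CMD = "ssh -i id_rsa targetuser@56001@pamuser@192.0.2.10:22@192.0.2.20 -p 22222"
ENCRYPTED_PPK = "PuTTY-User-Key-File-3: ssh-rsa\nEncryption: aes256-cbc\nComment: rsa-key\n"
PLAIN_PPK = "PuTTY-User-Key-File-3: ssh-rsa\nEncryption: none\nComment: rsa-key\n"
```

Run ppk_is_encrypted over the key file before saving a session; a False result means the stored session gives unattended access while the certificate is valid.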

Additional Information

This article overlaps partially with KB398618.