Enable SSH Transparent Login for Device Groups

Article ID: 7781
Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager (PAM)

Issue/Introduction

You can provision a CA Privileged Access Manager device to permit execution of sudo or BeyondTrust PowerBroker pbrun using the login password for the device from the SSH Access Method applet.

Important:

  • Security Requirement: Configure sudo or pbrun on the target so that each execution requires a password from the client. Otherwise, security can be compromised.
  • Transparent login cannot be applied to Device Groups.

Policy setup against an individual device -- the Transparent Login option is available:

<Please see attached file for image>

Policy setup against a Device Group -- the Transparent Login option is not available:

<Please see attached file for image>

Cause

The SSH Transparent Login option is made available to a policy against an individual device ONLY when Transparent Login is configured at the device level. Device Groups have no device-level Transparent Login configuration, so the option is not offered for them.

Environment

Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY
Component:

Resolution

Create a dummy RDP Application ('Hide from User' option checked) in PAM and associate that service with the Device Group:

<Please see attached file for image>

<Please see attached file for image>

The Transparent Login option is now made available to the Device Group:

<Please see attached file for image>

NOTE:

Because the check for Transparent Login configuration is performed at the device level, the suggested workaround effectively bypasses this validation. Hence, Transparent Login might be enabled at the Device Group level, but the Transparent Login configuration still needs to be done at the device level for each device in the group.

Also, the suggested workaround is not suitable for 'Command String' Transparent Login.

Additional Information

https://docops.ca.com/ca-privileged-access-manager/2-8-3/EN/implementing/provision-your-server/provisioning-devices/set-up-transparent-login/ssh-connections

https://communities.ca.com/community/ca-security/ca-privileged-access-management/blog/2017/08/21/tech-tip-ca-privileged-access-manager-enable-ssh-transparent-login-for-device-groups

Attachments

1558700076034000007781_sktwi1f5rjvs16oxa.png
1558700074110000007781_sktwi1f5rjvs16ox9.png
1558700071544000007781_sktwi1f5rjvs16ox8.png
1558700069712000007781_sktwi1f5rjvs16ox7.png
1558700067530000007781_sktwi1f5rjvs16ox6.png