Our organization uses SecureCRT as an SSH client. We are moving SSH access to target devices to PAM, but would like to continue using the SSH client that our users are familiar with. Can we configure a TCP/UDP service such that it launches SecureCRT on the user's desktop and provides auto-logon with a target account specified in the access policy?
This can be accomplished with a TCP/UDP service using Application Protocol SSH and the following Client Application string:
"C:\Program Files\VanDyke Software\SecureCRT\securecrt.exe " /T /N "<Device Name>" /TITLEBAR "Launched By PAM" /SSH2 /L <User> <Local IP> /P <First Port>
Note that it is NOT necessary to use the /PASSWORD command line option. The SSH Proxy service running on the PAM server knows when to inject the password of the target account configured for autologon. We recommend not using this parameter, because it would expose the target account password to the PAM user.
Because the Client Application text box is a single line and tends to not show the full string, it is recommended to copy the string you use into the Comments field so you can easily see what you configured.
When the service is launched, the SecureCRT client starts from the path specified in the Client Application string, shows the title "Launched By PAM", and uses the name of the device in PAM, here MY-SSH-SERVER, as the label for this connection.
Additional service launches will add new tabs in the existing client due to the use of the "/T" option.
To review the command line options available in SecureCRT, click on the Help menu, select Help Topics, go to the Index tab and find the index entry "command-line options".
A list of available tokens for the Client Application string, such as <User> and <Device Name>, is provided on the PAM documentation page "Create TCP/UDP Services to Access a Device".
The path to the securecrt.exe binary provided above, "C:\Program Files\VanDyke Software\SecureCRT\securecrt.exe ", is right for a 64-bit SecureCRT client installation for all users. Adjust the path as needed. Individual PAM users can customize the path by clicking on the "Set or change local application" link in the popup that shows for a few seconds on the PAM client after launching the service. Note that they will have to enter the full client application string with all arguments, not just the path to the executable. This local (user-specific) configuration will not be overwritten when a PAM admin updates the TCP/UDP service.
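A check that an administrator could run over a Client Application string before saving it, covering the /PASSWORD recommendation and the token substitution described above. This is an added example, not part of PAM or SecureCRT: the function names and sample values are constructed, and treating option names as case-insensitive is an assumption.

```python
import re

# Constructed sample values for the four tokens used in the string on this page.
SAMPLE_VALUES = {
    "<Device Name>": "MY-SSH-SERVER",
    "<User>": "svc-target",
    "<Local IP>": "127.0.0.1",
    "<First Port>": "50022",
}

def substitute(client_app, values=SAMPLE_VALUES):
    """Replace tokens first: <Local IP> and <First Port> contain spaces and
    are not quoted, so splitting before substitution would break them."""
    for token, value in values.items():
        client_app = client_app.replace(token, value)
    return client_app

def to_argv(command_line):
    """Split a command line into arguments, keeping quoted strings together."""
    parts = re.findall(r'"[^"]*"|\S+', command_line)
    return [p.strip('"').strip() for p in parts]

def audit(client_app, values=SAMPLE_VALUES):
    """Return a list of findings; an empty list means nothing was flagged."""
    line = substitute(client_app, values)
    findings = []
    # Anything still in angle brackets was not substituted by this script.
    for token in re.findall(r"<[^<>]+>", line):
        findings.append(token + ": not a token shown on this page; "
                        "check it against the PAM token list")
    # Assumption: option names are compared case-insensitively.
    options = {a.upper() for a in to_argv(line)[1:] if a.startswith("/")}
    if "/PASSWORD" in options:
        findings.append("/PASSWORD: exposes the target account password "
                        "to the PAM user; remove it")
    return findings

# The string from this page, and a constructed variant that adds /PASSWORD.
GOOD = (r'"C:\Program Files\VanDyke Software\SecureCRT\securecrt.exe " /T /N '
        r'"<Device Name>" /TITLEBAR "Launched By PAM" /SSH2 /L <User> '
        r'<Local IP> /P <First Port>')
BAD = GOOD + " /password EXAMPLE-ONLY"

if __name__ == "__main__":
    print(to_argv(substitute(GOOD)))
    for name, s in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(s) or "no findings")
```

The same check applies to the local, user-specific strings entered through "Set or change local application", since those are not overwritten when the service is updated.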