Create SSH Credentials

You can create Public Key Encryption credentials to connect to SSH-configured targets. You can select a credential that contains a public and private key pair used for SSH connections.

DSA and RSA key formats are supported.

Optionally, when configuring SSH, you can select to elevate the credential. Using sudo, you can access scan targets that are not configured to allow root accounts to log on remotely. You can log on as a normal user and use sudo to connect with a more privileged account. Additionally, you can use sudo to elevate the same account to get more permissions. Using pbrun, you can elevate the credential when working with Privilege Management for Unix & Linux target assets.

  1. In the BeyondInsight console, navigate to Configuration > Discovery Management > Credentials.
  2. Click Create Credential.
  3. Screenshot of the Create Credentials section highlighting SSH

  4. From the Type list, select SSH from the Type list.
  5. Select an authentication type.
    • Plain text: Enter a Username and Password.
    • Public Key: Upload a private key file, and then enter a Username and Passphrase. A public key is generated based on the contents of the private key.
  6. Enter a Description and Key.
  7. Elevating credentials is optional. To elevate credentials, select one of the following from the Elevation list:
    • sudo: The optional sudo username should be blank in most cases. When blank, commands run with the effective privileges of the root account. If an optional username is entered, sudo runs in the security context of that user.
    • pbrun: Enter the pbrunuser username.
    • Enable: Enter the credentials for Cisco devices. If you are auditing Cisco devices, you can elevate the credentials to privileged for more thorough scans.

This feature propagates credentials stored in BeyondInsight to Discovery Scanner servers and allows end users and API calls to leverage credentials locally on the network scanner. This eliminates the need to provide credentials separately for those scanners.

If the credential name matches an existing credential in the BeyondTrust Discovery Scanner, the credential is overwritten with the value from BeyondInsight.

  1. Click Create Credential..