Configure SSH and RDP Connections
In the Password Safe web portal, requesters can request access to use SSH or RDP remote connections. To permit remote connections, you must configure an access policy.
The following section provides additional information on setting up SSH or RDP connections.
For more information, please see Configure Password Safe Access Policies.
Requirements for SSH
- You must install PuTTY to enable SSH functionality. Go to www.putty.org to download the software.
- If you use a Windows 8 or Windows Server 2012 VMware virtual machine, VMware Tools installs itself as a URL handler for SSH and stops the sample registry script from working. You must remove the registry variable:
Supported SSH Client Algorithms
When Password Safe checks and changes passwords, it uses the algorithms listed below to connect and communicate.

| Setting | Supported values |
|---|---|
| Authentication Methods | Password, Public key, Keyboard interactive |
| Encryption Algorithms | AES, Triple DES, Blowfish, blowfish-ct, blowfish-cbc |
| Encryption Modes | CBC, CTR |
| Host Key Algorithms | RSA, DSS, ecdsa-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, ssh-ed25519 |
| Key Exchange Algorithms | curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 (disabled by default on server side), diffie-hellman-group-exchange-sha1 (disabled by default), diffie-hellman-group1-sha1 (disabled by default) |
| MAC Algorithms | MD5, SHA-1, SHA-2, HMAC-MD5, HMAC-MD5-96, HMAC-SHA1-96 |
| Symmetric Key Algorithms | arcfour256, arcfour128, arcfour |
The algorithms marked as disabled by default in the table above are turned off until you enable them. Use the following registry keys to turn them on:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshKeyExchangeAlgorithms (DWORD) = 1023 (enables all key exchange)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshEncryptionAlgorithms (DWORD) = 31 (sets all encryption algorithms)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\MacAlgorithms (DWORD) = 15 (sets all MAC algorithms)
These values are in decimal.
Weak RSA server host keys shorter than 1024 bits are rejected by default. Use the following registry key to change this setting:
Host Key Algorithms
Below is a list of host key algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:
- ssh-rsa (disabled by default on server side)
- ssh-dss (disabled by default)
Use the following registry key to change the available client host key algorithms:
Use the following registry key to change the available server host key algorithms:
Below is a list of key exchange (KEX) algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:
- diffie-hellman-group14-sha1 (disabled by default on server side)
- diffie-hellman-group-exchange-sha1 (disabled by default)
- diffie-hellman-group1-sha1 (disabled by default)
Use the following registry key to change the available key exchange algorithms for the server side of Password Safe's SSH proxy (between the user's SSH client and the proxy):
Use the following registry key to change the available key exchange algorithms for the client side of Password Safe's SSH proxy (between the proxy and the managed systems):
RSA Host Key Size
You can configure the size (in bits) of the RSA private host key generated and used by Password Safe's SSH server.
Use the following registry key to change the host key size:
Valid values are: 2048 (default), 3072, and 4096.
Auto-Launch PuTTY Registry File
To launch the SSH client automatically, the SSH protocol must be associated with an application. The example below registers PuTTY; to register a different application, change the references to PuTTY so that they point to that application.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ssh]
@="URL:Secure Shell Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\ssh\DefaultIcon]
@="%%ProgramFiles%%\\PuTTY\\putty.exe"

[HKEY_CLASSES_ROOT\ssh\shell]

[HKEY_CLASSES_ROOT\ssh\shell\open]

[HKEY_CLASSES_ROOT\ssh\shell\open\command]
@="cmd /V:ON /s /c @echo off && set url=%1 && for /f \"tokens=1,2,3 delims=:/ \" %%a in (\"!url!\") do set protocol=%%a&set host=%%b&set port=%%c && start \"\" \"%%ProgramFiles%%\\PuTTY\\putty.exe\" -P !port! !host!"
Supported SSH Session Protocols
You can use the following protocols with an SSH session: X11, SCP, and SFTP. You also have options to allow local and remote port forwarding.
Use the Registry Editor to turn these settings on. These settings are all of type DWORD with toggle values of either 0 (no) or 1 (yes).
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_x11 = 1 (DWORD)
- Local Port Forwarding: Whether or not to allow local port forwarding requests from the user's SSH client through to the managed system (default: 0).
- Remote Port Forwarding: Whether or not to allow remote port forwarding requests from the user's SSH client through to the managed system (default: 0).
Multiple SSH Sessions
To avoid a potential security risk, only one SSH session is permitted through a single SSH connection.
You can turn on the following registry key to permit more than one session on a connection:
Creating a login account allows the user to open an SSH session in environments where direct remote shell access to the managed account, for instance the root account, is not permitted. The login account is used to establish the initial shell connection, and the session is then switched to the managed account.
The functional account used should be a low-privilege user, not the same elevated functional account that has the privileges to change passwords.
This feature supports the following platforms: AIX, HPUX, Linux, and Solaris.
Enable Login Accounts Manually
To manually enable login accounts, you must enable the function on both the managed system and the managed account you want to use for the SSH session.
- From the Managed Systems page, create a new managed system, or select one from the grid.
- From the menu actions, select Edit Managed System.
- Within the Credentials section, toggle the User Login Account for SSH Sessions option to yes.
- Select your account from the Login Account dropdown.
- Click Update Managed System and dismiss the configuration slide-out.
- From the Managed System menu, select Go to advanced details.
- Select the Managed Accounts tab.
- Select the managed account you wish to edit.
- Within the Credentials section, toggle the Login Account for SSH Sessions option to yes.
- Click Update Account.
Enable Login Accounts with a Smart Rule
For organizations managing many assets and accounts, administrators can enable login accounts with a Smart Rule as follows:
- Create a Smart Rule to manage the assets to use to access the SSH session.
- Select the action Manage Assets using Password Safe.
- Select the platform and the functional account.
- From the Enable Login Account for SSH Session list, select yes.
- Select a login account.
- Create a Smart Rule to manage the managed accounts to allow users to log in for an SSH session.
- In the Actions section, select Managed Account Settings.
- Scroll to Account Options and select Enable Login Account for SSH Sessions.
Use Direct Connect for SSH and RDP Session Requests
You can use Direct Connect for remote session requests for SSH and RDP sessions. Direct Connect requests access to a managed account on behalf of the requester. The requester accesses the system without ever viewing the managed account's credentials.
If the requester is not granted auto-approval for a session, the user receives the message "Request requires approval. If the request is not approved within 5 minutes this connection will close." After 5 minutes the client disconnects and the user can send another connection request. When the request is approved, the user is automatically connected.
When there is an existing request for the system and account, the request is reused and the session created.
SSH Session Requests
Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections. The requester's information, including the Reason and the Request Duration, is auto-populated with default Password Safe settings.
To access a managed account or application using Direct Connect, the requester has to connect to Password Safe's SSH Proxy using a custom SSH connection string with one of the following formats:
- For UPN credentials:
<Requester>+<Username@Domain>+<System Name>@<Password Safe>
- For down-level logon names or non-domain credentials:
<Requester>@<Domain\\Username>@<System Name>@<Password Safe>
Instead of the default SSH port, connect to port 4422. The requester is then prompted to enter their password, which they use to authenticate with Password Safe.
- For UPN credentials:
ssh -p 4422 <Requester>+<Username@Domain>+<System Name>@<Password Safe>
- For down-level logon names or non-domain credentials:
ssh -p 4422 <Requester>@<Domain\\Username>@<System Name>@<Password Safe>
- For an SSH application:
ssh -p 4422 <Requester>@<Account name>:<Application alias>@<System name>@<Password Safe>
Once the requester is authenticated, they are immediately connected to the desired machine.
RDP Session Requests
LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.
To request an RDP session using Direct Connect:
- Click the arrow to download the RDP Direct Connect file from Password Safe.
This is a one-time download. Each account and system combination requires that the user download the unique RDP file associated with it.
- Run the file to establish a connection to the targeted system.
- The requester is then prompted to enter the password they use to authenticate with Password Safe.
Direct Connect Delimiters
You can customize the character delimiters accepted in a Direct Connect connection string (in addition to + and @) by setting the following registry key:
Additionally, you can enable support for a dynamic delimiter. When this is enabled, any connection string that starts and ends with the same non-alphanumeric character is split on that character.
ssh -p 4422 /requestor/maccount/msystem/@bihost
To enable dynamic delimiters (default is off), set the following registry key:
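The connection string formats above (UPN, down-level, SSH application) and the dynamic delimiter can be modelled as one parser. The following is an added illustrative example, not Password Safe's own parsing code; the host is taken as everything after the last @, the user part is then split on the dynamic delimiter or on the first configured delimiter that yields exactly three fields, and the sample targets are constructed.

```python
"""Illustrative parser for Password Safe Direct Connect SSH target strings."""

DEFAULT_DELIMITERS = "+@"  # delimiters the documentation lists; custom ones are added via the registry key


def parse_direct_connect(target: str, delimiters: str = DEFAULT_DELIMITERS,
                         dynamic: bool = False) -> dict:
    """Split '<user part>@<Password Safe host>' into its Direct Connect fields.

    The Password Safe host is everything after the last '@'. The user part is
    split into requester, account and system either on the dynamic delimiter
    (the same non-alphanumeric character at both ends) or on the first
    configured delimiter that yields exactly three non-empty fields.
    """
    user_part, sep, host = target.rpartition("@")
    if not sep or not host or not user_part:
        raise ValueError("missing '@<Password Safe host>' suffix")

    fields = None
    first, last = user_part[0], user_part[-1]
    if dynamic and first == last and not first.isalnum() and first != "@":
        # Dynamic delimiter: drop the bounding characters and split on them.
        fields = user_part[1:-1].split(first)
    else:
        for delim in delimiters:
            candidate = user_part.split(delim)
            if len(candidate) == 3 and all(candidate):
                fields = candidate
                break
    if fields is None or len(fields) != 3 or not all(fields):
        raise ValueError(f"cannot split {user_part!r} into requester, account and system")

    requester, account, system = fields
    # '<Account name>:<Application alias>' selects an SSH application.
    account, _, application = account.partition(":")
    return {"requester": requester, "account": account,
            "application": application or None, "system": system, "host": host}


if __name__ == "__main__":
    # Constructed targets in each documented format (names are placeholders).
    for example, kwargs in [
        ("alice+svc@corp.example+web01@pws.example", {}),
        ("alice@CORP\\svc@web01@pws.example", {}),
        ("alice@svc:oracle@db01@pws.example", {}),
        ("/requestor/maccount/msystem/@bihost", {"dynamic": True}),
    ]:
        print(example, "->", parse_direct_connect(example, **kwargs))
```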
Use Two-Factor Authentication Token
RDP and SSH Direct Connect sessions support using a two-factor authentication token.
- RDP session: A delimiter (,) must be entered after you enter the password. For example: password, token
The delimiter can be changed using the following registry key:
The delimiter must be excluded from user login passwords.
- SSH session: You are prompted to enter a token after you enter the password.
Configure RDP Sessions
To ensure secure communications, an RDP session uses the same certificate as the certificate created for the web portal. The certificate supports SSL/TLS authentication types.
Create a Certificate and Add to the BeyondInsight Server
To avoid certificate error messages when initiating an RDP session, create a certificate signed by a valid Certificate Authority (CA) for the BeyondInsight server. Add that certificate and the certificate chain to the BeyondInsight server certificate stores. Use the high-level steps below as guidance:
Create the Certificate Request
- On the BeyondInsight server, open IIS Manager.
- On the local host node, select Server Certificates, and then select Create Certificate Request.
- Go through the Request Certificate wizard. On the Cryptographic Service Provider Properties page, select a bit length of 2048.
For the common name, enter the server name, which might be an IP address, the server short name, or a fully qualified domain name:
common name = <servername>
- Enter a file name for the certificate request and set the location to the desktop.
Sign the Certificate
The procedure for signing the certificate varies, depending on your company’s CA implementation.
- Go to your Certificate Authority website.
- On the Certificate Request or Renewal Request page, copy the text from the certificate request file.
- Be sure to select Web Server as the Certificate Template type.
- After you click Submit, download the certificate and certificate chain to your desktop.
- Copy the files to the BeyondInsight server desktop. This will be the server certificate.
- Open IIS Manager on the BeyondInsight server, and click Complete Certificate Request.
- On the Specify Certificate Authority Response page, find the file on your desktop, enter a friendly name, and use the default Personal certificate store.
Bind the Server Certificate to the Default Web Site in IIS
- Right-click Default Web Site, and then select Edit Bindings.
- Select https on port 443, and then click Edit.
- From the SSL certificate list, select the server certificate created earlier, and then click OK.
Add Certificate Chain
- On the BeyondInsight server, open mmc and add the Certificates snap-in.
- Expand Trusted Root Certification Authorities.
- Right-click Certificates then select All Tasks > Import.
- Go through the Certificate Import wizard to import the certificate chain file (created earlier).
- Select the appropriate file extension. Be sure to store the certificate in Trusted Root Certification Authorities.
Enable Smart Sizing
When in an RDP session, the user can choose to smart size the client window so that no scroll bars display.
You can enable Smart Sizing on the Session Monitoring Configuration page by checking the box.
Turn Off Font Smoothing
Font smoothing is turned on by default. To turn off font smoothing, change the following registry key value from 0 to 1.
Ports can be configured using the BeyondInsight configuration tool. In the configuration tool, scroll to the Password Safe section to set all port values.
The default inbound port connections to the Password Safe proxy:
- RDP: 4489
- SSH: 4422
- Session Monitoring Listen Host: 127.0.0.1
- Session Monitoring Listen Port: 4488
- Session Monitoring RDP Listen Port: 4489
- Session Monitoring SSH Listen Port: 4422
Session Countdown Duration
You can configure the maximum amount of time for which the session countdown timer is displayed by setting the following registry key: