Configure SSH and RDP Connections

In the Password Safe web portal, requesters can request access to use SSH or RDP remote connections. To permit remote connections, you must configure an access policy.

The following section provides additional information on setting up SSH or RDP connections.

For more information, please see Configure Password Safe Access Policies.

Requirements for SSH

  • You must install PuTTY (or another SSH client registered as the handler for ssh: URLs, as described under Auto-Launch PuTTY Registry File below) to enable SSH functionality. Go to www.putty.org and download the software.
  • If you use a Windows 8 or Windows Server 2012 VMware virtual machine, VMware Tools registers itself as the URL handler for SSH and stops the sample registry script from working. You must remove the following registry value:

    [HKEY_LOCAL_MACHINE\SOFTWARE\VMware Inc.\VMwareHostOpen\Capabilities\UrlAssociations]
    "ssh"="VMwareHostOpen.AssocUrl"

Supported SSH Client Algorithms

When Password Safe checks and changes passwords, it uses the following algorithms to connect and communicate.

  Authentication Methods:    Password, Public key, Keyboard interactive
  Encryption Algorithms:     AES, Triple DES, Blowfish, blowfish-ctr, blowfish-cbc
  Encryption Modes:          CBC, CTR
  Host Key Algorithms:       RSA, DSS, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519
  Key Exchange Algorithms:   curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
  MAC Algorithms:            MD5, SHA-1, SHA-2, HMAC-MD5, HMAC-MD5-96, HMAC-SHA1-96
  Symmetric Key Algorithms:  arcfour256, arcfour128, arcfour

The following older algorithms (SHA-1 key exchange including the 1024-bit group1, Blowfish, 3DES, RC4, CBC-mode AES, and MD5 or truncated MACs) are grouped separately. The registry values after the list determine which key exchange, encryption, and MAC algorithms the password check and change client enables:

  Key exchange:  diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1
  Encryption:    blowfish-ctr, blowfish-cbc, 3des-cbc, arcfour256, arcfour128, arcfour, aes256-cbc, aes192-cbc, aes128-cbc
  MAC:           HMAC-MD5, HMAC-MD5-96, HMAC-SHA1-96

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshKeyExchangeAlgorithms (DWORD) = 1023 (enables all key exchange algorithms)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshEncryptionAlgorithms (DWORD) = 31 (enables all encryption algorithms)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\MacAlgorithms (DWORD) = 15 (enables all MAC algorithms)

These values are decimal bitmasks. Only the all-enabled values are documented here, so do not assume which bit corresponds to which algorithm.

RSA server host keys shorter than 1024 bits are rejected by default. Use the following registry value to change the minimum accepted size:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshMinimumRsaKeySize (DWORD) = 1024 (minimum RSA host key size, in bits)

Lowering the value below 1024 accepts host keys that are deprecated for this purpose; raise it to 2048 once no managed system still presents a shorter key.

Below is a list of host key algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519
  • rsa-sha2-512
  • rsa-sha2-256
  • ssh-rsa
  • ssh-dss (disabled by default)

Use the following registry value to change the host key algorithms accepted on the client side of Password Safe's SSH proxy (between the proxy and the managed systems):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms (REG_MULTI_SZ)

Use the following registry value to change the host key algorithms offered on the server side of Password Safe's SSH proxy (between the user's SSH client and the proxy):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms (REG_MULTI_SZ)

Below is a list of key exchange algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

  • curve25519-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha1 (disabled by default)
  • diffie-hellman-group1-sha1 (disabled by default)

Use the following registry key to change the available key exchange algorithms for the server side of Password Safe's SSH proxy (between the user's SSH client and the proxy):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\kex_algorithms (REG_MULTI_SZ)

Use the following registry key to change the available key exchange algorithms for the client side of Password Safe's SSH proxy (between the proxy and the managed systems):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms (REG_MULTI_SZ)

You can configure the size (in bits) of the RSA private host key generated and used by Password Safe's SSH server.

Use the following registry key to change the host key size:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\rsa_host_key_size (REG_DWORD)

Valid values are: 2048 (default), 3072, and 4096.

Auto-Launch PuTTY Registry File

To launch the SSH client automatically from the web portal, the ssh URL protocol must be associated with an application on the user's workstation. The registry file below registers PuTTY; to register a different SSH client, change the PuTTY references to point to that application.

Windows Registry Editor Version 5.00

; Registers PuTTY as the handler for ssh:// URLs. Both putty.exe paths below must point to
; where PuTTY is installed (the DefaultIcon entry uses %ProgramFiles%, the command uses
; %ProgramFiles(x86)%; make them consistent with your installation).
[HKEY_CLASSES_ROOT\ssh]
@="URL:Secure Shell Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\ssh\DefaultIcon]
@="%%ProgramFiles%%\\PuTTY\\putty.exe"

[HKEY_CLASSES_ROOT\ssh\shell]

[HKEY_CLASSES_ROOT\ssh\shell\open]

; Splits the ssh://<host>:<port>/ URL passed as %1 into protocol, host and port on ':' and '/'
; and starts PuTTY against that host and port.
[HKEY_CLASSES_ROOT\ssh\shell\open\command]
@="cmd /V:ON /s /c @echo off && set url=%1 && for /f \"tokens=1,2,3 delims=:/ \" %%a in (\"!url!\") do set protocol=%%a&set host=%%b&set port=%%c && start \"\" \"%%ProgramFiles(x86)%%\\PuTTY\\putty.exe\" -P !port! !host!"

Supported SSH Session Protocols

You can use the following protocols within an SSH session: X11 forwarding, SCP, and SFTP. You can also allow local and remote port forwarding. Port forwarding lets the requester reach any network service the managed system can reach, not only the managed system itself, so leave it disabled unless a workflow requires it.

Use the Registry Editor to turn these settings on. All of these values are of type DWORD and take 0 (no) or 1 (yes).

  • X11 forwarding:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_x11
  • SCP:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_scp
  • SFTP:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_sftp
  • Local port forwarding: whether to allow local port forwarding requests from the user's SSH client through to the managed system (default: 0, no)
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_local_port_forwarding
  • Remote port forwarding: whether to allow remote port forwarding requests from the user's SSH client through to the managed system (default: 0, no)
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_remote_port_forwarding

Multiple SSH Sessions

To avoid a potential security risk, Password Safe by default does not permit more than one session to be multiplexed over a single authenticated SSH connection (which is what an OpenSSH client with ControlMaster enabled attempts).

You can turn on the following registry value to permit more than one session on a connection:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_multiplex = 1 (DWORD)
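The following PowerShell script is an added example, not BeyondTrust code, that audits the ssh_proxy registry values described above (key exchange and host key algorithms, RSA host key size, and the session protocol and multiplexing flags) and, with -Apply, removes the SHA-1 and DSA entries. It assumes that each REG_MULTI_SZ value holds one algorithm name per string, that an unset value means the page's documented default list applies, and that Password Safe must be restarted to pick up changes (check the product documentation before relying on that).

```powershell
# Added example (not BeyondTrust code): audit, and with -Apply harden, the ssh_proxy
# registry values. Assumptions: one algorithm name per REG_MULTI_SZ string, unset values
# mean the documented defaults apply, and Password Safe needs a restart to pick up changes.
# Run from an elevated PowerShell prompt on the Password Safe server.
[CmdletBinding()]
param([switch]$Apply)

$SshProxy = 'HKLM:\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy'

# Page defaults split into what to keep and the SHA-1 / DSA entries to drop. ssh-rsa is
# RSA with SHA-1 signatures; rsa-sha2-256/512 keep RSA host keys usable.
$StrongKex       = 'curve25519-sha256', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384',
                   'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256'
$DefaultKex      = $StrongKex + 'diffie-hellman-group14-sha1'
$WeakKex         = 'diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1',
                   'diffie-hellman-group1-sha1'
$StrongHostKeys  = 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
                   'ssh-ed25519', 'rsa-sha2-512', 'rsa-sha2-256'
$DefaultHostKeys = $StrongHostKeys + 'ssh-rsa'
$WeakHostKeys    = 'ssh-rsa', 'ssh-dss'

# *_algorithms: server side (user's client <-> proxy); client_*: proxy <-> managed systems.
# Dropping ssh-rsa on the client side breaks managed systems whose sshd cannot sign with
# rsa-sha2-*, so test against the oldest managed system before applying it fleet-wide.
$Plan = [ordered]@{
    kex_algorithms             = @{ Default = $DefaultKex;      Desired = $StrongKex;      Weak = $WeakKex }
    client_kex_algorithms      = @{ Default = $DefaultKex;      Desired = $StrongKex;      Weak = $WeakKex }
    host_key_algorithms        = @{ Default = $DefaultHostKeys; Desired = $StrongHostKeys; Weak = $WeakHostKeys }
    client_host_key_algorithms = @{ Default = $DefaultHostKeys; Desired = $StrongHostKeys; Weak = $WeakHostKeys }
}

function Get-RegValue([string]$Name) {
    (Get-ItemProperty -Path $SshProxy -Name $Name -ErrorAction SilentlyContinue).$Name
}
function Set-RegValue([string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $SshProxy)) { New-Item -Path $SshProxy -Force | Out-Null }
    Set-ItemProperty -Path $SshProxy -Name $Name -Value $Value -Type $Type
}

foreach ($name in $Plan.Keys) {
    $p = $Plan[$name]
    $effective = Get-RegValue $name
    if ($null -eq $effective) { $effective = $p.Default }   # unset: built-in default list
    $weak = @($effective | Where-Object { $_ -in $p.Weak })
    if ($weak.Count -eq 0) { Write-Host "${name}: OK"; continue }
    Write-Warning "${name} offers $($weak -join ', ')"
    if ($Apply) { Set-RegValue $name ([string[]]$p.Desired) 'MultiString' }
}

# Proxy host key size: 2048 is the documented default; 3072 and 4096 are the other valid
# values. Changing it makes the proxy generate a new key, so every user's SSH client sees
# a host key change for the proxy; publish the new fingerprint before applying.
$size = Get-RegValue 'rsa_host_key_size'
if (-not $size) { $size = 2048 }
if ($size -lt 3072) {
    Write-Warning "rsa_host_key_size is $size"
    if ($Apply) { Set-RegValue 'rsa_host_key_size' 3072 'DWord' }
}

# Session features. Forwarding lets the requester reach any service the managed system
# can reach, and multiplexing lets extra sessions ride an authenticated connection. The
# page documents 0 as the default only for the two forwarding flags, so unset values for
# the others are reported rather than assumed.
foreach ($flag in 'allow_x11', 'allow_scp', 'allow_sftp', 'allow_local_port_forwarding',
                  'allow_remote_port_forwarding', 'allow_multiplex') {
    $v = Get-RegValue $flag
    if ($v -eq 1)         { Write-Warning "${flag} is enabled (1)" }
    elseif ($null -eq $v) { Write-Host "${flag}: not set (product default applies)" }
    else                  { Write-Host "${flag}: disabled (0)" }
}
```

Run it without -Apply first and compare the warnings against the managed systems you still need to reach; rerun with -Apply only once the oldest of them negotiates an rsa-sha2-* signature and a non-SHA-1 key exchange.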

Enable Login Accounts for SSH Sessions

A login account allows a user to open an SSH session in environments where the managed account is not permitted to log in remotely, for instance when the managed account is root. The login account establishes the initial shell connection, and the session is then switched to the managed account.

The login account should be a low-privilege user, not the elevated functional account that Password Safe uses to change passwords.

This feature supports the following platforms: AIX, HPUX, Linux, and Solaris.

To manually enable login accounts, you must enable the function on both the managed system and the managed account you want to use for the SSH session.

  1. From the Managed Systems page, create a new managed system, or select one from the grid.
  2. From the menu actions, select Edit Managed System.
  3. Within the Credentials section, toggle the User Login Account for SSH Sessions option to yes.
  4. Select your account from the Login Account dropdown.
  5. Click Update Managed System and dismiss the configuration slide-out.
  6. From the Managed System menu, select Go to Advanced Details.
  7. Select the Managed Accounts tab.
  8. Select the managed account you wish to edit.
  9. Within the Credentials section, toggle the Login Account for SSH Sessions option to yes.
  10. Click Update Account.

For organizations managing many assets and accounts, administrators can enable login accounts with a Smart Rule as follows:

  1. Create a Smart Rule to manage the assets which will be used to access the SSH session.
  2. Select the action Manage Assets using Password Safe.
  3. Select the platform and the functional account.
  4. From the Enable Login Account for SSH Session list, select yes.
  5. Select a login account.
  6. Create a Smart Rule to manage the managed accounts which will allow users to log in for an SSH session.
  7. In the Actions section, select Managed Account Settings.
  8. Scroll to Account Options and select Enable Login Account for SSH Sessions.

Use Direct Connect for SSH and RDP Session Requests

You can use Direct Connect for remote session requests for SSH and RDP sessions. Direct Connect requests access to a managed account on behalf of the requester. The requester accesses the system without ever viewing the managed account's credentials.

If the requester is not granted auto-approval for a session, the user receives a message stating Request requires approval. If the request is not approved within 5 minutes this connection will close. After 5 minutes the client disconnects and the user can send another connection request. When the request is approved, the user is automatically connected.

When there is an existing request for the system and account, the request is reused and the session created.

Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections. The requester's information, including the Reason and the Request Duration, are auto-populated with default Password Safe settings.

To access a managed account using Direct Connect, the requester connects to the Password Safe SSH proxy (default port 4422, not the standard SSH port 22) with a user name that encodes the requester, the managed account, and the managed system. The SSH client sends everything before the last @ as the user name, so the connection strings have the following formats:

  • For UPN credentials:
    ssh -p 4422 <Requester>+<Username@Domain>+<System Name>@<Password Safe>
  • For down-level logon names or non-domain credentials:
    ssh -p 4422 <Requester>@<Domain\\Username>@<System Name>@<Password Safe>

The requester is then prompted for the password they use to authenticate with Password Safe. Once authenticated, the requester is connected to the target system immediately, or after approval as described above.

RDP Direct Connect supports push two-factor authentication. An access-challenge response is not supported.
LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.

To request an RDP session using Direct Connect:

  1. In Password Safe, click the arrow to download the RDP Direct Connect file for the account and system.

     This is a one-time download per account and system combination: each combination has its own RDP file, which the user keeps and reuses.

  2. Run the file to establish a connection to the target system.
  3. When prompted, enter the password used to authenticate with Password Safe.

You can customize the character delimiters accepted in a Direct Connect connection string (in addition to + and @) by setting the following registry key:

HKLM\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\direct_connect\delimiters (REG_SZ)

Additionally, you can enable a dynamic delimiter. When this is enabled, a user-name portion that starts and ends with the same non-alphanumeric character is split on that character.

For example: ssh -p 4422 /requestor/maccount/msystem/@bihost

Here '/' is the delimiter, giving requester requestor, managed account maccount, and system msystem on the Password Safe host bihost.

To enable dynamic delimiters (default is off), set the following registry key:

HKLM\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\direct_connect\dynamic_delimiter = 1 (REG_DWORD)
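The PowerShell functions below are an added example, not BeyondTrust code, that compose a Direct Connect target for ssh and show how its user-name portion splits back into requester, managed account, and system under the delimiter rules above. The host names, account names, and the candidate dynamic delimiters are made up. One assumption is not stated on the page: when more than one rule could apply, Split-DirectConnectUser tries the dynamic delimiter first, then '+', then '@'.

```powershell
# Added example (not BeyondTrust code): build Direct Connect targets and check how the
# user-name portion splits. The SSH client sends everything before the last '@' as the
# user name; the proxy splits that into requester, managed account and system.
# Assumption (not on the page): precedence is dynamic delimiter, then '+', then '@'.

function New-DirectConnectTarget {
    param(
        [Parameter(Mandatory)][string]$Requester,       # Password Safe user, e.g. alice or alice@corp.example
        [Parameter(Mandatory)][string]$ManagedAccount,  # svc@corp.example (UPN), CORP\svc (down-level) or root
        [Parameter(Mandatory)][string]$System,          # managed system name
        [Parameter(Mandatory)][string]$PasswordSafe,    # SSH proxy host name or address
        [int]$Port = 4422,                              # documented default proxy port
        [string[]]$DynamicCandidates = @('/', '|', '#') # used only when '+' and '@' both collide
    )
    $parts = @($Requester, $ManagedAccount, $System)
    # A delimiter is usable only if none of the three fields contains it; otherwise the
    # proxy would see the wrong number of fields.
    function Test-Free([string]$d) { @($parts | Where-Object { $_.Contains($d) }).Count -eq 0 }

    # The page's two static forms: '+' for UPN managed accounts, '@' otherwise; fall back
    # to the other form if the preferred one collides with a field.
    $static = if ($ManagedAccount.Contains('@')) { '+', '@' } else { '@', '+' }
    $d = $static | Where-Object { Test-Free $_ } | Select-Object -First 1
    if ($d) {
        $user = $parts -join $d
    } else {
        $d = $DynamicCandidates | Where-Object { Test-Free $_ } | Select-Object -First 1
        if (-not $d) { throw 'No delimiter is free of collisions with the supplied names' }
        # Dynamic form: the same non-alphanumeric character at both ends. Requires
        # direct_connect\dynamic_delimiter = 1 on the proxy.
        $user = $d + ($parts -join $d) + $d
    }
    # Quote the target in a POSIX shell: a down-level name contains a backslash.
    [pscustomobject]@{ User = $user; Command = "ssh -p $Port '$user@$PasswordSafe'" }
}

function Split-DirectConnectUser {
    param([Parameter(Mandatory)][string]$User)   # text before the last '@' of the ssh target
    $first = [string]$User[0]; $last = [string]$User[-1]
    if ($User.Length -gt 2 -and $first -eq $last -and -not [char]::IsLetterOrDigit($User[0])) {
        $fields = $User.Substring(1, $User.Length - 2) -split [regex]::Escape($first)
    } elseif ($User.Contains('+')) {
        $fields = $User -split '\+'
    } else {
        $fields = $User -split '@'
    }
    if ($fields.Count -ne 3) {
        throw "Expected 3 fields (requester, account, system) in '$User', got $($fields.Count)"
    }
    [pscustomobject]@{ Requester = $fields[0]; ManagedAccount = $fields[1]; System = $fields[2] }
}

# Usage with made-up names. A UPN managed account selects the '+' form; a down-level
# account selects the '@' form; a UPN requester with a down-level account forces '+'.
$t = New-DirectConnectTarget -Requester alice -ManagedAccount 'svc@corp.example' -System web01 -PasswordSafe psafe.corp.example
$t.Command
Split-DirectConnectUser -User $t.User | Format-List
$t2 = New-DirectConnectTarget -Requester 'alice@corp.example' -ManagedAccount 'CORP\svc' -System web01 -PasswordSafe psafe.corp.example
$t2.Command
Split-DirectConnectUser -User '/alice/CORP\svc/web01/' | Format-List   # dynamic delimiter form
```

The collision check is the point of the builder: a requester or account name that itself contains the delimiter changes the number of fields the proxy sees, which is the same reason the page requires the RDP two-factor delimiter to be excluded from user passwords.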

RDP and SSH Direct Connect sessions support using a two-factor authentication token.

  • RDP session: A delimiter (,) must be entered after you enter the password. For example: password, token

    The delimiter can be changed using the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\2fa_delimiter

    The delimiter must be excluded from user login passwords.

  • SSH session: You are prompted to enter a token after you enter the password.

Configure RDP Sessions

To secure the connection, the RDP proxy uses the same certificate as the web portal; RDP clients authenticate the proxy over SSL/TLS with that certificate and its chain.

Create a Certificate and Add to the BeyondInsight Server

To avoid certificate error messages when initiating an RDP session, create a certificate signed by a valid Certificate Authority (CA) for the BeyondInsight server. Add that certificate and the certificate chain to the BeyondInsight server certificate stores. Use the high-level steps below as guidance:

Create the Certificate Request

  1. On the BeyondInsight server, open IIS Manager.
  2. On the local host node, select Server Certificates, and then select Create Certificate Request.
  3. Go through the Request Certificate wizard. On the Cryptographic Service Provider Properties page, select a bit length of 2048.

     The Common Name must match the host name or IP address in the URL users type to reach the BeyondInsight log in page. This may be an IP address, the server short name, or a fully qualified domain name:

     https://<server name>/webconsole

     common name = <server name>

  4. Enter a file name for the certificate request and set the location to the desktop.

Sign the Certificate

The procedure for signing the certificate varies, depending on your company’s CA implementation.

  1. Go to your Certificate Authority website.
  2. On the Certificate Request or Renewal Request page, copy the text from the certificate request file.
  3. Be sure to select Web Server as the Certificate Template type.
  4. After you click Submit, download the certificate and certificate chain to your desktop.
  5. Copy the files to the BeyondInsight server desktop. This will be the server certificate.
  6. Open IIS Manager on the BeyondInsight server, and click Complete Certificate Request.
  7. On the Specify Certificate Authority Response page, find the file on your desktop, enter a friendly name, and use the default Personal certificate store.

Bind the Server Certificate to the Default Web Site in IIS

  1. Right-click Default Web Site, and then select Edit Bindings.
  2. Select https on port 443, and then click Edit.
  3. From the SSL certificate list, select the server certificate created earlier, and then click OK.

Add Certificate Chain

  1. On the BeyondInsight server, open mmc and add the Certificates snap-in.
  2. Expand Trusted Root Certification Authorities.
  3. Right-click Certificates then select All Tasks > Import.
  4. Go through the Certificate Import wizard to import the certificate chain file (created earlier).
  5. Select the appropriate file extension. Be sure to store the certificate in Trusted Root Certification Authorities.
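The same certificate procedure from an elevated PowerShell prompt on the BeyondInsight server, as an added example rather than BeyondTrust's own instructions. It uses certreq.exe and the WebAdministration module and assumes the host name bi.corp.example, the working folder C:\certs, and that the CA returns the issued certificate as bi.cer and its chain as chain.p7b; adjust all of these.

```powershell
# Added example (not BeyondTrust code): request, install, trust and bind the portal/RDP
# certificate. Assumed: host name bi.corp.example, folder C:\certs, CA output bi.cer and
# chain.p7b. Run elevated on the BeyondInsight server.
$Fqdn = 'bi.corp.example'
$Work = 'C:\certs'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Certificate request. KeyLength 2048 matches the wizard step. A SAN entry is added
#    because current RDP and browser clients match the name against SAN, not CN; if users
#    reach the portal by IP address, add "ipaddress=<address>&" to the _continue_ line.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
FriendlyName = "BeyondInsight portal and RDP proxy"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

certreq.exe -new "$Work\request.inf" "$Work\request.csr"

# 2. Submit request.csr to the CA with the Web Server template and save the issued
#    certificate as $Work\bi.cer and the chain as $Work\chain.p7b (manual step).

# 3. Complete the request: pairs the issued certificate with the private key generated
#    in step 1, in the Personal store (Cert:\LocalMachine\My).
certreq.exe -accept "$Work\bi.cer"

# 4. Trust the chain. The page's wizard steps put the chain file under Trusted Root
#    Certification Authorities; only the root needs to live there, intermediates can go
#    in Cert:\LocalMachine\CA instead.
Import-Certificate -FilePath "$Work\chain.p7b" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Bind the certificate to https on port 443 of the Default Web Site.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 6. Verify: the RDP proxy presents the same certificate as the portal, so this is the
#    thumbprint RDP clients will validate.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint, Sites
```

Keep Exportable = FALSE unless you have a separate reason to back up the key; the proxy and the portal read it from the machine store in place.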

When in an RDP session, the user can choose to smart size the client window so that no scroll bars display.

You can enable Smart Sizing on the Session Monitoring Configuration page by selecting the check box.

Font smoothing is turned on by default. To turn off font smoothing, set the following registry value to 1 (the default is 0).

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\disable_font_smoothing = 1 (DWORD)

Ports can be configured using the BeyondInsight Configuration tool. In the configuration tool, scroll to the Password Safe section to set all port values.

These ports are configurable under Global Settings. The default inbound port connections to the Password Safe proxy:

  • RDP: 4489
  • SSH: 4422

You can configure the maximum amount of time for which the session countdown timer will be displayed by setting the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\countdown_duration (DWORD value in seconds, default is 1800)