Configure SSH and RDP Connections

In the Password Safe web portal, requesters can request access to use SSH or RDP remote connections. To permit remote connections, you must configure an access policy.

The following section provides additional information on setting up SSH or RDP connections.

For more information, please see Configure Password Safe Access Policies.

Requirements for SSH

  • You must install PuTTY to enable SSH functionality. Go to www.putty.org to download the software.
  • If you use a Windows 8 or Windows Server 2012 VMware virtual machine, VMware Tools installs itself as a URL handler for SSH and stops the sample registry script from working. You must remove the following registry value:

    [HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMwareHostOpen\Capabilities\UrlAssociations]"ssh"="VMwareHostOpen.AssocUrl"

Supported SSH Client Algorithms

When Password Safe checks and changes passwords, it uses the following algorithms to connect and communicate.

  • Authentication Methods: Password, Public key, Keyboard interactive
  • Encryption Algorithms: AES, Triple DES, Blowfish, blowfish-ctr, blowfish-cbc
  • Encryption Modes: CBC, CTR
  • Host Key Algorithms: RSA, DSS, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519
  • Key Exchange Algorithms: curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 (disabled by default), diffie-hellman-group-exchange-sha1 (disabled by default), diffie-hellman-group1-sha1 (disabled by default)
  • MAC Algorithms: MD5, SHA-1, SHA-2, HMAC-MD5, HMAC-MD5-96, HMAC-SHA1-96
  • Symmetric Key Algorithms: arcfour256, arcfour128, arcfour

The Following Algorithms Are Disabled by Default

  • diffie-hellman-group1-sha1
  • diffie-hellman-group-exchange-sha1
  • blowfish-ctr
  • blowfish-cbc
  • 3des-cbc
  • arcfour256
  • arcfour128
  • arcfour
  • HMAC-MD5
  • HMAC-MD5-96
  • HMAC-SHA1-96
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc

Use the Following Registry Keys to Turn on the Algorithms

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshKeyExchangeAlgorithms (DWORD) = 1023 (enables all key exchange algorithms)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshEncryptionAlgorithms (DWORD) = 31 (enables all encryption algorithms)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\MacAlgorithms (DWORD) = 15 (enables all MAC algorithms)

These values are in decimal.

Weak RSA server host keys (shorter than 1024 bits) are rejected by default. Use the following registry key to change the minimum accepted size:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshMinimumRsaKeySize (DWORD) = 1024 (key size in bits)

Host Key Algorithms

Below is a list of host key algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519
  • rsa-sha2-512
  • rsa-sha2-256
  • ssh-rsa (disabled by default)
  • ssh-dss (disabled by default)

Use the following registry key to change the available client host key algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms (REG_MULTI_SZ)

Use the following registry key to change the available server host key algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms (REG_MULTI_SZ)

KEX Algorithms

Below is a list of key exchange (KEX) algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

  • curve25519-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1 (disabled by default for incoming client connections only)
  • diffie-hellman-group-exchange-sha1 (disabled by default)
  • diffie-hellman-group1-sha1 (disabled by default)

Use the following registry key to change the available key exchange algorithms for the server side of Password Safe's SSH proxy (between the user's SSH client and the proxy):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\kex_algorithms (REG_MULTI_SZ)

Use the following registry key to change the available key exchange algorithms for the client side of Password Safe's SSH proxy (between the proxy and the managed systems):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms (REG_MULTI_SZ)

RSA Host Key Size

You can configure the size (in bits) of the RSA private host key generated and used by Password Safe's SSH server.

Use the following registry key to change the host key size:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\rsa_host_key_size (REG_DWORD)

Valid values are: 2048 (default), 3072, and 4096.

Auto-Launch PuTTY Registry File

To launch the SSH client automatically, the SSH protocol must be associated with an application. The example below registers PuTTY; to register a different application, change the references to PuTTY so that they point to that application.

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\ssh]
@="URL:Secure Shell Protocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\ssh\DefaultIcon]
@="%%ProgramFiles%%\\PuTTY\\putty.exe"
[HKEY_CLASSES_ROOT\ssh\shell]
[HKEY_CLASSES_ROOT\ssh\shell\open]
[HKEY_CLASSES_ROOT\ssh\shell\open\command]
@="cmd /V:ON /s /c @echo off && set url=%1 && for /f \"tokens=1,2,3 delims=:/ \" %%a in (\"!url!\") do set protocol=%%a&set host=%%b&set port=%%c && start \"\" \"%%ProgramFiles%%\\PuTTY\\putty.exe\" -P !port! !host!"

Supported SSH Session Protocols

You can use the following protocols with an SSH session: X11, SCP, and SFTP. You also have options to allow local and remote port forwarding.

When transferring files using SCP, there may be some incompatibilities with specific clients (e.g. WinSCP). We recommend using SFTP or a different client.

Use the Registry Editor to turn these settings on. These settings are all type DWORD with toggle values of either 0 (no) or 1 (yes).

  • X11:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_x11 = 1 (DWORD)

  • SCP:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_scp

  • SFTP:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_sftp

  • Local Port Forwarding: Whether or not to allow local port forwarding requests from the user's SSH client through to the managed system (default: 0).

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_local_port_forwarding

  • Remote Port Forwarding: Whether or not to allow remote port forwarding requests from the user's SSH client through to the managed system (default: 0).

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_remote_port_forwarding

For more information, please see Issues with WinSCP Using SCP Mode.

Multiple SSH Sessions

To avoid a potential security risk, only one SSH session is permitted per SSH connection by default.

You can turn on the following registry key to permit more than one session on a connection:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_multiplex = 1

Enable Login Accounts for SSH Sessions

Creating a login account allows the user to open an SSH session in environments where remote shell access for the managed account is not permitted, for instance the root account. The login account is used to establish the initial shell connection, and the session is then switched to the managed account.

The functional account used should be a low-privilege user, not the same elevated functional account that has privileges to change passwords.

This feature supports the following platforms: AIX, HPUX, Linux, and Solaris.

Enable Login Accounts Manually

To manually enable login accounts, you must enable the function on both the managed system and the managed account you want to use for the SSH session.

  1. From the Managed Systems page, create a new managed system, or select one from the grid.
  2. From the menu actions, select Edit Managed System.
  3. Within the Credentials section, toggle the User Login Account for SSH Sessions option to yes.
  4. Select your account from the Login Account dropdown.
  5. Click Update Managed System and dismiss the configuration slide-out.
  6. From the Managed System menu, select Go to Advanced Details.
  7. Select the Managed Accounts tab.
  8. Select the managed account you wish to edit.
  9. Within the Credentials section, toggle the Login Account for SSH Sessions option to yes.
  10. Click Update Account.

Enable Login Accounts with a Smart Rule

For organizations managing many assets and accounts, administrators can enable login accounts with a Smart Rule as follows:

  1. Create a Smart Rule to manage the assets to use to access the SSH session.
  2. Select the action Manage Assets using Password Safe.
  3. Select the platform and the functional account.
  4. From the Enable Login Account for SSH Session list, select yes.
  5. Select a login account.
  6. Create a Smart Rule to manage the managed accounts to allow users to log in for an SSH session.
  7. In the Actions section, select Managed Account Settings.
  8. Scroll to Account Options and select Enable Login Account for SSH Sessions.

Use Direct Connect for SSH and RDP Session Requests

You can use Direct Connect for remote session requests for SSH and RDP sessions. Direct Connect requests access to a managed account on behalf of the requester. The requester accesses the system without ever viewing the managed account's credentials.

If the requester is not granted auto-approval for a session, the user receives the message "Request requires approval. If the request is not approved within 5 minutes this connection will close." After 5 minutes the client disconnects and the user can send another connection request. When the request is approved, the user is automatically connected.

When there is an existing request for the system and account, that request is reused and the session is created.

SSH Session Requests

Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections. The requester's information, including the Reason and the Request Duration, is auto-populated with default Password Safe settings.

To access a managed account or application using Direct Connect, the requester must connect to Password Safe's SSH Proxy using a custom SSH connection string in one of the following formats:

  • For UPN credentials:
    <Requester>+<Username@Domain>+<System Name>@<Password Safe>
  • For down-level logon names or non-domain credentials:
    <Requester>@<Domain\\Username>@<System Name>@<Password Safe>

Override the SSH client's default port and connect to port 4422, the Password Safe SSH proxy port. The requester is then prompted to enter the password they use to authenticate with Password Safe.

  • For UPN credentials:
    ssh -p 4422 <Requester>+<Username@Domain>+<System Name>@<Password Safe>
  • For down-level logon names or non-domain credentials:
    ssh -p 4422 <Requester>@<Domain\\Username>@<System Name>@<Password Safe>
  • For an SSH application:
    ssh -p 4422 <Requester>@<Account name>:<Application alias>@<System name>@<Password Safe>

Once the requester is authenticated, they are immediately connected to the desired machine.

RDP Session Requests

RDP Direct Connect supports push two-factor authentication. An access-challenge response is not supported.

LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.

To request an RDP session using Direct Connect, download the RDP Direct Connect file and run it:

  1. Click the arrow to download the RDP Direct Connect file from Password Safe.

    This is a one-time download. Each account and system combination requires that the user download the unique RDP file associated with it.

  2. Run the file to establish a connection to the targeted system.
  3. When prompted, enter the password you use to authenticate with Password Safe.

Direct Connect Delimiters

You can customize the character delimiters accepted in a Direct Connect connection string (in addition to + and @) by setting the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\direct_connect\delimiters (REG_SZ)

Additionally, you can enable support for a dynamic delimiter. When this is enabled, any connection string that starts and ends with the same non-alphanumeric character is split on that character.

Example with '/' used as the dynamic delimiter:

ssh -p 4422 /requestor/maccount/msystem/@bihost

To enable dynamic delimiters (default is off), set the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\direct_connect\dynamic_delimiter = 1 (REG_DWORD)
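As an added illustration (not BeyondTrust code) of the SSH connection-string formats and the dynamic delimiter described above, the following parser splits a Direct Connect login name into requester, account, system and Password Safe host. How the proxy itself tokenises the string, the `delimiters` argument standing in for the registry value, and the sample names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Delimiters Direct Connect accepts by default; the 'delimiters' registry key
# can add more (assumed here to be supplied as a plain string of characters).
DEFAULT_DELIMITERS = "+@"


@dataclass(frozen=True)
class DirectConnectTarget:
    requester: str
    account: str                      # UPN, DOMAIN\user or local account name
    system: str
    password_safe_host: str
    application_alias: Optional[str] = None


def parse_direct_connect(login: str, delimiters: str = DEFAULT_DELIMITERS,
                         dynamic_delimiter: bool = False) -> DirectConnectTarget:
    """Split the login name passed to 'ssh -p 4422 <login>' into its fields."""
    # The Password Safe host always follows the last '@'; the part before it may
    # itself contain '@' (a UPN or DOMAIN\user), so split from the right.
    user_part, sep, ps_host = login.rpartition("@")
    if not sep or not user_part or not ps_host:
        raise ValueError("expected <user part>@<Password Safe host>")

    first = user_part[0]
    if (dynamic_delimiter and len(user_part) > 2 and not first.isalnum()
            and user_part[-1] == first):
        # Dynamic delimiter: a string that starts and ends with the same
        # non-alphanumeric character is split on that character.
        fields = user_part[1:-1].split(first)
    else:
        # Fixed delimiters, tried in order: '+' first so a UPN (user@domain)
        # survives intact, then '@' for down-level or non-domain names.
        fields = []
        for delim in delimiters:
            parts = user_part.split(delim)
            if len(parts) == 3:
                fields = parts
                break
    if len(fields) != 3 or not all(fields):
        raise ValueError(f"cannot split {user_part!r} into requester, account, system")

    requester, account, system = fields
    alias = None
    if ":" in account:
        # SSH application form: <account name>:<application alias>
        account, alias = account.split(":", 1)
    return DirectConnectTarget(requester, account, system, ps_host, alias)
```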

Use Two-Factor Authentication Token

RDP and SSH Direct Connect sessions support using a two-factor authentication token.

  • RDP session: A delimiter (,) must be entered after you enter the password. For example: password, token

    The delimiter can be changed using the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy\2fa_delimiter

    The delimiter character must not appear in user login passwords.

  • SSH session: You are prompted to enter a token after you enter the password.

Configure RDP Sessions

Certificate Authentication

To ensure secure communications, an RDP session uses the same certificate as the one created for the web portal. The certificate is used for SSL/TLS authentication.

Create a Certificate and Add to the BeyondInsight Server

To avoid certificate error messages when initiating an RDP session, create a certificate signed by a valid Certificate Authority (CA) for the BeyondInsight server. Add that certificate and the certificate chain to the BeyondInsight server certificate stores. Use the high-level steps below as guidance:

Create the Certificate Request

  1. On the BeyondInsight server, open IIS Manager.
  2. On the local host node, select Server Certificates, and then select Create Certificate Request.
  3. Go through the Request Certificate wizard. On the Cryptographic Service Provider Properties page, select a bit length of 2048.

    The Common Name equals the server name or the IP address, depending on the URL you are using for the BeyondInsight log in page. For example, the server name might be an IP address, the server short name, or a fully qualified domain name:

    https://<server name>/webconsole

    common name = <server name>

  4. Enter a file name for the certificate request and set the location to the desktop.

Sign the Certificate

The procedure for signing the certificate varies, depending on your company’s CA implementation.

  1. Go to your Certificate Authority website.
  2. On the Certificate Request or Renewal Request page, copy the text from the certificate request file.
  3. Be sure to select Web Server as the Certificate Template type.
  4. After you click Submit, download the certificate and certificate chain to your desktop.
  5. Copy the files to the BeyondInsight server desktop. This will be the server certificate.
  6. Open IIS Manager on the BeyondInsight server, and click Complete Certificate Request.
  7. On the Specify Certificate Authority Response page, find the file on your desktop, enter a friendly name, and use the default Personal certificate store.

Bind the Server Certificate to the Default Web Site in IIS

  1. Right-click Default Web Site, and then select Edit Bindings.
  2. Select https on port 443, and then click Edit.
  3. From the SSL certificate list, select the server certificate created earlier, and then click OK.

Add Certificate Chain

  1. On the BeyondInsight server, open mmc and add the Certificates snap-in.
  2. Expand Trusted Root Certification Authorities.
  3. Right-click Certificates then select All Tasks > Import.
  4. Go through the Certificate Import wizard to import the certificate chain file (created earlier).
  5. Select the appropriate file extension. Be sure to store the certificate in Trusted Root Certification Authorities.

Enable Smart Sizing

When in an RDP session, the user can choose to smart size the client window so that no scroll bars display.

You can enable Smart Sizing on the Session Monitoring Configuration page by checking the box.

Turn Off Font Smoothing

Font smoothing is turned on by default. To turn off font smoothing, change the following registry key value from 0 to 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\disable_font_smoothing = 1 (DWORD)

Configure RDP Port for Connection to Target System

Administrators can set an RDP connection port for a specific Windows managed system on a per-system basis. One or more RDP ports can be configured. Administrators can also use a Smart Rule to target a set of managed systems with the new RDP connection port.

  • To set the RDP port for a managed system, go to Configuration > Privileged Access Management > Global Settings > Sessions, and then enter the Default RDP port for new Managed Systems.
  • To edit an RDP port, go to Managed Systems and then click the ellipsis to the right of the Windows managed system. Select Edit Managed System. Under Identification, edit the port.
  • To set an RDP port using a Smart Rule, go to Smart Rules. Select Asset under the Smart Rule type filter. Click Create Smart Rule. Under Actions, select Windows as the Platform, and then set the port.
  • To set more than one port, go to Smart Rules. Select Managed System under the Smart Rule type filter. Click Create Smart Rule. Under Actions, select Set port on each system, and then enter the port. Click Add another action for each additional port.

Configure Session Proxy Ports

Ports can be configured using the BeyondInsight configuration tool. In the configuration tool, scroll to the Password Safe section to set all port values.

The default values for inbound connections to the Password Safe proxy are:

  • RDP: 4489
  • SSH: 4422
  • Session Monitoring Listen Host: 127.0.0.1
  • Session Monitoring Listen Port: 4488
  • Session Monitoring RDP Listen Port: 4489
  • Session Monitoring SSH Listen Port: 4422

Session Countdown Duration

You can configure the maximum amount of time for which the session countdown timer is displayed by setting the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\countdown_duration (DWORD value in seconds, default is 1800)