Configure SSH and RDP Proxy Connections

In the Password Safe web portal, requesters can request access to use SSH or RDP remote connections. To permit remote connections, you must configure an access policy.

For information on access policies, see Configure Password Safe Access Policies.

The following sections provide additional information on setting up SSH and RDP connections.

All registry changes must be done on each machine hosting a resource broker.

Host Key Algorithms

Below is a list of host key algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519
  • rsa-sha2-512
  • rsa-sha2-256
  • ssh-rsa (disabled by default)
  • ssh-dss (disabled by default)

Use the following registry key to change the available client host key algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms (REG_MULTI_SZ)

Use the following registry key to change the available server host key algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms (REG_MULTI_SZ)

KEX Algorithms

Below is a list of key exchange (KEX) algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

  • curve25519-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1 (disabled by default for incoming client connections only)
  • diffie-hellman-group-exchange-sha1 (disabled by default)
  • diffie-hellman-group1-sha1 (disabled by default)

Use the following registry key to change the available key exchange algorithms for the client side of Password Safe's SSH proxy (between the proxy and the managed systems):

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\kex_algorithms (REG_MULTI_SZ)

Use the following registry key to change the available key exchange algorithms for the server side of Password Safe's SSH proxy (between the user's SSH client and the proxy):

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms (REG_MULTI_SZ)

MAC Algorithms

Below is a list of message authentication code (MAC) algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha1
  • hmac-sha1-96 (disabled by default)
  • hmac-md5 (disabled by default; not supported in FIPS mode)

Use the following registry key to change the available client MAC algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_macs (REG_MULTI_SZ)

Use the following registry key to change the available server MAC algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\macs (REG_MULTI_SZ)

When Password Safe is running in FIPS mode, every supported MAC algorithm is enabled by default.

Ciphers

Below is a list of ciphers enabled for use by Password Safe's SSH client and server. Supported ciphers in default order of preference are:

  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • aes256-cbc (disabled by default)
  • aes192-cbc (disabled by default)
  • aes128-cbc (disabled by default)
  • blowfish-cbc (disabled by default; not supported in FIPS mode)
  • 3des-cbc (disabled by default)

Use the following registry key to change the available client cipher algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_ciphers (REG_MULTI_SZ)

Use the following registry key to change the available server cipher algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\ciphers (REG_MULTI_SZ)

When Password Safe is running in FIPS mode, every supported cipher is enabled by default.

RSA Host Key Size

You can configure the size (in bits) of the RSA private host key generated and used by Password Safe's SSH server.

Use the following registry key to change the host key size:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\rsa_host_key_size (REG_DWORD)

Valid values are: 2048 (default), 3072, and 4096.

Auto-Launch PuTTY Registry File

To launch the SSH client automatically, the SSH protocol must be associated with an application. The example below registers PuTTY; to register a different application, change the references to PuTTY so that they point to that application.

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\ssh]
@="URL:Secure Shell Protocol"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\ssh\DefaultIcon]
@="%%ProgramFiles%%\\PuTTY\\putty.exe"
[HKEY_CLASSES_ROOT\ssh\shell]
[HKEY_CLASSES_ROOT\ssh\shell\open]
[HKEY_CLASSES_ROOT\ssh\shell\open\command]
@="cmd /V:ON /s /c @echo off && set url=%1 && for /f \"tokens=1,2,3 delims=:/ \" %%a in (\"!url!\") do set protocol=%%a&set host=%%b&set port=%%c && start \"\" \"%%ProgramFiles%%\\PuTTY\\putty.exe\" -P !port! !host!"

Supported SSH Session Protocols

You can use the following protocols with an SSH session: X11, SCP, and SFTP. You also have options to allow local and remote port forwarding.

When transferring files using SCP, there may be some incompatibilities with specific clients (e.g. WinSCP). We recommend using SFTP or a different client.

Use the Registry Editor to turn these settings on. These settings are all type DWORD with toggle values of either 0 (no) or 1 (yes).

  • X11:

    HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_x11 = 1 (DWORD)

  • SCP:

    HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_scp

  • SFTP:

    HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_sftp

  • Local Port Forwarding: Whether or not to allow local port forwarding requests from the user's SSH client through to the managed system (default: 0).

    HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_local_port_forwarding

  • Remote Port Forwarding: Whether or not to allow remote port forwarding requests from the user's SSH client through to the managed system (default: 0).

    HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\allow_remote_port_forwarding

For more information, please see Issues with WinSCP Using SCP Mode.

Multiple SSH Sessions

To avoid a potential security risk, more than one SSH session is not permitted through a single SSH connection.

You can turn on the following registry key to permit more than one session on a connection:

HKEY_LOCAL_MACHINE\SOFTWARE\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_multiplex = 1

Enable Login Accounts for SSH Sessions

Creating a login account allows the user to open an SSH session in environments where direct remote shell access for the managed account is not permitted, for instance the root account. The login account is used to establish the initial shell connection, after which the session is switched to the managed account.

The account used should be a low-privilege user, not the elevated functional account that has privileges to change passwords.

This feature supports the following platforms: AIX, HPUX, Linux, and Solaris.

Enable Login Accounts Manually

To manually enable login accounts, you must enable the function on both the managed system and the managed account you want to use for the SSH session.

  1. From the Managed Systems page, create a new managed system, or select one from the grid.
  2. From the menu actions, select Edit Managed System.
  3. Within the Credentials section, toggle the User Login Account for SSH Sessions option to yes.
  4. Select your account from the Login Account dropdown.
  5. Click Update Managed System and dismiss the configuration slide-out.
  6. From the Managed System menu, select Go to advanced details.
  7. Select the Managed Accounts tab.
  8. Select the managed account you wish to edit.
  9. Within the Credentials section, toggle the Login Account for SSH Sessions option to yes.
  10. Click Update Account.

Enable Login Accounts with a Smart Rule

For organizations managing many assets and accounts, administrators can enable login accounts with a Smart Rule as follows:

  1. Create a Smart Rule to manage the assets to use to access the SSH session.
  2. Select the action Manage Assets using Password Safe.
  3. Select the platform and the functional account.
  4. From the Enable Login Account for SSH Session list, select yes.
  5. Select a login account.
  6. Create a Smart Rule to manage the managed accounts to allow users to log in for an SSH session.
  7. In the Actions section, select Managed Account Settings.
  8. Scroll to Account Options and select Enable Login Account for SSH Sessions.

Use Direct Connect for SSH and RDP Session Requests

You can use Direct Connect for remote session requests for SSH and RDP sessions. Direct Connect requests access to a managed account on behalf of the requester. The requester accesses the system without ever viewing the managed account's credentials.

If the requester is not granted auto-approval for a session, the user receives the message "Request requires approval. If the request is not approved within 5 minutes this connection will close." After 5 minutes the client disconnects and the user can send another connection request. When the request is approved, the user is automatically connected.

When there is an existing request for the system and account, the request is reused and the session created.

SSH Session Requests

Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections. The requester's information, including the Reason and the Request Duration, is auto-populated with default Password Safe settings.

To access a managed account or application using Direct Connect, the requester has to connect to Password Safe's SSH Proxy using a custom SSH connection string with one of the following formats:

  • For UPN credentials:
    <Requester>+<Username@Domain>+<System Name>@<Password Safe>
  • For down-level logon names or non-domain credentials:
    <Requester>@<Domain\\Username>@<System Name>@<Password Safe>

Override the SSH client's default port with the Password Safe SSH proxy port, 4422. The requester is then prompted to enter their password, which they use to authenticate with Password Safe.

  • For UPN credentials:
    ssh -p 4422 <Requester>+<Username@Domain>+<System Name>@<Password Safe>
  • For down-level logon names or non-domain credentials:
    ssh -p 4422 <Requester>@<Domain\\Username>@<System Name>@<Password Safe>
  • For an SSH application:
    ssh -p 4422 <Requester>@<Account name>:<Application alias>@<System name>@<Password Safe>

Once the requester is authenticated, they are immediately connected to the desired machine.

RDP Session Requests

RDP Direct Connect supports push two-factor authentication. An access-challenge response is not supported.

LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.

To request an RDP session using Direct Connect:

  1. Click the arrow to download the RDP Direct Connect file from Password Safe.

    This is a one-time download. Each account and system combination requires that the user download the unique RDP file associated with it.

  2. Run the file to establish a connection to the targeted system.
  3. The requester is then prompted to enter the password they use to authenticate with Password Safe.

Direct Connect Delimiters

You can customize the character delimiters accepted in a Direct Connect connection string (in addition to + and @) by setting the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\direct_connect\delimiters (REG_SZ)

Additionally, you can enable support for a dynamic delimiter. When this is enabled, any connection string that starts and ends with the same non-alphanumeric character is split on that character.

Example with '/' used as the delimiter:

ssh -p 4422 /requestor/maccount/msystem/@bihost

To enable dynamic delimiters (default is off), set the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\direct_connect\dynamic_delimiter = 1 (REG_DWORD)
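The following added example (not BeyondTrust's own code) shows how the Direct Connect user string described above can be split into requester, account, system and optional application alias. It assumes a simplified model: the user string is the part of the SSH login before the final @<Password Safe>, the delimiters registry value is a plain string of extra characters, and the delimiter actually used is the one that yields exactly three fields.

```python
from typing import NamedTuple, Optional

# Assumed model of a Direct Connect user string: the part of
# "<user>@<Password Safe>" that the SSH client hands to the proxy, i.e.
# "<Requester><d><Account><d><System>" with a single delimiter <d>.
# Added illustration only; this is not BeyondTrust's own parser.


class DirectConnectTarget(NamedTuple):
    requester: str
    account: str                # "user@domain" (UPN), "DOMAIN\user" or a local name
    system: str
    application: Optional[str]  # SSH application alias, if one was given


def parse_direct_connect(user_string: str, extra_delimiters: str = "",
                         dynamic_delimiter: bool = False) -> DirectConnectTarget:
    """Split a Direct Connect user string into requester, account, system and
    optional application alias.  extra_delimiters stands in for the
    direct_connect 'delimiters' REG_SZ value (assumed to be a plain list of
    characters); dynamic_delimiter for 'dynamic_delimiter' = 1."""
    s = user_string
    if (dynamic_delimiter and len(s) >= 2 and s[0] == s[-1]
            and not s[0].isalnum()):
        # Dynamic delimiter: the string is wrapped in the character to split on,
        # e.g. "/requestor/maccount/msystem/".
        fields = s[1:-1].split(s[0])
    else:
        # '+' and '@' are always accepted.  The UPN form "req+user@domain+sys"
        # only splits cleanly on '+', the down-level form "req@DOM\user@sys"
        # only on '@', so accept the one delimiter that yields exactly three
        # fields and reject strings where more than one would (ambiguous).
        candidates = {}
        for d in dict.fromkeys("+@" + extra_delimiters):
            parts = s.split(d)
            if len(parts) == 3:
                candidates[d] = parts
        if len(candidates) != 1:
            raise ValueError(f"ambiguous or malformed connection string: {s!r}")
        (fields,) = candidates.values()
    if len(fields) != 3 or not all(fields):
        raise ValueError(f"expected <Requester><d><Account><d><System>: {s!r}")
    requester, account, system = fields
    # An SSH application is requested as "<Account name>:<Application alias>".
    account, sep, alias = account.partition(":")
    return DirectConnectTarget(requester, account, system, alias if sep else None)
```

Strings that split cleanly on more than one accepted delimiter are rejected rather than guessed at, which is the behaviour a proxy should prefer when the fields decide which account and system a session is opened against.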

Use Two-Factor Authentication Token

RDP and SSH Direct Connect sessions support using a two-factor authentication token.

  • RDP session: A delimiter (,) must be entered after you enter the password. For example: password, token

    The delimiter can be changed using the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\rdp_proxy\2fa_delimiter

    The delimiter character must not appear in user login passwords.

  • SSH session: You are prompted to enter a token after you enter the password.

Configure RDP Sessions

Enable Smart Sizing

When in an RDP session, the user can choose to smart size the client window so that no scroll bars display.

You can enable Smart Sizing on the Session Monitoring Configuration page by checking the box.

Turn Off Font Smoothing

Font smoothing is turned on by default. To turn off font smoothing, change the following registry key value from 0 to 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Beyondtrust\PBPS\SessionManager\rdp_proxy\disable_font_smoothing = 1 (DWORD)

Configure RDP Port for Connection to Target System

Administrators can set an RDP connection port for a specific Windows managed system on a per-system basis. One or more RDP ports can be configured. Administrators can also use a Smart Rule to target a set of managed systems with the new RDP connection port.

  • To set the default RDP port for new managed systems, go to Configuration > Privileged Access Management > Global Settings > Sessions, and then enter the Default RDP port for new Managed Systems.
  • To edit an RDP port, go to Managed Systems and then click the ellipsis to the right of the Windows managed system. Select Edit Managed System. Under Identification, edit the port.
  • To set an RDP port using a Smart Rule, go to Smart Rules. Select Asset under the Smart Rule type filter. Click Create Smart Rule. Under Actions, select Windows as the Platform, and then set the port.
  • To set more than one port, go to Smart Rules. Select Managed System under the Smart Rule type filter. Click Create Smart Rule. Under Actions, select Set port on each system, and then enter the port. Click Add another action for each additional port.

Configure Session Proxy Ports

The ports on which the RDP and SSH session proxies listen are configured in the registry.

RDP:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\rdp_proxy\listen_port (DWORD, default 4489)

SSH:

HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\listen_port (DWORD, default 4422)

Session Countdown Duration

You can configure the maximum amount of time for which the session countdown timer is displayed by setting the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Beyondtrust\PBPS\SessionManager\rdp_proxy\countdown_duration (DWORD value in seconds, default is 1800)