pbssh

  • Version 6.0.1 and earlier: pbssh program not available.
  • Version 6.1 and later: pbssh program available.

Using Endpoint Privilege Management for Unix and Linux policy and the pbssh program, you can control access to, and activities on, SSH-managed devices. The pbssh program is similar to the pbrun program, except that it uses the SSH protocol (or, optionally, the telnet protocol) to connect to devices that do not have Endpoint Privilege Management for Unix and Linux installed on them; such devices can include Windows computers and certain network devices.

You must specify the -h option (to indicate the host name of the target device), and the -u option (to indicate the user name with which to log into the device). To execute a command on the target device, use the -C option. You may also optionally use the -P (--port) option to specify a particular port for the SSH connection.

If you have a Password Safe appliance, Endpoint Privilege Management for Unix and Linux can be configured to automatically obtain the device password from Password Safe. To do so, the following Endpoint Privilege Management for Unix and Linux settings must be specified on the submit host:

  • pkrunfile
  • pk_cert (or the --pk_cert option)
  • pk_servers (or the --pk_servers option)
  • pbsshshell (optional)

If you do not have a Password Safe appliance, then pbssh prompts the user for the password. The user is also prompted under these circumstances:

  • The Password Safe appliance is not available.
  • The Endpoint Privilege Management for Unix and Linux settings are not specified or not correctly specified.
  • The --skip_pkrun option is specified on the pbrun command line.
  • The --telnet option is specified on the pbrun command line.

The --domain option has two purposes, both of which are related to Password Safe:

  • If you need to log into a host using a domain account, then the --domain option defines the domain from which Password Safe should obtain the domain account password.
  • If the --user option defines a user account, and you want to use a Password Safe managed account alias in place of the actual managed system name, then you use the --domain option to specify the managed system alias.

Unlike pbrun, pbssh does not require a command to be specified. Consequently, the Endpoint Privilege Management for Unix and Linux policy function basename() always returns pbssh. In the Endpoint Privilege Management for Unix and Linux policy, to determine the command that was specified, parse the argv list.
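The argv parsing described above, modelled in Python as an added illustration (this is not the product's policy language and not BeyondTrust code): it handles the short and long option forms from the pbssh syntax and then makes a policy-style decision, with the allow-list check and all helper names being assumptions of this example.

```python
# Added illustration (Python, not the product's policy language) of the argv parsing
# a policy must do for pbssh, since basename() is always "pbssh". Helpers are hypothetical.
VALUE_OPTS = {  # options that take a value (next argument or after "=")
    "-c": "pk_cert", "--pk_cert": "pk_cert",
    "-C": "command", "--command": "command",
    "-d": "debug", "--debug": "debug",
    "-D": "domain", "--domain": "domain",
    "-h": "host", "--host": "host",
    "-K": "pk_servers", "--pk_servers": "pk_servers",
    "-P": "port", "--port": "port",
    "-u": "user", "--user": "user",
}
FLAG_OPTS = {  # options that are plain flags
    "-k": "skip_pkrun", "--skip_pkrun": "skip_pkrun",
    "-r": "pk_reset_password", "--pk_reset_password": "pk_reset_password",
    "-T": "telnet", "--telnet": "telnet",
}

def parse_pbssh_argv(argv):
    """Turn argv (argv[0] is the program name) into a dict of option values."""
    opts = {"program": argv[0], "positional": []}
    args, i = argv[1:], 0
    while i < len(args):
        name, has_eq, inline = args[i].partition("=")
        if name in FLAG_OPTS:
            opts[FLAG_OPTS[name]] = True
        elif name in VALUE_OPTS:
            if not has_eq:  # value is the next argument, e.g. -C "dir /w"
                i += 1
                if i >= len(args):
                    raise ValueError(f"{name} requires a value")
                inline = args[i]
            opts[VALUE_OPTS[name]] = inline
        else:
            opts["positional"].append(args[i])
        i += 1
    return opts

def check_request(opts, allowed_hosts):
    """Policy-style decision as (decision, detail): -h and -u are mandatory, telnet
    is refused because it is cleartext, and the host allow list is an assumption."""
    host, user = opts.get("host"), opts.get("user")
    if not host or not user:
        return ("reject", "both -h and -u are required")
    if opts.get("telnet"):
        return ("reject", "telnet sends credentials in cleartext")
    if host not in allowed_hosts:
        return ("reject", f"host {host} not permitted")
    # Without -C the session is interactive; the command only ever appears in argv.
    return ("accept", opts.get("command") or "<interactive session>")
```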

Syntax

pbssh [options] command [command_arguments]
   -c, --pk_cert
   -C, --command
   -d, --debug=connect
   -d, --debug=time
   -d, --debug=ttime
   -D, --domain
   -h, --host=run_host
   -k, --skip_pkrun
   -K, --pk_servers
   -P, --port=ssh_port
   -r, --pk_reset_password
   -T, --telnet
   -u, --user=request_user
pbssh -v | --version
pbssh --help

Arguments

-c, --pk_cert Optional. Absolute path to the Password Safe certificate on the submit host. Overrides the pk_cert Endpoint Privilege Management for Unix and Linux setting.
-C, --command='ssh_command' Optional. Command and arguments to be executed on the target SSH-managed device. If arguments are specified, the command and its arguments must be enclosed together in single quotation marks.
-d connect, --debug=connect Optional. Displays policy server connection information for debugging.
-d time, --debug=time Optional. Displays pbssh timing information for debugging. This option is intended primarily for BeyondTrust Technical Support.
-d ttime, --debug=ttime Optional. Displays pbssh total run time for debugging.
-D, --domain Optional. Specifies a domain for Password Safe to use when obtaining a domain account password, or defines a Password Safe managed system alias to use instead of the actual host name.
  • Version 6.1 and earlier: option not available.
  • Version 6.2 and later: option available.

-h, --host=run_host Required. Requests run_host as the run host for the secured task.
-k, --skip_pkrun Optional. Specifies that the SSH-managed device password not be obtained from Password Safe.
-K, --pk_servers Optional. Specifies the host name or IP address of one or more PowerBroker Safe appliances. Overrides the pk_servers Endpoint Privilege Management for Unix and Linux setting. To specify more than one PowerBroker Safe appliance, separate each name by a space and enclose the list in quotation marks.
-P, --port=ssh_port Optional. Specifies a TCP port to use for the SSH session. If not specified, then a default port number is used.
-r, --pk_reset_password Optional. Specifies that PowerBroker Safe check in a new password for the user after the PowerBroker Safe command is complete.
-T, --telnet Optional. Specifies that a connection to an SSH-managed device be made using the telnet protocol, not the SSH protocol.
-u, --user=request_user Required. Sets the variable requestuser to request_user. The policy can then decide to honor the request and set runuser and/or runeffectiveuser equal to request_user.
-v, --version Optional. Displays the program version and exits.
--help Optional. Displays the program help message and exits.

Files

/etc/pb.settings Local Endpoint Privilege Management for Unix and Linux submithost settings

Example

pbssh -h runhost -u jjones -C "dir /w"

For more information, see Connections to SSH-Managed Devices.