pbssh
- Version 6.0.1 and earlier: pbssh program not available.
- Version 6.1 and later: pbssh program available.
Using Endpoint Privilege Management for Unix and Linux policy and the pbssh program, you can control access to, and activities on, SSH-managed devices. The pbssh program is similar to the pbrun program, except that it uses the SSH protocol (or, optionally, the telnet protocol) to connect to devices that do not have Endpoint Privilege Management for Unix and Linux installed on them; such devices can include Windows computers and certain network devices.
You must specify the -h option (to indicate the host name of the target device), and the -u option (to indicate the user name with which to log into the device). To execute a command on the target device, use the -C option. You may also optionally use the -P (--port) option to specify a particular port for the SSH connection.
If you have a Password Safe appliance, Endpoint Privilege Management for Unix and Linux can be configured to obtain the device password from Password Safe automatically. To do so, the following Endpoint Privilege Management for Unix and Linux settings must be specified on the submit host:
- pkrunfile
- pk_cert (or the --pk_cert option)
- pk_servers (or the --pk_servers option)
- pbsshshell (optional)
If you do not have a Password Safe appliance, then pbssh prompts the user for the password. The user is also prompted under these circumstances:
- The Password Safe appliance is not available.
- The Endpoint Privilege Management for Unix and Linux settings are not specified or not correctly specified.
- The --skip_pkrun option is specified on the pbrun command line.
- The --telnet option is specified on the pbrun command line.
The --domain option has two purposes, both of which are related to Password Safe:
- If you need to log into a host using a domain account, the --domain option defines the domain from which Password Safe should obtain the domain account password.
- If the --user option defines a user account, and you want to use a Password Safe managed account alias in place of the actual managed system name, then you use the --domain option to specify the managed system alias.
Unlike pbrun, pbssh does not require a command to be specified. Consequently, the Endpoint Privilege Management for Unix and Linux policy function basename() always returns pbssh. In the Endpoint Privilege Management for Unix and Linux policy, to determine the command that was specified, parse the argv list.
Syntax
pbssh [options] command [command_arguments]
    -c, --pk_cert
    -C, --command
    -d, --debug=connect
    -d, --debug=time
    -d, --debug=ttime
    -D, --domain
    -h, --host=run_host
    -k, --skip_pk
    -K, --pk_servers
    -P, --port=ssh_port
    -r, --pk_reset_password
    -T, --telnet
    -u, --user=request_user
pbssh -v | --version
pbssh --help
Arguments
-c, --pk_cert | Optional. Absolute path to the Password Safe certificate on the submit host. Overrides the pk_cert Endpoint Privilege Management for Unix and Linux setting.
-C, --command='ssh_command' | Optional. Command and arguments to be executed on the target SSH-managed device. If arguments are specified, the command and its arguments must be enclosed together in single quotation marks.
-d connect, --debug=connect | Optional. Displays policy server connection information for debugging.
-d time, --debug=time | Optional. Displays pbssh timing information for debugging. This option is intended primarily for BeyondTrust Technical Support.
-d ttime, --debug=ttime | Optional. Displays pbssh total run time for debugging.
-D, --domain | Optional. Specifies a domain for Password Safe to use when obtaining a domain account password, or defines a Password Safe managed system alias to use instead of the actual host name. Version 6.1 and earlier: option not available. Version 6.2 and later: option available.
-h, --host=run_host | Required. Requests run_host as the run host for the secured task.
-k, --skip_pkrun | Optional. Specifies that the SSH-managed device password not be obtained from Password Safe.
-K, --pk_servers | Optional. Specifies the host name or IP address of one or more PowerBroker Safe appliances. Overrides the pk_servers Endpoint Privilege Management for Unix and Linux setting. To specify more than one PowerBroker Safe appliance, separate each name by a space and enclose the list in quotation marks.
-P, --port=ssh_port | Optional. Specifies a TCP port to use for the SSH session. If not specified, a default port number is used.
-r, --pk_reset_password | Optional. Specifies that PowerBroker Safe check in a new password for the user after the PowerBroker Safe command is complete.
-T, --telnet | Optional. Specifies that a connection to an SSH-managed device be made using the telnet protocol, not the SSH protocol.
-u, --user=request_user | Required. Sets the variable requestuser to request_user. The policy can then decide to honor the request and set runuser and/or runeffectiveuser equal to request_user.
-v, --version | Optional. Displays the program version and exits.
--help | Optional. Displays the program help message and exits.
Files
/etc/pb.settings | Local Endpoint Privilege Management for Unix and Linux submit host settings
Example
pbssh -h runhost -u jjones -C "dir /w"
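The following POSIX sh helper is an added example, not code from the product or its documentation. It assembles a pbssh command line the way the option reference above describes: -h and -u are mandatory, -P is optional and must be numeric, and -C carries the whole remote command as a single quoted argument. The function name build_pbssh_cmdline and its positional-parameter interface are assumptions of this example; it prints the command line instead of executing it, so it can be checked on a machine without pbssh installed.

```shell
# Hypothetical helper (not part of the product): build a pbssh invocation from
# the target host, login user, optional SSH port and optional remote command,
# enforcing the option rules stated in the reference.
build_pbssh_cmdline() {
  host=$1       # value for -h/--host (required)
  user=$2       # value for -u/--user (required)
  port=$3       # value for -P/--port; empty means use pbssh's default port
  remote_cmd=$4 # value for -C/--command; empty means no remote command

  if [ -z "$host" ]; then
    echo "build_pbssh_cmdline: -h/--host is required" >&2
    return 1
  fi
  if [ -z "$user" ]; then
    echo "build_pbssh_cmdline: -u/--user is required" >&2
    return 1
  fi

  line="pbssh -h $host -u $user"

  if [ -n "$port" ]; then
    case $port in
      *[!0-9]*)
        echo "build_pbssh_cmdline: -P/--port must be numeric, got '$port'" >&2
        return 1 ;;
    esac
    line="$line -P $port"
  fi

  if [ -n "$remote_cmd" ]; then
    # Wrap the command and its arguments in single quotes so the shell hands
    # them to pbssh as one -C argument; embedded single quotes are escaped.
    quoted=$(printf '%s' "$remote_cmd" | sed "s/'/'\\\\''/g")
    line="$line -C '$quoted'"
  fi

  printf '%s\n' "$line"
}

# Stand-alone demonstration using the values from the example above.
if [ "${1:-}" = "--demo" ]; then
  build_pbssh_cmdline runhost jjones "" "dir /w"
fi
```

Running the script with --demo prints the same invocation as the example above; a missing host or user, or a non-numeric port, makes the function return 1 before anything is printed, so a wrapper script can refuse to start the session rather than let pbssh fail part-way through.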
For more information, see Connections to SSH-Managed Devices.