Connections to SSH-Managed Devices

Using the pbssh program and the Endpoint Privilege Management for Unix and Linux policy, you can control who can access SSH-managed devices (such as a Windows computer or certain network devices) and what commands users can execute on those devices.

The pbssh binary enables you to access and manage third-party devices that are not accessible using the traditional pbrun binary. These devices can be a router, a Windows machine, a Unix/Linux server on which Endpoint Privilege Management is not installed, or any other appliance that can be managed over SSH.

Using the pbssh program and the Endpoint Privilege Management for Unix and Linux policy, you can control which users can access these SSH-managed devices and which commands those users can execute on them, without installing Endpoint Privilege Management on the devices themselves. As long as SSH access to the device is configured correctly, pbssh can connect to and manage it. The I/O logging and event logging features are also available for pbssh sessions.

Compared to the traditional Endpoint Privilege Management pbrun program, there are a few limitations on what pbssh can achieve. Because Endpoint Privilege Management is not installed on the target device (runhost), none of the run variables in the Endpoint Privilege Management policy apply to pbssh, so pbssh cannot elevate a user's privileges on the target device. Using the setkeystrokeaction function, you can restrict the commands that a user may execute on the target device, but you cannot grant the user a command that the account they log in with is not already permitted to run.

When invoked, the pbssh program connects to the target host (specified with the required -h option) using an existing user account on that host (specified with the required -u option). The target host will usually require a password. If Password Safe (pkrun) is available and configured correctly (using the Endpoint Privilege Management settings pkrunfile, pk_cert, and pk_servers), the password is retrieved automatically from the Password Safe server. Otherwise, the user is prompted for the password.

The following settings govern this feature:

pbsshlog

  • Version 6.0 and earlier: pbsshlog setting not available.
  • Version 6.2.5 and later: pbsshlog setting available.

pbsshlog contains the name of the pbssh diagnostic log file.

pbsshlog /var/log/pbssh.log

Default

No default value

Used on

Submit hosts

pbsshshell

  • Version 6.0 and earlier: pbsshshell setting not available.
  • Version 6.2.5 and later: pbsshshell setting available.

The pbsshshell setting specifies the shell to be used while connected to an SSH-managed device. Endpoint Privilege Management for Unix and Linux uses this setting to correctly perform I/O logging.

pbsshshell bash

Default

pbsshshell /bin/sh

Used on

Submit hosts

pk_cert

  • Version 6.0 and earlier: pk_cert setting not available.
  • Version 6.2.5 and later: pk_cert setting available.

The pk_cert setting specifies the absolute path to the Password Safe certificate to use when using pbssh.

pk_cert /etc/mypk.cert

Default

No default value

Used on

Submit hosts

For more information, see pbssh.

pk_servers

  • Version 6.0 and earlier: pk_servers setting not available.
  • Version 6.2.5 and later: pk_servers setting available.

The pk_servers setting specifies one or more Password Safe servers (by host name or IP address) from which to obtain the password to use when logging in to an SSH-managed device.

pk_servers host0 192.168.1.125

Default

No default value

Used on

Submit hosts

pkrunfile

  • Version 6.0 and earlier: pkrunfile setting not available.
  • Version 6.2.5 and later: pkrunfile setting available.

The pkrunfile setting specifies the absolute path and file name of the pkrun executable file. This setting enables you to use Password Safe when using pbssh.

pkrunfile /usr/bin/pkrun

Default

No default value

Used on

Submit hosts

For more information, see pbssh.

pktimeout

  • Version 6.0 and earlier: pktimeout setting not available.
  • Version 6.2.5 and later: pktimeout setting available.

The pktimeout setting specifies the amount of time (in seconds) that the pbssh program waits for a response from Password Safe. If you specify a value less than 60 seconds, then 60 seconds is used.

pktimeout 100

Default

pktimeout 60

Used on

Submit hosts

shortnamespk

  • Version 6.0 and earlier: shortnamespk setting not available.
  • Version 6.2.5 and later: shortnamespk setting available.

The shortnamespk setting enables pbssh to connect to a Password Safe host using a short host name instead of a fully-qualified domain name. Specifying yes for the shortnamespk setting enables short host names; specifying no requires that host names be fully-qualified domain names.

shortnamespk yes

Default

shortnamespk no

Used on

Submit hosts
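The constraints stated above are easy to get wrong in a hand-edited settings file: pkrunfile, pk_cert and pk_servers must all be present for Password Safe retrieval to happen (otherwise pbssh silently falls back to prompting), pktimeout values below 60 are replaced by 60, shortnamespk takes only yes or no, and with shortnamespk no the Password Safe hosts must be fully-qualified names or IP addresses. The following script is an added example, not part of Endpoint Privilege Management or its documentation; it reads a pb.settings-style file (one "name value" pair per line, # comments) and reports each violation it finds. The settings file it writes is a constructed sample with deliberate mistakes, and the function names are the author's own.

```shell
#!/bin/sh
# Lint for the pbssh / Password Safe settings described in this section.
# Added example, not part of Endpoint Privilege Management. It encodes the
# constraints the manual states: absolute paths, the 60-second pktimeout floor,
# yes/no for shortnamespk, and FQDN/IP Password Safe hosts unless shortnamespk is yes.

# get_setting FILE NAME: print the value of the first "NAME value..." line, if any.
get_setting() {
  awk -v name="$2" '$1 == name { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# effective_pktimeout FILE: the timeout pbssh will actually use.
# Values below 60 are replaced by 60; an absent or non-numeric value means the default, 60.
effective_pktimeout() {
  v=$(get_setting "$1" pktimeout)
  case "$v" in
    ''|*[!0-9]*) echo 60; return ;;
  esac
  if [ "$v" -lt 60 ]; then echo 60; else echo "$v"; fi
}

# is_fqdn_or_ip NAME: true when NAME contains a dot, i.e. looks like an FQDN or an IPv4 address.
is_fqdn_or_ip() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# check_settings FILE: print one line per finding (nothing for a clean file).
check_settings() {
  f=$1
  pkrunfile=$(get_setting "$f" pkrunfile)
  pk_cert=$(get_setting "$f" pk_cert)
  pk_servers=$(get_setting "$f" pk_servers)
  shortnames=$(get_setting "$f" shortnamespk)
  pktimeout=$(get_setting "$f" pktimeout)

  # Settings the manual documents as absolute paths; unset is allowed (no default).
  for key in pkrunfile pk_cert pbsshlog; do
    v=$(get_setting "$f" "$key")
    case "$v" in
      ''|/*) ;;
      *) echo "$key: expected an absolute path, got '$v'" ;;
    esac
  done

  # Password Safe retrieval needs all of pkrunfile, pk_cert and pk_servers;
  # otherwise pbssh falls back to prompting the user for the password.
  if [ -n "$pkrunfile" ]; then
    [ -n "$pk_cert" ]    || echo "pkrunfile is set but pk_cert is missing: pbssh will prompt for the password"
    [ -n "$pk_servers" ] || echo "pkrunfile is set but pk_servers is missing: pbssh will prompt for the password"
  fi

  # shortnamespk accepts only yes or no; anything else is flagged and treated as the default (no).
  case "$shortnames" in
    ''|yes|no) ;;
    *) echo "shortnamespk: expected yes or no, got '$shortnames'"; shortnames=no ;;
  esac

  # With shortnamespk no (the default), Password Safe hosts must be FQDNs or IP addresses.
  if [ "${shortnames:-no}" = no ]; then
    for h in $pk_servers; do
      is_fqdn_or_ip "$h" || echo "pk_servers: '$h' is a short name but shortnamespk is no"
    done
  fi

  # pktimeout below 60 is raised to 60 by pbssh; report it rather than let it surprise someone.
  if [ -n "$pktimeout" ] && [ "$(effective_pktimeout "$f")" != "$pktimeout" ]; then
    echo "pktimeout: configured $pktimeout, pbssh will use $(effective_pktimeout "$f")"
  fi
}

# finding_count FILE: number of findings, 0 for a clean file.
finding_count() {
  n=$(check_settings "$1" | grep -c .) || n=0
  echo "$n"
}

# write_sample FILE: constructed pb.settings fragment with deliberate mistakes (not a real host's file).
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample, not a real host's pb.settings
pbsshlog /var/log/pbssh.log
pbsshshell bash
pkrunfile pkrun
pk_servers host0 192.168.1.125
pktimeout 30
shortnamespk no
EOF
}

# Usage: sh lint_pbssh_settings.sh --demo   (or call check_settings /etc/pb.settings directly)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample "$tmp"
  check_settings "$tmp"
  echo "findings: $(finding_count "$tmp")"
  rm -f "$tmp"
fi
```

Run with --demo to see the four findings the constructed sample produces (a relative pkrunfile, a missing pk_cert, the short host name host0 with shortnamespk no, and pktimeout 30 being raised to 60); point check_settings at a real pb.settings on a submit host to lint it. Because the settings are only consulted on submit hosts, that is where the check belongs.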