Connections to SSH-Managed Devices

Using the pbssh program and the Privilege Management for Unix and Linux policy, you can control who can access SSH-managed devices (such as a Windows computer or certain network devices) and what commands users can execute on those devices.

The pbssh binary enables you to access and manage third party devices that are not accessible using the traditional pbrun binary. These devices can be a router, a Windows machine, a Unix/Linux server where Privilege Management is not installed, or any other appliance that can be managed by SSH.

Using the pbssh program together with the Privilege Management for Unix and Linux policy, you can control which users can access these SSH-managed devices and which commands those users can execute on them, without installing Privilege Management on the devices themselves. As long as SSH is configured properly for access to the device, pbssh can access and manage it. In addition, the logging features (I/O logging and event logging) are available for pbssh sessions.

Compared to the traditional Privilege Management pbrun program, there are a few limitations on what pbssh can achieve. Because Privilege Management is not installed on the target device (the runhost), none of the run variables in the Privilege Management policy apply to pbssh, so pbssh cannot elevate a user's privileges on the target device. Using the setkeystrokeaction function, you can limit the commands that a user can execute on the target device, but you cannot allow the user to run a command on that device that their account is not normally able to run.

When invoked, the pbssh program connects to the target host (specified with the required -h option) using an existing user account on that host (specified with the required -u option). The target host will likely require a password. If Password Safe (pkrun) is available and configured properly (using the Privilege Management settings pkrunfile, pk_cert, and pk_servers), the password is retrieved automatically from the Password Safe server. Otherwise, the user is prompted for the password.
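As an added illustration (not from this page and not BeyondTrust's own sample policy), the policy fragment below shows how the controls described above fit together for a pbssh session: gating access by group, turning on I/O logging, and using setkeystrokeaction to reject specific commands typed on the device. It assumes that the submitted program is visible in the policy variable command, that basename, ingroup and mktemp are available policy functions, that setkeystrokeaction takes (pattern, action, message) with "reject" as a valid action, and that the group name, log path and command patterns are site-specific placeholders.

```text
# Constructed policy fragment for pbssh sessions (not from the product docs).
# Assumption: command holds the submitted program name, so basename(command)
# is "pbssh" when a user runs pbssh -h <device> -u <account>.
if (basename(command) == "pbssh") {

    # Assumption: ingroup(user, group) is available; "netops" is a placeholder.
    if (!ingroup(user, "netops")) {
        reject "Only members of netops may connect to SSH-managed devices";
    }

    # Record the whole interactive session. pbssh supports I/O logging,
    # and the pbsshshell setting must name the shell on the device so the
    # log is parsed correctly. Path is a placeholder.
    iolog = mktemp("/var/log/pb.iolog.pbssh.XXXXXX");

    # setkeystrokeaction can only restrict what the account on the device
    # may already do; it cannot grant anything the account lacks.
    # Assumption: action "reject" aborts the matching keystroke line and
    # shows the message. Patterns are placeholders for device commands.
    setkeystrokeaction("write erase*", "reject",
                       "Erasing the device configuration via pbssh is not permitted");
    setkeystrokeaction("reload*", "reject",
                       "Reloading the device via pbssh is not permitted");

    accept;
}
```

The group check runs before accept so that an unauthorised user never reaches the password prompt or the Password Safe lookup, and the keystroke rules are set before accept because they apply only to the I/O-logged session that accept starts.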

The following settings govern this feature:

pbsshlog

  • Version 6.0 and earlier: pbsshlog setting not available.
  • Version 6.2.5 and later: pbsshlog setting available.

pbsshlog contains the name of the pbssh diagnostic log file.

Example:

pbsshlog /var/log/pbssh.log

No default value

Used on: Submit hosts

pbsshshell

  • Version 6.0 and earlier: pbsshshell setting not available.
  • Version 6.2.5 and later: pbsshshell setting available.

The pbsshshell setting specifies the shell to be used while connected to an SSH-managed device. Privilege Management for Unix and Linux uses this setting to correctly perform I/O logging.

Examples:

pbsshshell bash
pbsshshell /bin/sh

Used on: Submit hosts

pk_cert

  • Version 6.0 and earlier: pk_cert setting not available.
  • Version 6.2.5 and later: pk_cert setting available.

The pk_cert setting specifies the absolute path to the Password Safe certificate to use when using pbssh.

Example:

pk_cert /etc/mypk.cert

No default value

Used on: Submit hosts

For more information, please see pbssh.

pk_servers

  • Version 6.0 and earlier: pk_servers setting not available.
  • Version 6.2.5 and later: pk_servers setting available.

The pk_servers setting specifies one or more Password Safe servers (by host name or IP address) from which to obtain the password to use when logging in to an SSH-managed device.

Example:

pk_servers host0 192.168.1.125

No default value

Used on: Submit hosts

pkrunfile

  • Version 6.0 and earlier: pkrunfile setting not available.
  • Version 6.2.5 and later: pkrunfile setting available.

The pkrunfile setting specifies the absolute path and file name of the pkrun executable file. This setting enables you to use Password Safe when using pbssh.

Example:

pkrunfile /usr/bin/pkrun

No default value

Used on: Submit hosts

For more information, please see pbssh.

pktimeout

  • Version 6.0 and earlier: pktimeout setting not available.
  • Version 6.2.5 and later: pktimeout setting available.

The pktimeout setting specifies the amount of time (in seconds) that the pbssh program waits for a response from Password Safe. If you specify a value less than 60 seconds, then 60 seconds is used.

Examples:

pktimeout 100
pktimeout 60

Used on: Submit hosts

shortnamespk

  • Version 6.0 and earlier: shortnamespk setting not available.
  • Version 6.2.5 and later: shortnamespk setting available.

The shortnamespk setting enables pbssh to connect to a Password Safe host using a short host name instead of a fully-qualified domain name. Specifying yes for the shortnamespk setting enables short host names; specifying no requires that host names be fully-qualified domain names.

Examples:

shortnamespk yes
shortnamespk no

Used on: Submit hosts
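As an added example (not from this page), the pb.settings fragment below assembles the settings documented above on a submit host that retrieves device passwords from Password Safe. The paths, host names and certificate location are constructed placeholders.

```text
# Constructed pb.settings fragment for a submit host (placeholder values).

# pbssh writes its own diagnostic log, separate from the event and I/O logs.
pbsshlog        /var/log/pbssh.log

# Shell that will be running on the SSH-managed device; Privilege Management
# needs this to perform I/O logging of the session correctly.
pbsshshell      /bin/sh

# Password Safe integration: pbssh retrieves the device password automatically
# only when pkrunfile, pk_cert and pk_servers are all configured.
pkrunfile       /usr/bin/pkrun
pk_cert         /etc/mypk.cert
pk_servers      pksafe1.example.com 192.168.1.125

# Seconds to wait for Password Safe. Any value below 60 is raised to 60,
# so a setting such as 45 would not take effect as written.
pktimeout       120

# Password Safe hosts are given as fully-qualified domain names above,
# so short host names are not required.
shortnamespk    no
```

If any of the three Password Safe settings is missing, pbssh falls back to prompting the user for the device password, so a misconfiguration shows up as an unexpected password prompt rather than a connection failure.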