Host Directories

PrivX can be configured to fetch cloud instances or hosts through cloud APIs. For cloud hosts, PrivX will also show instance status and cloud region in the administrator user interface.

AWS EC2 as a Host Directory
Google Cloud Platform as a Host Directory

Microsoft Azure
OpenStack

Updated 3 months ago