Extender Configuration
Configuring Extender Log Location
By default, PrivX Extender logs info and error messages to /var/log/privx/privx-extender.log.
To also send logs to syslog, specify the rsyslog address and protocol in /opt/privx/etc/extender-config.toml, similar to the following:
syslog_protocol="tcp"
syslog_address="localhost:514"
Restart PrivX Extender to apply the changes, and make sure rsyslog is running on the Extender host:
# systemctl restart privx-extender
# systemctl restart rsyslog
Proxying Native-Client Connections
To allow proxying native-client connections via PrivX Extenders:
On all your PrivX servers, enable the forwarder_enabled setting in /opt/privx/etc/ssh-proxy.toml. Restart PrivX services to apply the changes:
# systemctl restart privx
Caution: The forwarder relays all the data it receives (not just the native-client connections), and should not be enabled in high-security networks.
Session recording must be disabled on hosts that are to be accessed using proxied native-client connections. For more detailed instructions about toggling session recording, see Session-Recording Setup.
(Optional) To simplify native-client commands, specify the required connection parameters in the users' SSH-client configuration (typically /etc/ssh/ssh_config or ~/.ssh/config). You can do this using Host blocks that at least specify:
The target HostName, in extender-name/target-host-address format.
The ProxyCommand:
privx-nc -x $PRIVX_AGENT_PROXY %h %p
For example:
Host bilberry
    HostName example-extender/bilberry.example.com
    ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
After setup, you can connect to target hosts as follows:
As the native-client user, start the PrivX agent (if not already started) and use it to log into PrivX.
If you have specified the required parameters in your SSH-client configuration, you can connect simply using the appropriate Host block. For example:
$ ssh target-user@bilberry
$ sftp target-user@bilberry
$ scp source/file/path target-user@bilberry:/target/file/path
Otherwise, you must additionally provide the ProxyCommand and the name of the PrivX Extender, similar to the following:
$ ssh -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
target-user@example-extender/bilberry.example.com
$ sftp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \
target-user@example-extender/bilberry.example.com
$ scp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY example-extender/%h %p" \
source/file/path target-user@bilberry.example.com:/target/file/path
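The following shell script is an added example and is not part of the PrivX documentation or product. It reads a constructed ssh_config fragment, pulls the HostName and ProxyCommand out of a Host block, checks that the HostName has the extender-name/target-host-address shape described above, and substitutes %h and %p the way ssh does, so you can see the exact privx-nc command that ssh will hand to your shell before attempting a connection. The extender name example-extender and the host bilberry.example.com are the page's placeholders; the helper function names, the default port of 22 (the example does not read a Port directive), and the second "plain" Host block that deliberately lacks the extender prefix are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the PrivX documentation: preview the privx-nc
# command that ssh will run for a Host alias configured for Extender proxying.
# The ssh_config below is constructed for this example; helper names are ours.

# Fetch one directive from a "Host <alias>" block. Handles the plain
# "Host alias" / indented "Key value" layout only (no wildcards, no Match,
# no "Key=value" form).
ssh_config_get() {          # $1 = config file, $2 = alias, $3 = directive
    key_lc=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    awk -v alias="$2" -v key="$key_lc" '
        tolower($1) == "host" { inblock = ($2 == alias); next }
        inblock && tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive name
            print; exit
        }
    ' "$1"
}

# Split "extender-name/target-host-address"; fail on anything else
# (empty, missing slash, leading or trailing slash, more than one slash).
split_extender_target() {   # $1 = HostName value
    case "$1" in
        ""|/*|*/|*/*/*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "${1%%/*}" "${1#*/}"
}

# Substitute %h and %p as ssh does. $PRIVX_AGENT_PROXY is left untouched:
# ssh runs ProxyCommand through the user's shell, which expands it at
# connect time, so the PrivX agent must already have set it in that shell.
expand_proxy_command() {    # $1 = template, $2 = HostName, $3 = port
    printf '%s\n' "$1" | sed -e "s|%h|$2|g" -e "s|%p|$3|g"
}

# True when the agent has published its proxy address to this shell.
agent_proxy_ready() {
    [ -n "${PRIVX_AGENT_PROXY:-}" ]
}

# Print the fully expanded ProxyCommand for an alias, or fail if the block
# is missing a directive or its HostName lacks the extender prefix.
resolve_privx_target() {    # $1 = config file, $2 = alias, $3 = port (22)
    hn=$(ssh_config_get "$1" "$2" HostName)
    [ -n "$hn" ] || { echo "$2: no HostName" >&2; return 1; }
    pc=$(ssh_config_get "$1" "$2" ProxyCommand)
    [ -n "$pc" ] || { echo "$2: no ProxyCommand" >&2; return 1; }
    split_extender_target "$hn" >/dev/null ||
        { echo "$2: HostName '$hn' is not extender-name/target-host" >&2; return 1; }
    expand_proxy_command "$pc" "$hn" "${3:-22}"
}

# Constructed sample config: one correct block and one missing the prefix.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
Host bilberry
    HostName example-extender/bilberry.example.com
    ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p

Host plain
    HostName bilberry.example.com
    ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
EOF

resolve_privx_target "$CONF" bilberry
# -> privx-nc -x $PRIVX_AGENT_PROXY example-extender/bilberry.example.com 22
resolve_privx_target "$CONF" plain || echo "plain: rejected as expected"
agent_proxy_ready || echo "PRIVX_AGENT_PROXY is unset: start the PrivX agent and log in first"
```

On a host with OpenSSH 6.8 or later, `ssh -G bilberry` performs the same resolution against the real configuration, including wildcard Host patterns and Match blocks, and prints the effective hostname and proxycommand; the script above only shows what that resolution must produce for the Extender case.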
Custom Load-Balancer Support
If you are using a custom load balancer, ensure that its session-affinity cookie (also known as a sticky-session cookie) is accepted by all your PrivX Extenders:
Add the name of the session-affinity cookie to the known_lb_cookies setting in the Extender configuration at /opt/privx/etc/extender-config.toml. Restart the Extender with:
# systemctl restart privx-extender
See PrivX high availability deployment for more information.
If your PrivX HA deployment also includes PrivX Carriers and PrivX Web Proxies, configure those to accept your session-affinity cookie as well.