By default PrivX Extender logs info and errors to
If you want to enable logging to syslog, specify the rsyslog address and protocol in
/opt/privx/etc/extender-config.toml, similar to the following:
Restart PrivX Extender to apply the changes. In addition make sure rsyslog is enabled on the extender host:
# systemctl restart privx-extender # systemctl restart rsyslog
To allow proxying native-client connections via PrivX Extenders:
On all your PrivX servers, enable the
forwarder_enabled setting in
Restart PrivX services to apply the changes:
# systemctl restart privx
The forwarder relays all the data it receives (not just the native-client connections), and should not be enabled in high-security networks.
Session recording must be disabled on hosts that are to be accessed using proxied native-client connections. For more detailed instructions about toggling session recording, see Session-Recording Setup.
(Optional) To simplify native-client commands, specify the required connection parameters in the users' client configuration (typically at
~/.ssh/config). You can do this using
Host blocks that at least specify:
The target HostName in
privx-nc -x $PRIVX_AGENT_PROXY %h %p
Host bilberry HostName example-extender/bilberry.example.com ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p
After setup, you can connect to target hosts as follows:
As the native-client user, start the PrivX agent (if not already started) and use it to log into PrivX.
If you have specified the required parameters in your SSH-client configuration, you can connect simply using the appropriate Host block. For example:
$ ssh [email protected]
$ sftp [email protected]
$ scp source/file/path [email protected]:/target/file/path
Otherwise, you must additionally provide the ProxyCommand and the name of the PrivX Extender, similar to the following:
$ ssh -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \ [email protected]/bilberry.example.com
$ sftp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY %h %p" \ [email protected]/bilberry.example.com
$ scp -o "ProxyCommand privx-nc -x $PRIVX_AGENT_PROXY example-extender/%h %p" \ source/file/path[email protected]:/target/file/path
If you are using a custom load balancer, ensure that its session-affinity cookie (also known as a sticky-session cookie) is accepted by all your PrivX Extenders:
Add the name of the session-affinity cookie to the
known_lb_cookies setting. The setting is in the Extender at
Restart the Extender with:
# systemctl restart privx-extender
See PrivX high availability deployment for more information.
If your PrivX HA deployment also includes PrivX Carriers and PrivX Web Proxies, configure those to accept your session-affinity cookie as well.
Updated 8 months ago