Quick SSH Access

This article describes how to provide access from PrivX users to hosts. The high-level steps involve:

  • Adding users who are to be given access.
  • Adding target hosts, so that they can be accessed.
  • Connecting to target hosts via the PrivX GUI.

This article also describes enabling optional features for SSH connections:

  • Certificate Authentication

Prerequisites

You need a licensed PrivX deployment. To quickly set up PrivX, see Quick PrivX Setup.

You will also need a host for PrivX users to connect to. This target host must satisfy the following:

  • The PrivX server must be able to establish SSH connections to the target host.
  • The target host has a root account that can be connected to via SSH.

If you do not have other hosts, you may use the PrivX server itself as the target host.

Adding Users and Permissions

You can quickly provide access by adding local users to PrivX. To do this:

  1. Navigate to the address of the PrivX server and log in as superuser.
    PrivX login page

  2. In the PrivX GUI, navigate to the Administration→Users page and click Add User.
    Administration→Users page with Add User button highlighted
    You will be presented with the New User view.

  3. In the New User view, provide the required information about the user. Click Save to save the user.
    New User page with basic user fields filled in, including: username, password & verify password, full name, and email

    You should now be able to see your new local user back on the Administration→Users page.
    Users page displaying the newly created

PrivX provides access in a role-based manner. To create a role and to add rolemembers:

  1. In the PrivX GUI, navigate to the Administration→Roles page, and click Add Role.

    You will be presented with a form for providing information about the new role.

    Add Role view with one rule where directory is set to Local users and Search string is set to (principal=alice)

  2. Provide a name for the new role. Also add users to the role by defining rules. To define a new rule for the role, click Add Rule. In this example, we add a rule to include the local user(s) who have the principal alice into the role:

    Add Role view with Matching users showing one match

The number of role members is indicated by Matching users. The count is updated when you unfocus from the Search String field (such as by pressing enter, or by clicking somewhere else in the GUI).

Leave the other role settings as they are.

  1. Click Save to finalize role creation. Your new role should be visible back on the Administration→Roles page.

    Dropdown menu next to the role. The List Members choice is highlighted in the dropdown menu
    Role members view listing alice as a member

Adding Target Hosts

Make hosts accessible via PrivX:

On the Administration→Hosts page, click Add Host. Provide at least:

  • The Name and the network Addresses of the host. This data helps users identify the target host.

  • The Services (SSH and/or RDP servers) available on the host. In this example we add the SSH server by providing its FQDN address and port number.

  • The Accounts to which roles are mapped on the target host. Leave the Password empty to require password authentication upon connecting. In this example we allow the previously-created example role to access the host as target user root.

If you are adding an RDP host which uses domain accounts, you must use the username@domain syntax. For example, for domain account Domain\Administrator, the correct syntax is Administrator@Domain.

  • Enable SSH - Trust on first use to allow users to accept the SSH host key upon login.
    Add hosts view with basic host information filled in, including host name, comma-separated addresses. Also defines one SSH service with Trust on first use enabled. Finally, including one Explicit account mapping Example Role to root
    Click Save to save the host.

    You may verify that the host is listed back on the Administration→Hosts page.

Connecting via the GUI

After you have set up roles to access hosts, you may test connections as follows:

  1. Log into the PrivX GUI as the test user we created previously.

  2. Navigate to the Connections→Available Hosts page. The hosts you can connect to are listed under Available hosts.

    Expand a connection entry to display its available services. In this example, we click the SSH-server service to connect to our test host.

  3. Accept the SSH host key if prompted. Authenticate to the host by providing the password of the target account (not the PrivX account password). You should now be successfully connected to the host.

Enable Certificate Authentication

Enable authentication using just-in-time certificates, which improves security and gets rid of passwords.

To enable certificate authentication for OpenSSH connections, run the PrivX host-deployment script on the target host. The host-deployment script is a Python script that configures the OpenSSH server on the target host to accept certificates issued by PrivX. The script also sets up allowed principals for target users.

To obtain and run the host-deployment script:

  1. Create a host-deployment script. To do this, access the PrivX GUI as superuser, then go to the Administration→Deployment→Deploy and Configure SSH Target Hosts page.

    Select Configure using a deployment script, provide a name for the script, then click Add Script. Download the deploy.py script when prompted to.

  2. Upload the host-deployment script to the target host. You may connect to the target host via the PrivX GUI, and then upload the deploy.py via the connection's File Transfers tab.

  3. Execute the host-deployment script as root on the target host.

    In the command, use --principals to specify the target accounts and the roles that are allowed to access them. Also add the --standalone option if your target host is not hosted by a supported cloud provider.

    For example, allowing both the target accounts root and johndoe to be accessed by members of Example Role and privx-admin (replace /path/to/deploy.py with the path of the host-deployment script, note that role names with spaces need to be quoted):

    # python /path/to/deploy.py --standalone --principals \
  root="Example Role",privx-admin:johndoe="Example Role",privx-admin

SSH connections to the target accounts from the specified roles are now authorized using certificates, without prompting users for passwords.

You may also verify that certificate authorization is used by checking the OpenSSH-server logs on the target server. Upon successful certificate authorization there should be a log message like the following:

Accepted publickey for root from 192.0.2.26 port 50930 ssh2: RSA-CERT \
ID alice@127.0.0.1:53188 serial 4920619392583124720 (serial 4920619392583124720) \
CA RSA 98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8

Was this page helpful?

On this page