This article describes how to provide access from PrivX users to hosts. The high-level steps involve:
- Adding users who are to be given access.
- Adding target hosts, so that they can be accessed.
- Connecting to target hosts via the PrivX GUI.
This article also describes enabling optional features for SSH connections:
- Certificate Authentication
You need a licensed PrivX deployment. To quickly set up PrivX, see Quick PrivX Setup.
You will also need a host for PrivX users to connect to. This target host must satisfy the following:
- The PrivX server must be able to establish SSH connections to the target host.
- The target host has a
rootaccount that can be connected to via SSH.
If you do not have other hosts, you may use the PrivX server itself as the target host.
You can quickly provide access by adding local users to PrivX. To do this:
Navigate to the address of the PrivX server and log in as superuser.
In the PrivX GUI, navigate to the Administration→Users page and click Add User.
You will be presented with the New User view.
In the New User view, provide the required information about the user. Click Save to save the user.
You should now be able to see your new local user back on the Administration→Users page.
PrivX provides access in a role-based manner. To create a role and to add rolemembers:
In the PrivX GUI, navigate to the Administration→Roles page, and click Add Role.
You will be presented with a form for providing information about the new role.
Provide a name for the new role. Also add users to the role by defining rules. To define a new rule for the role, click Add Rule. In this example, we add a rule to include the local user(s) who have the principal alice into the role:
The number of role members is indicated by Matching users. The count is updated when you unfocus from the Search String field (such as by pressing enter, or by clicking somewhere else in the GUI).
Leave the other role settings as they are.
Click Save to finalize role creation. Your new role should be visible back on the Administration→Roles page.
Make hosts accessible via PrivX:
On the Administration→Hosts page, click Add Host. Provide at least:
The Name and the network Addresses of the host. This data helps users identify the target host.
The Services (SSH and/or RDP servers) available on the host. In this example we add the SSH server by providing its FQDN address and port number.
The Accounts to which roles are mapped on the target host. Leave the Password empty to require password authentication upon connecting. In this example we allow the previously-created example role to access the host as target user
If you are adding an RDP host which uses domain accounts, you must use the [email protected] syntax. For example, for domain account Domain\Administrator, the correct syntax is [email protected].
Enable SSH - Trust on first use to allow users to accept the SSH host key upon login.
Click Save to save the host.
You may verify that the host is listed back on the Administration→Hosts page.
After you have set up roles to access hosts, you may test connections as follows:
Log into the PrivX GUI as the test user we created previously.
Navigate to the Connections→Available Hosts page. The hosts you can connect to are listed under Available hosts.
Expand a connection entry to display its available services. In this example, we click the SSH-server service to connect to our test host.
Accept the SSH host key if prompted. Authenticate to the host by providing the password of the target account (not the PrivX account password). You should now be successfully connected to the host.
Enable authentication using just-in-time certificates, which improves security and gets rid of passwords.
To enable certificate authentication for OpenSSH connections, run the PrivX host-deployment script on the target host. The host-deployment script is a Python script that configures the OpenSSH server on the target host to accept certificates issued by PrivX. The script also sets up allowed principals for target users.
To obtain and run the host-deployment script:
Create a host-deployment script. To do this, access the PrivX GUI as superuser, then go to the Administration→Deployment→Deploy and Configure SSH Target Hosts page.
Select Configure using a deployment script, provide a name for the script, then click Add Script. Download the
deploy.py script when prompted to.
Upload the host-deployment script to the target host. You may do this via the PrivX GUI by connecting to the target host (similarly as in Connecting to Hosts), and then by navigating to the File Transfers tab.
Execute the host-deployment script as
rooton the target host.
In the command, use
--principals to specify the target accounts and the roles that are allowed to access them. Also add the
--standalone option if your target host is not hosted by a supported cloud provider.
For example, allowing both the target accounts root and johndoe to be accessed by members of Example Role and privx-admin (replace /path/to/deploy.py with the path of the host-deployment script, note that role names with spaces need to be quoted):
# python /path/to/deploy.py --standalone --principals \ root="Example Role",privx-admin:johndoe="Example Role",privx-admin
SSH connections to the target accounts from the specified roles are now authorized using certificates, without prompting users for passwords.
You may also verify that certificate authorization is used by checking the OpenSSH-server logs on the target server. Upon successful certificate authorization there should be a log message like the following:
Accepted publickey for root from 192.0.2.26 port 50930 ssh2: RSA-CERT \ ID [email protected]:53188 serial 4920619392583124720 (serial 4920619392583124720) \ CA RSA 98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8
Updated about 1 month ago