Quick SSH Access

This article describes how to give PrivX users access to hosts. The high-level steps involve:

  • Adding users who are to be given access.
  • Adding target hosts, so that they can be accessed.
  • Connecting to target hosts via the PrivX GUI.

This article also describes enabling optional features for SSH connections:

  • Certificate Authentication

Prerequisites

You need a licensed PrivX deployment. To quickly set up PrivX, see Quick PrivX Setup.

You will also need a host for PrivX users to connect to. This target host must satisfy the following:

  • The PrivX server must be able to establish SSH connections to the target host.
  • The target host has a root account that can be connected to via SSH.

If you do not have other hosts, you may use the PrivX server itself as the target host.

Adding Users and Permissions

You can quickly provide access by adding local users to PrivX. To do this:

  1. Navigate to the address of the PrivX server and log in as superuser.
    [Figure: PrivX login page]

  2. In the PrivX GUI, navigate to the Administration→Users page and click Add User.
    [Figure: Administration→Users page with Add User button highlighted]
    You will be presented with the New User view.

  3. In the New User view, provide the required information about the user. Click Save to save the user.
    [Figure: New User page with basic user fields filled in, including username, password and verify password, full name, and email]

    You should now be able to see your new local user back on the Administration→Users page.
    [Figure: Users page displaying the newly created user]

PrivX provides access in a role-based manner. To create a role and to add role members:

  1. In the PrivX GUI, navigate to the Administration→Roles page, and click Add Role.

    You will be presented with a form for providing information about the new role.

    [Figure: Add Role view with one rule where directory is set to Local users and Search string is set to (principal=alice)]

  2. Provide a name for the new role. Also add users to the role by defining rules. To define a new rule for the role, click Add Rule. In this example, we add a rule to include the local user(s) who have the principal alice into the role:

    [Figure: Add Role view with Matching users showing one match]

    Note: The number of role members is indicated by Matching users. The count is updated when you unfocus the Search String field (for example, by pressing Enter or by clicking elsewhere in the GUI).

    Leave the other role settings as they are.

  3. Click Save to finalize role creation. Your new role should be visible back on the Administration→Roles page.

    [Figure: Dropdown menu next to the role, with the List Members choice highlighted]
    [Figure: Role members view listing alice as a member]

Adding Target Hosts

Make hosts accessible via PrivX:

On the Administration→Hosts page, click Add Host. Provide at least:

  • The Name and the network Addresses of the host. This data helps users identify the target host.

  • The Services (SSH and/or RDP servers) available on the host. In this example we add the SSH server by providing its FQDN address and port number.

  • The Accounts to which roles are mapped on the target host. Leave the Password empty to require password authentication upon connecting. In this example we allow the previously-created example role to access the host as target user root.

    Note: If you are adding an RDP host which uses domain accounts, you must use the user@domain syntax. For example, for domain account Domain\Administrator, the correct syntax is Administrator@Domain.

  • Enable SSH - Trust on first use to allow users to accept the SSH host key upon login.
    [Figure: Add hosts view with basic host information filled in, including host name and comma-separated addresses. It also defines one SSH service with Trust on first use enabled, and one Explicit account mapping Example Role to root]

    Click Save to save the host.

    You may verify that the host is listed back on the Administration→Hosts page.

Connecting via the GUI

After you have set up roles to access hosts, you may test connections as follows:

  1. Log into the PrivX GUI as the test user we created previously.

  2. Navigate to the Connections→Available Hosts page. The hosts you can connect to are listed under Available hosts.

    Expand a connection entry to display its available services. In this example, we click the SSH-server service to connect to our test host.

  3. Accept the SSH host key if prompted. Authenticate to the host by providing the password of the target account (not the PrivX account password). You should now be successfully connected to the host.

Enable Certificate Authentication

Enable authentication using just-in-time certificates, which improves security and removes the need for target-account passwords.

To enable certificate authentication for OpenSSH connections, run the PrivX host-deployment script on the target host. The host-deployment script is a Python script that configures the OpenSSH server on the target host to accept certificates issued by PrivX. The script also sets up allowed principals for target users.

To obtain and run the host-deployment script:

  1. Create a host-deployment script. To do this, access the PrivX GUI as superuser, then go to the Administration→Deployment→Deploy and Configure SSH Target Hosts page.

    Select Configure using a deployment script, provide a name for the script, then click Add Script. Download the deploy.py script when prompted to.

  2. Upload the host-deployment script to the target host. You may do this via the PrivX GUI by connecting to the target host (as described in Connecting to Hosts), and then navigating to the File Transfers tab.

  3. Execute the host-deployment script as root on the target host.

    In the command, use --principals to specify the target accounts and the roles that are allowed to access them. Also add the --standalone option if your target host is not hosted by a supported cloud provider.

    For example, allowing both the target accounts root and johndoe to be accessed by members of Example Role and privx-admin (replace /path/to/deploy.py with the path of the host-deployment script; note that role names with spaces need to be quoted):

    # python /path/to/deploy.py --standalone --principals \
      root="Example Role",privx-admin:johndoe="Example Role",privx-admin
    

SSH connections to the target accounts from the specified roles are now authorized using certificates, without prompting users for passwords.

You may also verify that certificate authorization is used by checking the OpenSSH-server logs on the target server. Upon successful certificate authorization there should be a log message like the following:

Accepted publickey for root from 192.0.2.26 port 50930 ssh2: RSA-CERT \
ID [email protected]:53188 serial 4920619392583124720 (serial 4920619392583124720) \
CA RSA 98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8
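As an added example (not part of the PrivX documentation or the deploy.py script), the following Python check scans sshd log lines for accepted logins and flags any that were not authenticated with a certificate from the expected CA, so a defender can confirm that password logins to the mapped accounts have actually stopped. The sample log lines and the key ID alice@example.com:53188 are constructed; the CA fingerprint is the one shown in the log excerpt above and must be replaced with your own deployment's value.

```python
import re
from typing import Dict, List, Optional

# Constructed sample sshd lines (not from a real host): the certificate login
# from the log excerpt joined back onto one line with a made-up key ID, plus a
# password login and a rejected key so the check has something to flag.
SAMPLE_LOG = """\
Accepted publickey for root from 192.0.2.26 port 50930 ssh2: RSA-CERT ID alice@example.com:53188 serial 4920619392583124720 (serial 4920619392583124720) CA RSA 98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8
Accepted password for root from 192.0.2.40 port 50101 ssh2
Failed publickey for johndoe from 192.0.2.26 port 50931 ssh2: RSA SHA256:AbCdEf
"""

# CA fingerprint as printed in the log excerpt; example value only, take the
# real one from your own PrivX deployment.
PRIVX_CA_FP = "98:16:36:bf:6e:c6:3f:e5:a1:5e:31:61:c1:37:ef:d8"

# The optional tail is matched loosely (".*?") so that both the older layout
# shown above and newer OpenSSH layouts, which print a key fingerprint before
# "ID", are recognised.
ACCEPT_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+-CERT) .*?ID (?P<keyid>\S+) .*?\(serial (?P<serial>\d+)\)"
    r" CA (?P<catype>\S+) (?P<cafp>\S+))?"
)


def parse_accept(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'Accepted ...' sshd line; return None for any other line."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["auth"] = "certificate" if ev["keytype"] else ev["method"]
    return ev


def audit(log_text: str, ca_fp: str) -> List[Dict[str, str]]:
    """Return one finding per accepted login that did not use a cert from ca_fp."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_accept(line)
        if ev is None:
            continue
        if ev["auth"] != "certificate":
            issue = f"{ev['auth']} auth accepted instead of a certificate"
        elif ev["cafp"] != ca_fp:
            issue = f"certificate signed by unexpected CA {ev['cafp']}"
        else:
            continue
        findings.append({"user": ev["user"], "ip": ev["ip"], "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, PRIVX_CA_FP):
        print(f"{f['user']} from {f['ip']}: {f['issue']}")
```

Run it against the target host's auth log (for example /var/log/auth.log or journalctl -u ssh output) after deploying the script; an empty result for the mapped accounts means only PrivX-issued certificates are being accepted.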