Session-Password Authentication

Session-password authentication allows OIDC users to authenticate to PrivX with native clients that do not support browser-based OpenID Connect authentication.

Enabling session-password authentication requires the following:

  1. PrivX admin has enabled session passwords for the user directory.
  2. End user logs into PrivX UI using the available authentication methods to obtain their session password.
  3. End user provides the PrivX username and the session password for the native client when connecting via PrivX Bastion.

Later in this article, the login session of step 2 is referred to as the parent session and the login session of step 3 as the child session.

With session-password authentication, any MFA authentication step is skipped for child sessions. We recommend enabling session passwords only when strictly needed, and only for user-directory types where other authentication methods cannot be supported by native clients.

Enabling Session Passwords

To enable session passwords for a directory:

  1. On Administration→Directories, Edit a directory.
  2. Expand Advanced settings, then under Session password settings, enable Session Password.
    You may also set password-strength requirements, and how long child sessions can stay up after the parent session is terminated.
  3. Save your changes. Users belonging to the directory can now obtain session passwords via the PrivX GUI.

After enabling session passwords and saving the directory settings, the password strength and entropy are displayed for the specified session-password policy. The password strength categories are the following:

  • Weak: 36-59 bits of entropy
  • Strong: 60-119 bits of entropy
  • Very strong: at least 120 bits of entropy
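To make these bands concrete, here is an added example (not PrivX code) that estimates the entropy of a generated password as length × log2(alphabet size), assuming uniform random generation, and maps the result onto the three categories above. The alphabet sizes, the `min_length_for` helper and the treatment of values below 36 bits are assumptions for illustration; the page does not document the alphabet PrivX uses.

```python
import math

# Entropy bands as listed on the page (lower bound in bits, inclusive),
# checked from strongest to weakest.
BANDS = (
    ("Very strong", 120),
    ("Strong", 60),
    ("Weak", 36),
)

# Hypothetical alphabet sizes, assumed for illustration only.
ALPHABETS = {
    "digits": 10,
    "alphanumeric": 62,
    "printable-ascii": 94,
}


def estimate_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet_size).

    Assumption: the generator picks every character independently and uniformly
    from a fixed alphabet, so each character contributes log2(alphabet_size) bits.
    """
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def classify(bits: float) -> str:
    """Map an entropy value onto the page's categories.

    Values below 36 bits fall under no documented category; they are reported
    as such rather than assuming how PrivX treats them.
    """
    for name, lower_bound in BANDS:
        if bits >= lower_bound:
            return name
    return "Below documented bands"


def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Shortest password length that reaches target_bits for this alphabet."""
    per_char = math.log2(alphabet_size)
    return math.ceil(target_bits / per_char)


def policy_report(length: int, alphabet_name: str) -> dict:
    """Summarise one hypothetical policy (length + alphabet) in the page's terms."""
    bits = estimate_entropy_bits(length, ALPHABETS[alphabet_name])
    return {
        "length": length,
        "alphabet": alphabet_name,
        "bits": round(bits, 1),
        "category": classify(bits),
    }


if __name__ == "__main__":
    for length in (8, 12, 24):
        print(policy_report(length, "alphanumeric"))
    # Minimum length per band for each assumed alphabet.
    for name, size in ALPHABETS.items():
        print(name, {cat: min_length_for(lo, size) for cat, lo in BANDS})
```

The practical reading: with a 62-character alphabet, 11 characters is the shortest length that lands in the Strong band and 21 characters the shortest that reaches Very strong, which is why a longer generated password matters more than a complex character mix when the generator is already uniform.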

Checking Out And Using Session Passwords

After enabling session passwords for your user directory, you can obtain your session password as follows:

  1. Toward the upper right of your screen, click your user and navigate to Account.
  2. Under Session Password, click Get Session Password.
  3. Copy your Username and Session Password.

You may also check out session passwords via the SSH Bastion CLI.

Session passwords are automatically generated by PrivX, and they're unique per parent session.

The session password can be used for authenticating via the PrivX Bastion for as long as the parent session is active.

If the parent session becomes inactive - for example due to the end user closing the browser window - then authentications with the session password will be rejected as soon as the parent session's access token expires. If the end user explicitly logs out from the parent session, the session password is invalidated and authentication attempts using it will be rejected immediately.

Child sessions created by successful session-password authentication remain usable at least until the parent session is explicitly logged out or the parent session has been idle for longer than specified in the child session auto logout delay setting of the user directory. Child sessions will then terminate when their current access tokens expire.

Monitoring Session-Password Authentication

Successful session-password authentication events generate User-logged-in (100) audit events with the property authentication-method set to Session Password.
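Because child sessions skip any MFA step, an administrator will usually want to see which users are relying on session passwords. The following added example (not PrivX code) filters a batch of audit events for User-logged-in (100) events whose authentication-method is Session Password and summarises them per user. The sample records and their JSON field names are constructed for illustration and do not reflect the PrivX audit schema; the non-100 event id and the "OIDC" method value are placeholders.

```python
import json
from collections import Counter, defaultdict

USER_LOGGED_IN_EVENT_ID = 100                 # from the page: User-logged-in (100)
SESSION_PASSWORD_METHOD = "Session Password"  # from the page: authentication-method value

# Constructed sample audit records; field names are assumptions, not PrivX's schema.
# The id 999 and the method "OIDC" are placeholders for "some other event/method".
SAMPLE_AUDIT_LOG = """\
{"id": 100, "name": "User-logged-in", "user": "alice", "authentication-method": "OIDC", "time": "2024-05-01T07:55:00Z"}
{"id": 100, "name": "User-logged-in", "user": "alice", "authentication-method": "Session Password", "time": "2024-05-01T08:00:00Z"}
{"id": 100, "name": "User-logged-in", "user": "bob", "authentication-method": "Session Password", "time": "2024-05-01T08:05:00Z"}
{"id": 100, "name": "User-logged-in", "user": "bob", "authentication-method": "Session Password", "time": "2024-05-01T08:06:00Z"}
{"id": 999, "name": "Other-event", "user": "alice", "time": "2024-05-01T09:00:00Z"}
this line is not JSON and must be skipped
"""


def parse_audit_log(text: str) -> list:
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # Malformed input is dropped rather than aborting the whole batch.
            continue
    return events


def is_session_password_login(event: dict) -> bool:
    """True for a User-logged-in (100) event authenticated with a session password."""
    return (
        event.get("id") == USER_LOGGED_IN_EVENT_ID
        and event.get("authentication-method") == SESSION_PASSWORD_METHOD
    )


def session_password_logins(events: list) -> list:
    """All child-session logins (session-password authentications) in the batch."""
    return [e for e in events if is_session_password_login(e)]


def logins_per_user(events: list) -> dict:
    """Count session-password logins per username."""
    return dict(Counter(e["user"] for e in session_password_logins(events)))


def method_breakdown(events: list) -> dict:
    """For every login event, count authentication methods per user, so the share
    of session-password (MFA-skipping) logins is visible next to other methods."""
    per_user = defaultdict(Counter)
    for e in events:
        if e.get("id") == USER_LOGGED_IN_EVENT_ID:
            per_user[e["user"]][e.get("authentication-method", "unknown")] += 1
    return {user: dict(c) for user, c in per_user.items()}


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("session-password logins per user:", logins_per_user(evts))
    print("methods per user:", method_breakdown(evts))
```

The same filter, fed from a SIEM export instead of the embedded sample, gives a quick answer to "who is using session passwords at all", which is the question to ask when reviewing whether session passwords are still strictly needed for a directory.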
