Supported Authentication Methods

PrivX users can authenticate to target hosts using one of the following methods.

Method

Supported by

Notes

Stored password

SSH, RDP, Web

Not supported with agent-based SSH connections

Certificate (for SSH connections)

SSH

Only for supported OpenSSH versions described in SSH Certificate Authentication.

Public key

SSH

Not supported with agent-based SSH connections

Certificate (for RDP connections)

RDP

Target hosts must satisfy the prerequisites from RDP Certificate Authentication.

Not supported with native-client connections.

User-provided password

SSH, RDP, Web

​​Stored password​

  • Users are authenticated using passwords stored in PrivX. Users do not need to input credentials when connecting.

    ​​Advantages​​: Easy to set up.
    ​​Disadvantages​​: Weak passwords may compromise security.

​​Certificate​​

  • Users are authenticated using just-in-time certificates. PrivX automatically issues certificates as needed; users do not need to input credentials when connecting.

    ​​Advantages​​: Automatically expiring certificate that is never exposed to users, making this method the most secure option.
    Disadvantages: Routers or older hardware might not support certificates. System times must be synchronized for certificate-based authentication to work correctly.

​​Public key​​

  • Users are authenticated using public keys provided by PrivX. Users do not need to input credentials when connecting.

    ​​Advantages​​: Public-key authentication is largely supported even on older and non-mainstream SSH servers.
    ​​Disadvantages​​: Public keys must be manually provisioned to target users on target servers. Public keys never expire, so they need to be manually renewed.

​​User-provided password​​

  • Users are prompted for password when connecting.

    ​​Advantages​​: No additional target-host configuration required.
    ​​Disadvantages​​: Users must provide the target-user password when connecting. Weak passwords may compromise security.

📘

Note

If a target supports multiple methods, the topmost supported method is used. User-provided password is enabled on all target hosts by default.

Also see Connection method vs feature matrix


Did this page help you?