These docs are for v17. Click to read the latest docs for v33.

Supported Authentication Methods

PrivX users can authenticate to target hosts using one of the following methods.

| Method | Supported by | Notes |
|---|---|---|
| Stored password | SSH, RDP, Web | Not supported with agent-based SSH connections |
| Certificate (for SSH connections) | SSH | Only for supported OpenSSH versions described in SSH Certificate Authentication. |
| Public key | SSH | Not supported with agent-based SSH connections |
| Certificate (for RDP connections) | RDP | Target hosts must satisfy the prerequisites from RDP Certificate Authentication. Not supported with native-client connections. |
| User-provided password | SSH, RDP, Web | |

Stored password

  • Users are authenticated using passwords stored in PrivX. Users do not need to input credentials when connecting.

    Advantages: Easy to set up.
    Disadvantages: Weak passwords may compromise security.

Certificate

  • Users are authenticated using just-in-time certificates. PrivX automatically issues certificates as needed; users do not need to input credentials when connecting.

    Advantages: Certificates expire automatically and are never exposed to users, making this method the most secure option.
    Disadvantages: Routers or older hardware might not support certificates. System times must be synchronized for certificate-based authentication to work correctly.

Public key

  • Users are authenticated using public keys provided by PrivX. Users do not need to input credentials when connecting.

    Advantages: Public-key authentication is largely supported even on older and non-mainstream SSH servers.
    Disadvantages: Public keys must be manually provisioned to target users on target servers. Public keys never expire, so they need to be manually renewed.

User-provided password

  • Users are prompted for a password when connecting.

    Advantages: No additional target-host configuration required.
    Disadvantages: Users must provide the target-user password when connecting. Weak passwords may compromise security.

Note: If a target supports multiple methods, the topmost supported method is used. User-provided password is enabled on all target hosts by default.
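The time-synchronization requirement of the certificate method, as an added example (not PrivX code): it reads the validity window from an OpenSSH user certificate and shows how a target host with a skewed clock evaluates it. The certificate blob is a constructed, unsigned sample; the 5-minute lifetime and all function names are assumptions, and signature verification is left out.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def build_sample_cert(valid_after: int, valid_before: int) -> bytes:
    """Constructed, unsigned user-certificate blob (every value is a sample)."""
    return b"".join([
        _string(CERT_TYPE), _string(b"\x01" * 32),    # type, nonce
        _string(b"\x02" * 32),                         # ed25519 public key
        struct.pack(">QI", 1, 1),                      # serial, type 1 = user
        _string(b"sample-key-id"),
        _string(_string(b"targetuser")),               # valid principals
        struct.pack(">QQ", valid_after, valid_before),
        _string(b""), _string(b""), _string(b""),      # options, extensions, reserved
        _string(b""), _string(b""),                    # CA key, signature (left empty)
    ])

def validity_window(blob: bytes) -> tuple:
    """Walk the certificate fields and return (valid_after, valid_before)."""
    pos = 0
    def read_string() -> bytes:
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        if pos + 4 + n > len(blob):
            raise ValueError("truncated certificate")
        data = blob[pos + 4:pos + 4 + n]
        pos += 4 + n
        return data
    if read_string() != CERT_TYPE:
        raise ValueError("not an ed25519 certificate")
    read_string(); read_string()                       # nonce, public key
    pos += 12                                          # serial (uint64) + type (uint32)
    read_string(); read_string()                       # key id, principals
    return struct.unpack_from(">QQ", blob, pos)

def check_on_host(blob: bytes, issuer_now: int, host_offset: int) -> str:
    """Validity check as seen by a host whose clock is off by host_offset seconds."""
    valid_after, valid_before = validity_window(blob)
    host_now = issuer_now + host_offset
    if host_now < valid_after:
        return "not yet valid"
    return "expired" if host_now >= valid_before else "valid"

ISSUED_AT = 1_700_000_000                              # constructed issue time
SAMPLE = build_sample_cert(ISSUED_AT, ISSUED_AT + 300) # assumed 5-minute lifetime
```

With a window this short, a target host running two minutes slow rejects a freshly issued certificate as not yet valid, and one running ten minutes fast rejects it as expired.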

Also see Connection method vs feature matrix