v36
v32
v33
v34
v35

v36
v32
v33
v34
v35

Getting Started

Introduction
Quick PrivX Setup
Quick SSH Access
Importing Users And Hosts
Configuring SSH Target Host to Accept PrivX Connections

Deployment

Overview
Release Notes for This Release
Preparing for Deployment
Get PrivX Software
- PrivX SHA-256 Sums Database
Setting Up PrivX Components
Deploying PrivX to Amazon Web Services
Deploying PrivX to Google Cloud Platform: architecture blueprint
Deploying PrivX to Azure: architecture blueprint
Deploying to Kubernetes
High-Availability Deployment
License Management
Backup and Restore
Native SSH and RDP Clients
Production-Readiness Checklist
Integrating PrivX With XSOAR

Users and Permissions

Adding PrivX Users
- Importing Users from AD/LDAP
Granting User Permissions
Managing Workflows
- Enabling Email Notifications
User Configuration
Additional Authentication Methods
Managing User Secrets
Password Change for AD and LDAP Users
Managing User Sessions

Authenticating to Hosts

Supported Authentication Methods
SSH Certificate Authentication
RDP Certificate Authentication
VNC Certificate Authentication
Script-Based Certificate-Authentication Setup
Certificate-Authentication Setup via Chef
Manual Certificate Authentication Setup
- SSH X.509 Certificate Authentication
Public Key Authentication
Stored Passwords
Example VNC-Server Setup
Trusting Target-Host Identities

Connection Management

Setting up Hosts
Connecting via The PrivX GUI
SSH Connections with Native Clients
RDP Connections with Native Clients
- Restricting Users Access to Applications in RDP Connections
Database Connections with Native Clients
Network Targets
Website Access via PrivX
AWS CLI Connection with Native Client
Monitoring and Managing Connections
Automatic M2M SSH Connections

Auditing

Viewing Audit Data
SIEM Integration
Session Recording
External Logging
Matching Certificate-Based-Login Messages
Audit Events Reference
- Audit Event Details
Splunk Integration
UEBA Configuration
Exporting List Data

Advanced Configuration

Best Practices
SSL/TLS Security
- X.509 Certificate Name Constraints
- Validating X.509 Access Certificates
PrivX-Server Configuration
Extender Configuration
Carrier and Web Proxy Configuration
- Configuring Podman for Carrier
API-Client Integration
- Automation With Golang SDK
- Automation with Python SDK
Configuring Ephemeral Credential Access For Aws Api
Certificate Authentication For Code Repositories
- GitHub Enterprise integration
- GitLab Integration
Network Target Access
- PrivX Router Configuration
- Network Target Extender Support
Rotating Stored Passwords
Ssh Command Restrictions
- Example SSH Command Restrictions Configuration
GUI Configuration
Admin Command-Line Tool
Disk-Space Alerts
Audit Event Indexing for Faster Searches
Password Management for AD/Entra Domains

Integrations

User Directories
Host Directories
HSM Providers
SCIM
ICAP Servers
PrivX as OIDC Identity Provider

Troubleshooting

General Troubleshooting
Connections fail with error Too Many Authentication Failures
Directory users are not listed
List users view does not display all attributes
Resolving x509: Common Name certificate error
All microservices fail to start except Keyvault
Deploy script fails to trust AWS CA TLS certificate
Windows login failures
Windows revocation failures
OpenSSH 7.8 Client Not Supported
Error "smart card logon is not supported for your user account"
Hosts with "Directory" Account Enabled not visible in Connections
Login with Correct Username and Password Fails
All Microservices apart from Keyvault down
AD that has previously worked fails
Error "Administratively prohibited" with Native Clients and Extenders
Error "Unable to connect to Extender/Carrier" during Web Connections
Error "Unable to connect to Web Proxy" during Web Connections
Error "Host cannot be redeployed" when deploying a new Cloned Host
Error "Bad Configuration Option: AuthorizedPrincipalsCommand" when running the deploy script
Microsoft Remote Desktop version 10 for Mac does not display text
Error "proxy server is refusing connections" during Web Connections on RHEL8
RDP native client times out
Error "USER-STORE [ERROR] Server error: listen tcp :8084: bind: address already in use" when running in Azure
OIDC Login
"[ERROR] DB connection failure: x509: certificate has expired or is not yet valid. Retrying in 15 seconds...
File transfer in RDP session is slow
Error "Remaining connection slots are reserved for non-replication superuser connections"
Permission errors when accessing PrivX audit folders
Password rotation does not work for Windows 2012 R2
Extender fails to register to PrivX because certificate expired
Installation and Upgrade Errors
- PostgreSQL Version Errors During Installation and Upgrade
- Keyvault Error - Failed to Decrypt

Knowledge Base

Search Syntax
PrivX microservices architecture
PrivX web access architecture
Websockets and the PrivX Carrier browser
Customizing the PrivX Carrier browser
PrivX RDP Admin Access Deployment in Multi-Domain Environment
Vault and M2M
Onboarding SSH target hosts to PrivX via Ansible
Onboarding SSH target hosts to PrivX via Chef
Onboarding AWS, Azure & Google Cloud SSH target hosts the simple way
Enabling TLS 1.3
Removing Hosts from Directories
Configuring Gitlab access through PrivX SSH certificate authentication
PrivX Analytics
Connection method vs feature matrix
Setting up and upgrading PrivX with custom network ports
Supported SSH Algorithms
Supported SFTP Protocol Versions
PrivX Settings
Granting Password-based root access via Roles
Requesting and granting roles, Passwordless Access
Passwordless SSH And RDP Access
PrivX AWS High Availability Installation tith two ELBs
How to install PrivX
OSS Acknowledgements
End-user license agreement (EULA)
Documentation Conventions
PrivX Settings Examples
Previous Release Notes
PrivX Login Flow and State Storage
Changing PrivX database name, username or password
Changing notification mechanism to PostgreSQL
Migrate from CentOS 8
Merging changes Oon Extender/Carrier/WebProxy upgrade
Mapping Directory Users to Additional Accounts
Upgrade from Older Releases
Improve performance with indexing
Migrate from EOL Operating Systems
PrivX on Kubernetes
Managed Accounts as Reusable Credentials

PrivX Comparisons

Kerberos
Guacamole

FAQ

Auditing & Reporting
Architecture
Authentication, Access Control and Identity Management
Buying And Trying
Compliance
Connectivity
Data Encryption
Data Retention
Functional Use Cases
Integrations And System Monitoring
Licensing
Miscellaneous
Operation Security Maintenance
Operational Technology (OT)
PrivX Components
Product Info
Product Features
Security
Session Recording and Playback
Support and Services
Tips and Tricks

Passwordless SSH and RDP Access

This tutorial illustrates how users can employ PrivX's passwordless SSH and RDP access.

Key Concepts

Multi-Factor Authentication (MFA) (Steps 1-2)
Roles governing access (Step 3)
Passwordless SSH access (Steps 4-5)
Passwordless RDP access (Steps 6-7)

Steps

Our example user chris.hall logs in to PrivX.

834

This PrivX instance has Multi-Factor Authentication (MFA) active, so Chris checks the pin code from his authenticator application, for example Google Authenticator app.

834

Chris has the roles rdp-user and ssh-user. These roles are set up to allow him passwordless RDP and SSH access on certain target hosts.

1028

To demonstrate role ssh user, Chris navigates to Connections, lists his available SSH hosts and clicks PrivXDemo Linux-3.

2116

On the target host, he is granted passwordless SSH access as user ubuntu.

1696

To demonstrate role rdp-user, he lists his available RDP hosts and clicks Administrator @ PrivXDemo Windows AD.

1918

On the target host, he is granted passwordless RDP access as user Administrator.

1962

Was this page helpful?

On this page

Key Concepts
Steps