SSH Connections with Native Clients

This section describes how to establish SSH connections with native clients.

Users can connect to target hosts/accounts using the SSH clients installed on their workstations, without needing to use the PrivX GUI. Connections are authenticated against PrivX. For example, if PrivX allows you to access a target account with certificate authentication, your native clients will also connect using certificate authentication without prompting you for target-account credentials.

The PrivX SSH bastion only supports the SSHv2 protocol. SSHv1 protocol is intentionally not supported due to its known security vulnerabilities.

Prerequisites

• Specify which roles may be used for SSH-native-client connections.

• Your PrivX license must have SSH Bastion feature enabled, see Licensable Features.

• After ugrading PrivX, you may need to re-download the extender-config.toml file for the native client connections to work with via Extenders. For more instructions about extender configuration file, see Setting up PrivX Components.

Connecting via PrivX Bastion

Using native SSH clients, you can connect to targets via PrivX SSH Bastion. By default PrivX SSH Bastion runs on port 2222. PrivX SSH Bastion provides the following connection modes:

• Interactive: Access PrivX Bastion to list and select possible targets.

• Direct: Specify your connection target directly to the native client.

• Direct using ProxyCommand: Specify your PrivX username via ssh_config.

• Direct using privx-cmd: Similar to ProxyCommand, but supports OIDC users.

info

PrivX-Bastion connections are verified against the PrivX-Bastion host key. You may verify and install these host keys from the Connections→Native Clients page.

Connecting Interactively

To connect via PrivX Bastion interactively:

1. Connect to PrivX SSH Bastion using your PrivX account. For example, with ssh, sftp, or scp:

   $ ssh -p 2222 privxuser@privx.example.com

   $ sftp -P 2222 privxuser@privx.example.com

   $ scp -P 2222 local/path privxuser@privx.example.com:remote/path

   $ scp -P 2222 privxuser@privx.example.com:remote/path local/path

   Replace the example values as follows:

   • privxuser - Your PrivX-user name.

   • privx.example.com - Your PrivX-server address.

   • local/path - Local file/directory path for scp.

   • remote/path - Remote file/directory path for scp.

   Provide your PrivX-user password when prompted.

2. You will be presented with a list of possible targets. Select a target to connect to it.

Connecting Directly

To directly connect via PrivX Bastion, provide:

• Target-user name

• Target-host address

• PrivX-user name

• PrivX-server address

• (Optional) Extender name

• (Optional) Target port

By default bastion runs on your PrivX servers, port 2222.

Full bastion syntax is as follows:

targetuser%extender%targethost%targetport%privx-user@privx.example.com

info

With OpenSSH versions 10.0p2 and later you will need to replace every instance of % in your syntax with %%.

For example, instead of:

targetuser%extender%targethost%targetport%privx-user@privx.example.com

Use:

targetuser%%extender%%targethost%%targetport%%privx-user@privx.example.com

Common case leaves out the extender and the target port, leaving the syntax as following:

targetuser%targethost%privx-user@privx.example.com

Following are examples of ssh, scp and sftp usage with the connection string:

$ ssh -p 2222 targetuser%targethost%privx-user@privx.example.com

$ scp -P 2222 targetuser%targethost%privx-user@privx.example.com:example.txt \
/target/directory

$ sftp -P 2222 targetuser%targethost%privx-user@privx.example.com

Following is an example using PrivX Extender:

$ ssh -P 2222 targetuser%extender%targethost%privx-user@privx.example.com

$ scp -P 2222 example.txt \
targetuser%extender%targethost%privx-user@privx.example.com:/tmp

If you use native-client connections with bastion syntax often, consider specifying the connection parameters in the users' client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config) using Host blocks. For example:

Host targethost.example.com
    Port 2222
    User targetuser%targethost%privx-user
    Hostname privx.example.com

After which you can connect with much simpler syntax:

$ ssh targethost.example.com

User sessions with native SSH clients can be monitored. For more information about viewing session audit data, see Viewing Audit Data. For more information about setting up session recording for a host, see Session-Recording Setup.

SSH-Bastion connections prompt you to log in to PrivX. For automated, scripted access, set up public-key authentication as described in Public-Key Authentication (SSH Bastion).

Connecting Directly Using ProxyCommand

Connecting directly via PrivX Bastion using ProxyCommand allows you to apply most configurations in the client-users' SSH configuration. This method requires you to use public-key authentication to PrivX Bastion. The SSH-client user must have an SSH keypair.

info

OIDC users can use this method only when Expire Implicit Roles are enabled for their OIDC directory. Otherwise, consider Connecting Directly Using privx-cmd instead.

To connect directly using ProxyCommand:

1. Add PrivX-Bastion host keys to the SSH-client's known-hosts file. You can get the Bastion host keys from the Connections→Native Clients page.

2. Add the client-user's authorized key to their PrivX account, as described in Public-Key Authentication (SSH Bastion).

3. Configure SSH client to use public-key authentication and a proxy when connecting to target hosts. These configuration options can be specified in the client-user's client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config), for example:

   Host *
       IdentityFile ~/.ssh/id_privx
       HostKeyAlias privx.example.com:2222
       ProxyCommand nc -X connect -x privx.example.com:1080 %h %p

   In the example, replace privx.example.comwith your PrivX address.

   Note that the parameters your nc command accepts may be different from the example. You can substitute nc with another proxy command that supports http connect or SOCKS5/4a proxy protocol.

   By default PrivX Bastion listens for proxy connections on port 1080.

4. Connect to target. If you provided the configuration options in the client-user's client configuration:

   ssh targetuser@targethost

   Alternatively you may provide the configuration options in the ssh command, for example:

   ssh -o "IdentityFile ~/.ssh/id_privx" \
   -o "HostKeyAlias privx.example.com:2222" \
   -o "ProxyCommand nc -X connect -x privx.example.com:1080 %h %p" \
   targetuser@targethost

   Your connection will be routed via PrivX Bastion to the final target. Connection to PrivX Bastion is authenticated using public-key authentication.

info

A known bug in nmap-ncat version 7.91 causes the nc command to fail to connect to a http connect or SOCKS proxy. Suggested workarounds are to install a newer version of the nmap-ncat package, to install the bsd netcat package or to use the socat command instead.

Connecting Directly Using privx-cmd

Connecting directly via PrivX Bastion using privx-cmd allows users to perform a browser-based login, for example OIDC login, as part of the SSH-native-client connection. This method is similar to the Connecting Directly Using ProxyCommand method, with the following differences:

• Users need to use the privx-cmd binary as the SSH ProxyCommand.
• Client machine must be capable of launching a browser for the user to login to PrivX.
• PrivX OIDC user needs to have the 'authorized-keys-manage' permission

To connect directly using privx-cmd:

1. Install the privx-cmd binary on the client machine.

2. Add PrivX-Bastion host keys to the SSH-client's known-hosts file. You can get the Bastion host keys from the Connections→Native Clients page.

3. Configure SSH client to use privx-cmd as the ProxyCommand when connecting to target hosts. These configuration options can be specified in the client-user's client configuration.

   OpenSSH

   In the client configuration (typically at /etc/ssh/ssh_config or ~/.ssh/config), add settings similar to the following:

   Host *
       IdentityFile ~/.ssh/id_privx
       HostKeyAlias privx.example.com:2222
       ProxyCommand privx-cmd -privx https://privx.example.com %h %p

   In the example, replace privx.example.com with your PrivX address. In this example the user's private and public key are stored in ~/.ssh/id_privx and ~/.ssh/id_privx.pub respectively.

   PuTTY

   PuTTY supports local proxy command configuration under Connection→Proxy.

   1. Select Proxy Type: Local and specify privx-cmd in Telnet command, or local
      proxy command:

        C:\Program Files (x86)\SSH Communications Security\PrivX Cmd\privx-cmd.exe -privx https://master.privx.ssh.com %host %port

   2. Set Do DNS name lookup at proxy end: Yes

   3. Under Connection→SSH→Auth, set Private key file for authentication.

4. Establish trust relationship with PrivX server by running the following command:

   privx-cmd -command probe -privx https://privx.example.com

   In the example, replace privx.example.comwith your PrivX address. This command probes PrivX server's certificate, and - unless the certificate is signed by a trusted CA - prompts the user to accept the certificate. Accepted certificates are stored in ~/.privx/agent.json.

5. Connect to a target host:

   ssh targetuser@targethost

   This command performs the following:

   • If needed, privx-cmd launches a browser for the user to log into PrivX. Upon successful login privx-cmd gets an access token/refresh token. The refresh token is saved to ~/.privx/token.json for privx-cmd to reuse for later connections.
   • privx-cmd registers the user's public key as an authorized key to PrivX.
   • privx-cmd connects to SSH-Bastion's proxy port 1080, requests a connection to the target host, and starts forwarding data between the SSH client and SSH Bastion.

   Your connection to the final target is routed via PrivX Bastion. Connection to PrivX Bastion is authenticated using public-key authentication.

On subsequent SSH connections privx-cmd attempts to use the saved refresh token to fetch access tokens. If this succeeds the user is not required to re-login to PrivX, so no browsers are launched. Note that the command privx-cmd -command logout removes any saved refresh tokens from the file system, which forces the user to re-login on next SSH connection.

You can use privx-cmd command-line options to override the default values used in previous examples. This is required if, for example:

• You want to store your SSH keypair to another file.
• Do not want to save the refresh token to file system.
• Want to use a non-default browser for login.
• Your SSH-Bastion proxy listener hostname is different from your PrivX-server hostname.

Enabling Proxy-Protocol Support

Enabling proxy protocol causes SSH Bastion to parse proxy-protocol headers and use the client IP address communicated through the protocol as the TCP connection's true origin instead of the TCP connection's remote IP address. This can be useful in HA deployments with a non-transparent load balancer such as HAProxy.

To enable proxy-protocol support, perform the following on all PrivX Servers:

1. In the SSH-Bastion configuration /opt/privx/etc/ssh-mitm.toml, set use_proxy_protocol to true.

   To require client connections to have proxy-protocol headers, and to restrict client addresses, you may optionally specify proxy_protocol_trusted_source_addresses to include the addresses from which users will connect to SSH Bastion.

2. Restart PrivX Server services to apply your changes.