PSM for SSH can record all activities that occur in the privileged session in a compact format. Text recordings are stored and protected in the Vault server and are accessible to authorized auditors. PSM for SSH also provides privileged Single Sign-On capabilities and allows users to connect to target devices without being exposed to the privileged connection password.
PSM for SSH separates end users from target machines and initiates privileged sessions without divulging passwords, maintaining the high level of security that is typical of all CyberArk components.
In addition, PSM for SSH can display a broad overview of all activity performed on every privileged account, without exception. All activities are fully monitored and meet strict auditing standards.
PSM for SSH enables end users to connect transparently to target UNIX systems that use the SSH or Telnet protocol, including SSH tunneling.
This post shows the basic steps for configuring a PSM-SSH connection component so that it supports HTML5 and an AutoLogonSequence that uses a logon account.
AutoLogonSequenceWithLogonAccount
As different devices may have different logon processes, you can configure how PSM for SSH will log on to a device using the AutoLogonSequence parameter. This parameter defines a multi-line sequence that is used by PSM for SSH during the automatic logon process and contains regular expression prompts and responses that define the process. The regular expressions can include dynamic values that PSM for SSH reads from the account properties, user parameters, or client-specific parameters, in this order. You can override this configuration at platform level.
1. Account properties
2. User parameters
3. Client specific parameters
Create new PSM-SSH Connection Components
Basically, what you need to do is copy an existing built-in Connection Component, paste it as a new one, and then modify it to your needs.
1 Privilege Cloud – Administration – Configuration Options – Connection Components
Copy the PSM-SSH connector and paste it as a new one.
2 AllowSelectHTML5
Type value: CyberArk.TransparentConnection.BooleanUserParameter, CyberArk.PasswordVault.TransparentConnection
3 AutoLogonSequenceWithLogonAccount
You can change default settings now or later.
.*\@.*~\$ >exec /usr/bin/su - {Username}
Password:>{Password}
.*\@.*~\$ >exec sudo -i
.*>{Password}
Some Linux platforms will work with the default regex value; it depends on the shape of the prompt. You can also put multiple lines of commands in.
4 Save and wait 10 minutes for PSM service to pick up the changes.
You can also manually restart the PSM service to make this change take effect immediately. The PSM is installed on a Windows system as an automatic system service called CyberArk Privileged Session Manager. It can be stopped and started through the standard Windows service management tools.
Modify PSM Connectors’ Priority
If you have multiple Connection Components, the first one in the list is shown as the default and is used when the user clicks the Connect button.
The order shown in the dropdown menu is based on this platform's Connection Components list. An admin for this platform can move the connectors up or down using the right-click menu.
The list under the Connect button for your account. In this example, the default is the RDP PSM connector:
- Log onto the Password Vault Web Access as a user with permission to configure platforms.
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select the platform in which you will enable PSM for SSH, then click Edit; the settings page for the selected platform appears.
- Expand UI & Workflows, and then expand Connection Components, and make sure that the PSM-SSH Connection Component is defined and enabled. Further, to enable users to copy files with PSM for SSH, make sure that the PSM-SCP and PSM-SFTP Connection Components are defined and enabled.
- Expand UI & Workflows, and then select Privileged Session Management; the PSM parameters are displayed with their default values.
- To enable PSM to use accounts that are required to initiate PSM connections without requiring confirmation, even if the Safes are configured for Dual Control, change the value of DisableDualControlForPSMConnections to Yes.
- Click Apply to save the new parameter values and stay on the same page, or click OK to save them and return to the System Configuration page.
1 Duplicate the Unix via SSH platform.
2 Add the new connector to the platform.
3 Onboard two accounts: one privileged account and one logon account.
Regex Value
If you get a frozen screen and a “059E Failed to execute login sequence” error, like the one below, your auto logon sequence most likely has a regex issue.
Note: https://cyberark.my.site.com/s/article/PSM-059E-Failed-to-execute-login-sequence
The error is received when the incoming prompt does not match the defined regular expression.
The default is:
==
\[.*\@.* ~]\$ >exec su - {Username}
Password:>{Password}
==
Change the regex to a more inclusive value.
For Prompts ending with the # character (Usually AIX machines): .*\#
For Prompts ending with the $ character (Usually Unix and Linux): .*\$
Note: Using the inclusive regex is not recommended for general use because of security concerns (it will also match lines that are not a prompt); use it only when the default or a specific value fails.
To change the default automatic logon sequence with logon account for all SSH connections that will be done with the PSMP-SSH connection component:
- Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.
- Expand Target Settings and then expand Client Specific; a list of Client Specific parameters appears.
- Select AutoLogonSequenceWithLogonAccount, then in the Properties list, click the value of the Value property; the Value edit box appears.
- Specify the prompts and responses to include in the automatic logon process, using regular expressions and dynamic account properties to mimic the exact sequence that will be run on the remote machine.
As prompts differ according to machine, it is important to make sure that you write the prompt exactly as the machine requires.
Specify the command that will elevate the logon user to the user who will run sessions on the remote machine. Use regular expression prompts and responses with dynamic values, as shown in the following example:
In each line, the text to the left of the ‘>’ character represents the regular expression for the prompt on the remote machine. The text to the right of the ‘>’ represents the PSM for SSH response, including a dynamic reference to an account property.
This response can include one or more dynamic references. PSM for SSH reads these references in the following order: account properties, user parameters, then client specific parameters.
To specify ‘>’ as a character in the prompt, use the character code \x3e.
Default PSM-SSH Connection Components Value:
\[.*\@.* ~]\$ >exec su - {Username}
Password:>{Password}
Change to:
.*\@.*~\$ >exec /usr/bin/su - {Username}
Password:>{Password}
.*\@.*~\$ >exec sudo -i
.*>{Password}
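To make the sequence format, the dynamic-reference lookup order and the regex failure mode concrete, here is an added Python simulator (not CyberArk code, and not how PSM for SSH is implemented internally). It parses a sequence of the shape shown above, expands {Username}/{Password}-style references in the stated order (account properties, then user parameters, then client specific parameters), honours \x3e for a literal ‘>’ in a prompt, and replays the sequence against constructed prompt strings. The matching model (one prompt per step, checked with re.search) and all account values, host names and prompts are assumptions made for the example.

```python
import re

# Constructed AutoLogonSequenceWithLogonAccount value, in the shape the page
# describes: <prompt regex>'>'<response with {dynamic references}>.
SEQUENCE = r"""
.*\@.*~\$ >exec /usr/bin/su - {Username}
Password:>{Password}
.*\@.*~\$ >exec sudo -i
.*>{Password}
""".strip()

# Constructed prompts a Debian-style host would emit, one per step.
TRANSCRIPT_OK = [
    "logonuser@web01:~$ ",
    "Password: ",
    "svc_app@web01:~$ ",
    "[sudo] password for svc_app: ",
]

# Constructed prompts from a host whose shell prompt has a different shape
# (no '~' before the '$'); step 1 will not match the first regex.
TRANSCRIPT_BAD = [
    "logonuser@rhel01 /home/logonuser $ ",
    "Password: ",
]

ACCOUNT = {"Username": "svc_app", "Password": "S3cret-example"}     # constructed
CLIENT_SPECIFIC = {"Username": "never-used", "Shell": "/bin/bash"}  # constructed


def parse_sequence(text):
    """Split each non-empty line at the first '>' into (prompt_regex, response).
    A literal '>' that belongs to the prompt must be written as \\x3e (the
    regex engine decodes it later), so the first raw '>' is always the separator."""
    steps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ">" not in line:
            raise ValueError(f"line has no '>' separator: {line!r}")
        prompt, response = line.split(">", 1)
        steps.append((prompt, response))
    return steps


def resolve(response, account_props, user_params, client_params):
    """Expand {Name} references in the order the page states: account
    properties first, then user parameters, then client specific parameters."""
    def lookup(match):
        name = match.group(1)
        for source in (account_props, user_params, client_params):
            if name in source:
                return source[name]
        raise KeyError(f"unresolved dynamic reference {{{name}}}")
    return re.sub(r"\{(\w+)\}", lookup, response)


def run_logon(sequence_text, transcript, account_props, user_params=None, client_params=None):
    """Drive the sequence against a constructed transcript (assumption: one
    prompt string per step, matched with re.search).  Returns (ok, sent, detail);
    it stops at the first prompt that does not match, which is the condition
    behind the page's "059E Failed to execute login sequence" error."""
    user_params = user_params or {}
    client_params = client_params or {}
    steps = parse_sequence(sequence_text)
    sent = []
    for i, (prompt_re, response) in enumerate(steps, 1):
        if i > len(transcript):
            return False, sent, f"step {i}: remote produced no prompt to match /{prompt_re}/"
        incoming = transcript[i - 1]
        if not re.search(prompt_re, incoming):
            return False, sent, f"step {i}: prompt {incoming!r} does not match /{prompt_re}/"
        sent.append(resolve(response, account_props, user_params, client_params))
    return True, sent, "logon sequence completed"


def prompt_matches(prompt_re, line):
    """True when a received line satisfies a prompt regex; used below to show
    why the inclusive patterns (.*\\$ and .*\\#) are kept as a last resort."""
    return re.search(prompt_re, line) is not None


if __name__ == "__main__":
    print(run_logon(SEQUENCE, TRANSCRIPT_OK, ACCOUNT, client_params=CLIENT_SPECIFIC))
    print(run_logon(SEQUENCE, TRANSCRIPT_BAD, ACCOUNT))
    # A banner line is not a prompt, but the inclusive regex accepts it, so the
    # next step's response (here a password) would be typed in reply to it.
    banner = "Cost center: US$"
    print(prompt_matches(r".*\@.*~\$ ", banner), prompt_matches(r".*\$", banner))
```

The second transcript reproduces the situation the Regex Value section describes: the remote prompt is valid, but it is not the shape the first line of the sequence expects, so the logon stops at step 1 and nothing is typed. The banner check at the end is why the inclusive .*\$ pattern is a last resort: it also matches non-prompt output, and a response carrying a password would then be sent in reply to the wrong line.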
Troubleshooting
Some error screenshots from CyberArk PSM.
Further logs for troubleshooting can be found in the PSM installation folder.