Symantec Privileged Access Management

Tech Tip - CA Privileged Access Manager: Enable SSH Transparent Login for Device Groups

By wonsa03 posted 08-21-2017 07:43 PM

  

CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 22nd August 2017

 

Issue

You can provision a CA Privileged Access Manager device so that, from the SSH Access Method applet, a user can run sudo or BeyondTrust PowerBroker pbrun using the device's login password (Transparent Login).

Important:

  • Security Requirement: Configure sudo or pbrun on the target so that each execution requires a password from the client. Otherwise, security can be compromised.
  • Transparent login cannot be applied to Device Groups.
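The first bullet depends on the target's sudoers configuration actually prompting for a password on each sudo invocation. The following POSIX shell snippet is an added example, not part of the original tech tip or of the CA PAM product: it scans sudoers-style text for the directives that waive the password prompt (`NOPASSWD:` tags, `Defaults !authenticate`, and `Defaults timestamp_timeout=-1`). Both sudoers samples are constructed for the example; the hardened variant keeps sudo's default of requiring the invoking user's password, which is what Transparent Login relies on.

```shell
#!/bin/sh
# Constructed sample sudoers content. The first variant waives the password
# prompt in three different ways; the second keeps the default behaviour
# (password required on every invocation, no cached credential).
WEAK_SUDOERS='Defaults !authenticate
Defaults timestamp_timeout=-1
pamuser ALL=(ALL) NOPASSWD: ALL
%admins ALL=(root) /usr/bin/systemctl'

HARDENED_SUDOERS='Defaults timestamp_timeout=0
pamuser ALL=(ALL) /usr/bin/systemctl, /usr/sbin/service
%admins ALL=(root) /usr/bin/systemctl'

# Print every non-comment line of the given sudoers text that lets sudo run
# without asking for the invoking user's password:
#   - a NOPASSWD: tag on a user or group specification
#   - "Defaults !authenticate" (password checking disabled globally)
#   - "Defaults timestamp_timeout=-1" (credential cached forever after one prompt)
# Exit status is 0 when at least one such line is found, 1 otherwise.
find_password_waivers() {
    printf '%s\n' "$1" |
    grep -v '^[[:space:]]*#' |
    grep -E 'NOPASSWD[[:space:]]*:|^[[:space:]]*Defaults.*(!authenticate|timestamp_timeout[[:space:]]*=[[:space:]]*-1)'
}

# Number of offending lines, printed as a decimal string ("0" when clean).
count_password_waivers() {
    find_password_waivers "$1" | grep -c . || true
}

# Stand-alone usage: report on both constructed samples.
if [ "${1:-}" = "--demo" ]; then
    echo "weak sudoers waivers: $(count_password_waivers "$WEAK_SUDOERS")"
    find_password_waivers "$WEAK_SUDOERS" | sed 's/^/  /'
    echo "hardened sudoers waivers: $(count_password_waivers "$HARDENED_SUDOERS")"
fi
```

On a real target you would feed the function the contents of `/etc/sudoers` and every file under `/etc/sudoers.d/` (after `visudo -c` confirms they parse), and treat any hit for the account that PAM logs in with as a finding to fix before enabling Transparent Login. pbrun policies need the equivalent review in their own policy language, which this example does not cover.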

 

Policy setup against individual device -- Transparent Login option is available:

 

Policy setup against (Device Group) -- Transparent Login option is not available:

Cause

The SSH Transparent Login option is available to a policy against an individual device only when Transparent Login has been configured at the device level. Because a Device Group has no device-level Transparent Login configuration, the option is never offered for a policy against a Device Group.

Workaround

Create a dummy RDP Application in PAM (with the 'Hide from User' option checked) and associate that service with the Device Group:

Transparent Login option is now made available to the Device Group:

 

NOTE:

Because the Transparent Login check is performed at the device level, the suggested workaround effectively bypasses that validation. Hence, Transparent Login can be enabled on the Device Group policy, but the Transparent Login configuration itself still needs to be done on each individual device in the group.

 

Also, the suggested workaround is not suitable for 'Command String' Transparent Login.

Additional Information


Comments

08-22-2017 02:03 PM

Hi,

 

Thanks for the tech tip, I had this requirement long back and I raised an idea also for the similar use case.

Without command string it is still not sufficing my requirement, I hope the product team will come up with a feature release to enable group based policy with command string support.

 

Anyway, this is still a good workaround for individual use cases which don't require command string configuration.