How to configure/integrate the WinSCP client with CA PAM? I tried doing it and was able to configure it, but if I disable the application protocol in TCP services, the user gets an additional popup in the dashboard with a view credential option.
Bipin, What is the motivation for disabling the application protocol? This says that you want to use PAM just as a router for the connection. There would be no session recording. I can see that the additional link to the credentials in the case where you select Disabled as application protocol is a potential concern. But I would like to understand the use case first.
The use case is simple: use WinSCP via PAM to transfer files, and the session should get recorded.
Which protocol should I select for WinSCP, and what are the parameters I should put inside Client application path to launch WinSCP? I don't see SFTP or SCP protocols in the application protocol drop-down list. Please suggest.
Use Application Protocol SSH.
Thank you. Please tell me the client parameter value to put.
One example would be "C:\Test\WinSCP.exe" sftp://<Local IP>:<First Port> /sessionname=<Device Name>
I modified it a little bit and it works fine, but I don't see the session getting recorded. Is there anything I'm missing here?
Hi Bipin, I have to correct myself. What I said worked in older releases, but in the latest releases we block secure file transfers using the SSH proxy. The options are as follows:
- Enable SSH Terminal File Transfer in Global Settings. This will allow you to transfer files using the built-in SSH access method (Mindterm). Since the SSH access method includes auto-login, no credentials are needed by the user for file transfers.
- Associate the sftpsftp service with a device and enable in a policy. This will open a port on a local IP address that you can connect your own file transfer client like WinSCP to. The popup showing local IP and Port will include a Credential link if an account is configured in policy for login. The user has to view the credential and use it for logon.
- Define a TCP service like you described with application protocol Disabled. This is similar to the previous option except that PAM will launch your local client for you.
- Associate the sftpsftpemb service with a device and enable in a policy. This is a mix of the previous two as it will use an embedded WinSCP client, see e.g. https://docops.ca.com/ca-privileged-access-manager/3-2/EN/implementing/provision-your-server/provisioning-devices/device-features
At this time none of the options will record file transfers for you. There is one open idea on this topic: https://communities.ca.com/ideas/235737556-logging-file-transfer-transaction-for-ftp-service-on-ca-pam
If you had users launching a WinSCP session from a Windows jump server, the RDP session recording would capture all file transfer activity of course.
Thank you for the detailed explanations. As you mentioned, none of the methods supports session recording. We can use the applet-based built-in SCP/SFTP features, but we have seen many issues with the SSH applet. Many features that the PuTTY client supports are missing in the SSH applet, which is the reason we're leaning towards the PuTTY client rather than using the default applet.
Is there any scope for FTP/SFTP support being enabled in a later PAM version with session recording support? We cannot rely on the built-in SSH until all the applet issues are resolved.
Appreciate your help.
Hi Bipin, Please vote up the enhancement request I pointed you to, or create a new idea if you don't think the description matches what you are looking for.
I voted and responded to the enhancement request. Thanks.