Authentication Methods

Different methods of authentication with Keeper Connections

Overview

Keeper Connections can be authenticated using one of the following methods:

  • Launch Credential: The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

  • Personal/Private Credential: When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

  • Ephemeral Accounts: When the ephemeral account feature is enabled on the PAM Machine or PAM Database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

Launch Credential

When a launch credential is configured on a PAM Machine, PAM Database, or PAM Directory record type, sessions to the target system are authenticated using that launch credential.

To configure the launch credential:

  • Open the PAM Settings on a PAM Machine, PAM Database, or PAM Directory record type

  • Navigate to the Connection Tab

  • In the Launch Credentials Dropdown, choose the PAM User record to be used as the Launch credentials

Configuring Launch Credentials
  • After configuring the Launch Credential, close the PAM settings by clicking "Update" and save the record.

  • Enabling the "Rotate launch credentials upon session termination" checkbox will automatically rotate the launch credential after every session.

After configuring the Launch credential, the PAM Record type will show the launch credential:

Personal/Private Credentials

PAM Machine, PAM Database, and PAM Directory record types can be configured to allow users to authenticate sessions using personal/private credentials stored in their own Keeper Vault. When this is configured, users are able to select a credential from their Keeper Vault at session launch.

To enable users to use their own credential:

  • Open the PAM Settings on a PAM Machine, PAM Database, or PAM Directory record type

  • Navigate to the Connection Tab

  • Enable the "Allow users to select credentials from their vault" checkbox:

If launch credentials are configured, users will be able to choose between the launch credential and their own personal/private credential.

If "Rotate launch credential upon session termination" is enabled, only the configured launch credentials are rotated. Personal/Private credentials will not be rotated.

  • After enabling the checkbox (step 3), close the PAM settings by clicking "Update" and save the record.

When users click on the launch button, they are presented with the ability to select a credential from their Keeper Vault:


Ephemeral Account

PAM Machine, PAM Database, and PAM Directory record types can be configured to allow users to authenticate sessions using ephemeral accounts.

An ephemeral account is a system-generated, time-limited privileged account that is created specifically for the session. This account is temporary and deleted automatically after the session ends. This method is used for Just-In-Time access with no persistent account on the target system.

To enable ephemeral accounts:

  • Open the PAM Settings on a PAM Machine, PAM Database, or PAM Directory record type

  • Navigate to the "JIT" tab

  • Enable "Create ephemeral account for connection"

    • Note: For machines, you will need to specify the type of system to generate the user for. For example, an ephemeral account for Linux will be a Linux user.

    • (Optional) Enable "Elevate account during connection" to elevate the account used to authenticate the session to the specified group or role. The group or role must be valid.

Configuring Ephemeral Accounts
  • After enabling the above, close the PAM settings by clicking "Update" and save the record. Your record should look like the following:

Protocol Configuration

For additional configuration details on your protocol, visit the following page:

Session Protocols
