SSH Connections

Keeper Connections - SSH Protocol

Overview

KeeperPAM enables zero-trust privileged session management for target infrastructure using the SSH protocol. This guide explains how to set up SSH connections on your PAM Machine Records in the Keeper Vault. Secure SSH sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connection's Getting Started page.

The following PAM records are needed in order to successfully setup this protocol:

PAM Record
Definition

PAM Configuration

The PAM Configuration contains information of your target infrastructure

PAM Machine Record

The PAM Machine record contains information of the endpoint you want to establish an SSH protocol connection to.

PAM User Record

The PAM User record contains the user credentials that will be used to connect to the endpoint

This guide will use a Linux server to represent a PAM Machine record.

PAM Settings - Configuring SSH Protocol

Accessing Connection Settings

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

  1. Editing the PAM Record

  2. Clicking on "Set Up" in the PAM Settings section

  3. Navigate to the "Connection" section in the prompted window

Configuring Connection Settings

Prior to configuring the SSH protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:

Field
Description

PAM Configuration

This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.

Administrative Credential Record

This is the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.

The following table lists all the configurable connection settings for the SSH protocol on the PAM Settings:

Field
Definition

Protocol

Required

The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SSH protocol should be selected

Enable Connection

Required

To enable connection for this record, this toggle needs to be enabled

Graphical Session Recording

When enabled, graphical session recordings will be enabled for this record

Text Session Recording (Typescript)

When enabled, text session recordings (typescript) will be enabled for this record

Include Key Events

When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

Connection Port

The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For SSH, the default port is 22

Launch Credentials

When configured, these credentials will be used to authenticate the connection. More details here

Allow users to select credentials from their vault

When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here

Rotate launch credentials upon session termination

When enabled, the configured launch credentials will be automatically rotated when the session is closed

Public Host Key (Base64)

The known hosts entry for the SSH server, in the same format as would be specified within an OpenSSH known_hosts file. If not provided, no verification of host identity will be performed.

Color Scheme

The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

  • "black on white" - Black text over a white background

  • "gray on black" - Gray text over a black background (the default)

  • "green on black" - Green text over a black background

  • "white on black" - White text over a black background

  • "Custom" - custom color scheme

Default value is "white-black"

Font Size

Font size displayed for the terminal session

Font Name

The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

Maximum scrollback size

The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

SFTP

If enabled, the user can drag and drop files into the terminal session to transfer one or more files.

File Browser Root Directory

If SFTP is enabled, file transfers will be saved to the specified folder path.

Can copy to clipboard

If enabled, text copied within the connected protocol session will be accessible by the user.

Can paste from clipboard

If enabled, user can paste text from clipboard within the connected protocol session.

Read-only

Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

Session / Environment parameters

By default, SSH sessions will start an interactive shell. The shell which will be used is determined by the SSH server, normally by reading the user's default shell previously set with chsh or within /etc/passwd. If you wish to override this and instead run a specific command, you can do so by specifying that command in the configuration of the SSH connection.

Field
Description

Execute command

The command to execute over the SSH session, if any. If not specified, the SSH session will use the user's default shell.

Language/Locale ($LANG)

The specific locale to request for the SSH session. This may be any value accepted by the LANG environment variable of the SSH server. If not specified, the SSH server's default locale will be used.

As this parameter is sent to the SSH server using the LANG environment variable, the parameter will only have an effect if the SSH server allows the LANG environment variable to be set by SSH clients.

Time zone ($TZ)

The time zone to request for the SSH session. This may be any value accepted by the TZ environment variable of the SSH server, typically the standard names defined by the IANA time zone database. If not specified, the SSH server's default time zone will be used.

As this parameter is sent to the SSH server using the TZ environment variable, the parameter will only have an effect if the SSH server allows the TZ environment variable to be set by SSH clients.

Server keepalive interval

The interval in seconds between which keepalive packets should be sent to the SSH server, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value is "2".

Terminal behavior parameters

In most cases, the default behavior of the Keeper Connection Manager terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Keeper's SSH support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the TERM environment variable.

Field
Description

Backspace key sends

The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent.

Terminal type

The terminal type string that should be passed to the SSH server. This value will typically be exposed within the SSH session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.

Connection Authentication Methods

Keeper Connections can be authenticated using one of the following methods:

  • Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

  • Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

  • Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

Starting a Connection

Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:

In the above image, a Linux server has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:

SSH Session Launching
SSH Session Active

File Transfers

Transfer In

If the SFTP file transfer feature is enabled, the user can drag and drop files into the terminal session to transfer the files to the machine.

SFTP File Transfer Options

Keeper supports one or more files transferred simultaneously through drag-and-drop.

While the files are being uploaded to the target machine, a file transfer status is displayed in the dock area of the Keeper Vault:

File Upload Status

Transfer Out

To transfer files from the SSH remote connection to the local filesystem, you can download a tool called guacctl into the remote system and use it for performing outbound transfers.

Download guacctl and set as executable:

wget https://raw.githubusercontent.com/apache/guacamole-server/master/bin/guacctl
chmod +x guacctl

Initiate the file download using this syntax:

./guacctl -d <filename>

SSH to Windows Servers

The SSH protocol can also be used to access Windows servers for execution of PowerShell commands or other administrative actions.

Session Recordings - SSH Protocol

SSH Session Recordings

For this protocol, both graphical and the full, raw text text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this page.

Connection Templates

The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

Connection Templates
PreviousSession ProtocolsNextRDP Connections

Last updated

Was this helpful?