SSH Connections
Keeper Connections - SSH Protocol
Last updated
Was this helpful?
KeeperPAM and Secrets Manager
Keeper Connections - SSH Protocol
Last updated
Was this helpful?
KeeperPAM enables zero-trust privileged session management for target infrastructure using the SSH protocol. This guide explains how to set up SSH connections on your PAM Machine Records in the Keeper Vault. Secure SSH sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prior to following this guide, familiarize yourself with the prerequisites on the Connection's .
The following PAM records are needed in order to successfully setup this protocol:
This guide will use a Linux server to represent a PAM Machine record.
After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:
Editing the PAM Record
Clicking on "Set Up" in the PAM Settings section
Navigate to the "Connection" section in the prompted window
Prior to configuring the SSH protocol settings on the PAM Settings screen, the following fields are all required and need to be configured:
The following table lists all the configurable connection settings for the SSH protocol on the PAM Settings:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SSH protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Text Session Recording (Typescript)
When enabled, text session recordings (typescript) will be enabled for this record
Include Key Events
When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.
Connection Port
The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port. For SSH, the port is 22
Public Host Key (Base64)
The known hosts entry for the SSH server, in the same format as would be specified within an OpenSSH known_hosts file. If not provided, no verification of host identity will be performed.
Color Scheme
The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:
"black on white" - Black text over a white background
"gray on black" - Gray text over a black background (the default)
"green on black" - Green text over a black background
"white on black" - White text over a black background
"Custom" - custom color scheme
Default value is "white-black"
Font Size
Font size displayed for the terminal session
SFTP
If enabled, the user can drag and drop files into the terminal session to transfer one or more files.
File Browser Root Directory
If SFTP is enabled, file transfers will be saved to the specified folder path.
Can copy to clipboard
If enabled, text copied within the connected protocol session will be accessible by the user.
Can paste from clipboard
If enabled, user can paste text from clipboard within the connected protocol session.
Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:
In the above image, a Linux server has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:
If the SFTP file transfer feature is enabled, the user can drag and drop files into the terminal session to transfer the files to the machine.
Keeper supports one or more files transferred simultaneously through drag-and-drop.
While the files are being uploaded to the target machine, a file transfer status is displayed in the dock area of the Keeper Vault:
To transfer files from the SSH remote connection to the local filesystem, you can download a tool called guacctl into the remote system and use it for performing outbound transfers.
Download guacctl and set as executable:
Initiate the file download using this syntax:
The SSH protocol can also be used to access Windows servers for execution of PowerShell commands or other administrative actions.
Learn more on how to
The PAM Configuration contains information of your target infrastructure
Record
The PAM Machine record contains information of the endpoint you want to establish an SSH protocol connection to.
Record
The PAM User record contains the user credentials that will be used to connect to the endpoint
For this protocol, both graphical and the full, raw text text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this .
Learn more about
PAM Configuration
This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.
Administrative Credential Record
This is the linked that will be used to authenticate to the target and perform administrative operations on it.
