PAM Machine

KeeperPAM resource for managing machines on-prem or in the cloud

Overview

A PAM Machine record is a type of KeeperPAM resource that represents a workload, such as a Windows or Linux server.

PAM Record Type: PAM Machine
Supported Assets: Windows/macOS/Linux Machines, EC2 Instances, Azure VMs

Features Available

The PAM Machine resource supports the following features:

  • Password rotation

  • SSH key rotation

  • Zero-trust Connections using RDP, SSH, VNC, K8s and Telnet protocols

  • TCP Tunnels

  • Session recording

  • Sharing access without sharing credentials

  • File transfer through drag-and-drop

Connecting to the PAM machine requires only that the Keeper Gateway has access to the target machine. The Keeper Vault operates independently and does not require direct connectivity to the machine, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Machine

Prior to creating a PAM Machine, make sure you have already created a PAM Configuration. The PAM Configuration holds information about your target infrastructure, while the PAM Machine holds information about a single asset, such as a Windows or Linux server.

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Creating a new PAM Machine record

PAM Machine Record Type Fields

The following table lists all the configurable fields on the PAM Machine Record Type:

Field: Hostname or IP Address
  Description: Address of the machine resource
  Notes: Required

Field: Port
  Description: Port to connect on. The Gateway uses this port to determine the connection method.
  Notes: Required. Must be an SSH or WinRM port. Keeper expects 22, 5985, 5986, or an alternative SSH or WinRM port specified in the PAM Configuration port mapping.

Field: Administrative Credentials
  Description: Linked PAM User credential used for connection and administrative operations
  Notes: Required. See the "PAM Settings and Administrative Credentials" section below for more details.

Field: PAM settings
  Description: This is where you configure the Connection and Tunnel settings for this machine.
  Notes: Required. See the "PAM Settings and Administrative Credentials" section below for more details.

Field: Operating System
  Description: The target's Operating System
  Notes: For your reference only

Field: SSL Verification
  Description: When checked, verifies the host's certificate when connecting with SSH
  Notes: Only applies to certain databases and directories where SSL is optional

Field: Instance Name
  Description: Azure or AWS Instance Name
  Notes: Required if AWS/Azure Machine

Field: Instance Id
  Description: Azure or AWS Instance ID
  Notes: Required if AWS/Azure Machine

Field: Provider Group
  Description: Provider Group for directories hosted in Azure
  Notes: Required if Azure Machine

Field: Provider Region
  Description: AWS region of the hosted directory
  Notes: Required if AWS Machine
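The conditional requirements in the field table above, worked through as an added Python example (not Keeper's code): it resolves the connection method from the Port field, honours an assumed PAM Configuration port mapping of the form {port: "ssh" | "winrm"} (the real mapping schema is not shown on this page), and checks the provider-specific fields. Record keys and the sample records are constructed for the example.

```python
# Added example, not Keeper's implementation. Validates a constructed
# PAM Machine record against the field rules described in the table above.

# Ports the page says Keeper expects by default: 22 = SSH, 5985/5986 = WinRM.
DEFAULT_PORT_METHODS = {22: "ssh", 5985: "winrm", 5986: "winrm"}


def connection_method(port, port_mapping=None):
    """Return 'ssh' or 'winrm' for the port, or None if it is not recognised.

    port_mapping stands in for the PAM Configuration port mapping
    (assumed format: {port_number: "ssh" | "winrm"}); it overrides defaults.
    """
    mapping = dict(DEFAULT_PORT_METHODS)
    mapping.update(port_mapping or {})
    return mapping.get(port)


def validate_pam_machine(record, port_mapping=None):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    # Fields the table marks as Required for every machine.
    for field in ("hostname", "port", "admin_credential", "pam_configuration"):
        if not record.get(field):
            problems.append(f"{field} is required")
    port = record.get("port")
    if port is not None and connection_method(port, port_mapping) is None:
        problems.append(f"port {port} is not an SSH or WinRM port; "
                        "add it to the PAM Configuration port mapping")
    # Provider-specific fields (provider is a constructed key: "aws"/"azure").
    provider = record.get("provider")
    if provider in ("aws", "azure"):
        for field in ("instance_name", "instance_id"):
            if not record.get(field):
                problems.append(f"{field} is required for {provider} machines")
    if provider == "azure" and not record.get("provider_group"):
        problems.append("provider_group is required for azure machines")
    if provider == "aws" and not record.get("provider_region"):
        problems.append("provider_region is required for aws machines")
    return problems


if __name__ == "__main__":
    # Constructed sample: an EC2 host on a non-default SSH port, region missing.
    ec2 = {"hostname": "10.0.0.5", "port": 2222, "admin_credential": "ec2-admin",
           "pam_configuration": "aws-prod", "provider": "aws",
           "instance_name": "web-1", "instance_id": "i-EXAMPLE"}
    print(validate_pam_machine(ec2))                     # region missing, port unknown
    print(validate_pam_machine(ec2 | {"provider_region": "us-east-1"}, {2222: "ssh"}))
```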

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings and Administrative Credentials

PAM Settings

Field: PAM Configuration
  Description: Associated PAM Configuration record which defines the environment
  Required: Yes

Field: Administrative Credential Record
  Description: Linked PAM User credential used for connection and administrative operations
  Required: Yes

Field: Protocol
  Description: Native protocol used for connecting the session from the Gateway to the target
  Required: Yes

Field: Session Recording
  Description: Options for recording sessions and typescripts

Field: Connection Parameters (multiple)
  Description: Connection-specific protocol settings which can vary based on the protocol type
  Required: Depends on protocol. We recommend specifying the Connection Port at a minimum.

PAM Settings for a PAM Machine resource

Below are a couple of examples of PAM Machine records with Connections and Tunnels activated.

PAM Machine Record - Windows
PAM Machine Record - Linux

Examples

Visit the following pages to set up:
