All pages
Powered by GitBook
1 of 3

PAM Machine

KeeperPAM resource for managing machines on-prem or in the cloud

Overview

A PAM Machine record is a type of KeeperPAM resource that represents a workload, such as a Windows or Linux server.

PAM Record Type
Supported Assets

PAM Machine

Windows/macOS/Linux Machines, EC2 Instances, Azure VMs

Features Available

The PAM Machine resource supports the following features:

  • Password rotation

  • SSH key rotation

  • Zero-trust Connections using RDP, SSH, VNC, K8s and Telnet protocols

  • TCP Tunnels

  • Session recording

  • Sharing access without sharing credentials

  • File transfer through drag-and-drop

Connecting to the PAM machine requires only that the Keeper Gateway has access to the target machine. The Keeper Vault operates independently and does not require direct connectivity to the machine, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Machine

Prior to creating a PAM Machine, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Machine contains information of an asset, such as a Windows or Linux server.

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Creating a new PAM Machine record

PAM Machine Record Type Fields

The following table lists all the configurable fields on the PAM Machine Record Type:

Field
Description
Notes

Hostname or IP Address

Address of the machine resource

Required

Port

Port to connect on. The Gateway uses this to determine connection method.

Required Must be a port for SSH or WinRM

Keeper expects 22, 5985, 5986, or an alternative port for SSH or WinRM specified in the PAM Configuration port mapping

Administrative Credentials

Linked PAM User credential used for connection and administrative operations

Required Visit this section for more details

PAM settings

This is where you configure Connection and Tunnel settings for this machine.

Required Visit this section for more details

Operating System

The target's Operating System

For your reference only

SSL Verification

When checked, verifies certificate of host when connecting with SSH

Only applies to certain databases and directories where SSL is optional

Instance Name

Azure or AWS Instance Name

Required if AWS/Azure Machine

Instance Id

Azure or AWS Instance ID

Required if AWS/Azure Machine

Provider Group

Provider Group for directories hosted in Azure

Required if Azure Machine

Provider Region

AWS region of hosted directory

Required if AWS Machine

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings and Administrative Credentials

PAM Settings

Field
Description
Required

PAM Configuration

Associated PAM Configuration record which defines the environment

Required

Administrative Credential Record

Linked PAM User credential used for connection and administrative operations

Required

Protocol

Native protocol used for connecting the session from the Gateway to the target

Required

Session Recording

Options for recording sessions and typescripts

See session recording

Connection Parameters (multiple)

Connection-specific protocol settings which can vary based on the protocol type

Depends on protocol. We recommend specifying the Connection Port at a minimum.

PAM Settings for a PAM Machine resource

Below are a couple examples of PAM Machine records with Connections and Tunnels activated.

PAM Machine Record - Windows
PAM Machine Record - Linux

Examples

Visit the following pages to set up:

  • Linux Machine

  • Azure Virtual Machine

Example: Linux Machine

Configuring SSH Server as a PAM Machine Record

Overview

In this example, you'll learn how to configure a Linux Machine in your Keeper Vault as a PAM Machine record.

Prerequisites

Prior to proceeding with this guide, make sure you have

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Machine Record

Machines such as a Linux Machines can be configured on the PAM Machine record type.

Creating a PAM Machine

To create a PAM Database:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Linux Machine Example

Configure a Linux Machine on the PAM Machine Record

Suppose I have a local Linux Virtual Machine with the hostname "linux-machine", the following table lists all the configurable fields and their respective values:

Field
Description
Value

Title (Required)

Title of the PAM Machine Record

Linux Machine

Hostname or IP Address (Required)

Address or RDP endpoint or Server name of the Machine Resource

linux-machine

Port (Required)

Port to connect to the Linux Resource

22

Operating System

The target's Operating System

linux

Instance Name

Azure or AWS Instance Name

Required if AWS/Azure Machine

Instance ID

Azure or AWS Instance ID

Required if AWS/Azure Machine

Provider Group

Azure or AWS Provider Group

Required if a managed Azure Machine

Provider Region

Azure or AWS Provider Region

Required if a managed AWS Machine

Configuring PAM Settings on the PAM Machine

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Linux Machine:

Field
Description
Required

PAM Configuration

Associated PAM Configuration record which defines the environment

Required - This is the PAM configuration you created in the prerequisites

Administrative Credential Record

Linked PAM User credential used for connection and administrative operations

Required Visit this section for more details

Protocol

Native protocol used for creating a session from the Gateway to the target

Required - for this example: "SSH"

Session Recording

Options for recording sessions and typescripts

See session recording

Connection Parameters

Connection-specific protocol settings which can vary based on the protocol type.

See this section for SSH protocol settings. We recommend specifying the Connection Port at a minimum. E.g. "22" for SSH.

Administrative Credential Record

The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.

User Accounts can be configured on the PAM User record. Visit this page for more information on the PAM User.

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control

Example: Azure Windows VM

Configuring an Azure Windows VM as a PAM Machine Record

Overview

In this example, you'll learn how to configure a Azure Windows VM in your Keeper Vault as a PAM Machine record.

Prerequisites

Prior to proceeding with this guide, make sure you have

  1. Installed and configured the Keeper Gateway

  2. Set up a PAM Configuration for your target Environment

PAM Machine Record

Machines such as a Azure Virtual Machines can be configured on the PAM Machine record type.

Creating a PAM Machine

To create a PAM Database:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Example of Azure Windows VM

Configure a Windows Machine on the PAM Machine Record

Suppose I have a Azure Virtual Machine with the hostname "10.0.1.4", the following table lists all the configurable fields and their respective values:

Field
Description
Value

Title (Required)

Title of the PAM Machine Record

Windows VM

Hostname or IP Address (Required)

Address or RDP endpoint or Server name of the Machine Resource

10.0.1.4

Port (Required)

Port to connect to the Azure VM for rotation. 22 for SSH, 5986 for WinRM

5986

Operating System

The target's Operating System

Set to: Windows

Instance Name

Azure or AWS Instance Name

Required if AWS/Azure Machine webserver-prod-01

Instance ID

Azure or AWS Instance ID

Required if AWS/Azure Machine

Provider Group

Azure or AWS Provider Group

Required if a managed Azure Machine

Provider Region

Azure or AWS Provider Region

Required if a managed AWS Machine

Configuring PAM Settings on the PAM Machine

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Azure Virtual Machine:

Field
Description
Required

PAM Configuration

Associated PAM Configuration record which defines the environment

Required - This is the PAM configuration you created in the prerequisites

Administrative Credential Record

Linked PAM User credential used for connection and administrative operations

Required Visit this section for more details

Protocol

Native protocol used for connecting from the Gateway to the target

Required - for this example: "RDP"

Session Recording

Options for recording sessions and typescripts

See session recording

Connection Parameters

Connection-specific protocol settings which can vary based on the protocol type

See this section for RDP protocol settings We recommend specifying the Connection Port at a minimum. E.g. "3389" for RDP.

Administrative Credential Record

The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.

User Accounts can be configured on the PAM User record. Visit this page for more information.

Setting a Non Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.

  • Learn more about Sharing and Access Control