Example: Linux Machine

Configuring SSH Server as a PAM Machine Record

Overview

In this example, you'll learn how to configure a Linux Machine in your Keeper Vault as a PAM Machine record.

Prerequisites

Prior to proceeding with this guide, make sure you have

PAM Machine Record

Machines such as Linux machines can be configured on the PAM Machine record type.

Creating a PAM Machine

To create a PAM Machine:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Machine" for the Target

  • Click "Next" and complete all of the required information.

Configure a Linux Machine on the PAM Machine Record

Suppose I have a local Linux Virtual Machine with the hostname "local-linux-machine". The following table lists all the configurable fields and their respective values:

| Field | Description | Value |
| --- | --- | --- |
| Title (Required) | Title of the PAM Machine Record | Local Linux Machine |
| Hostname or IP Address (Required) | Address, RDP endpoint or server name of the Machine Resource | local-linux-machine |
| Port (Required) | Port to connect to the Linux Resource | 22 |
| Operating System | The target's Operating System | linux |
| Instance Name | Azure or AWS Instance Name | Required if AWS/Azure Machine |
| Instance ID | Azure or AWS Instance ID | Required if AWS/Azure Machine |
| Provider Group | Azure or AWS Provider Group | Required if a managed Azure Machine |
| Provider Region | Azure or AWS Provider Region | Required if a managed AWS Machine |

Configuring PAM Settings on the PAM Machine

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Linux Machine:

| Field | Description | Required |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required. This is the PAM Configuration you created in the prerequisites. |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details. |
| Protocol | Native protocol used for creating a session from the Gateway to the target | Required. For this example: "SSH" |
| Session Recording | Options for recording sessions and typescripts | |
| Connection Parameters | Connection-specific protocol settings which can vary based on the protocol type | See this section for SSH protocol settings. We recommend specifying the Connection Port at a minimum, e.g. "22" for SSH. |
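As an added pre-flight check (a hypothetical helper written for this page, not Keeper's own API or tooling), the following Python encodes the field rules from the two tables above: the required core fields, the cloud fields that are only required for AWS/Azure machines, and the exception that a tunnel needs no linked credential. The `provider`, `managed` and `use_case` attributes are assumed names for the choices the page describes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PamMachine:
    """Fields of a PAM Machine record as listed in the two tables above."""
    title: str
    hostname: str
    port: int
    operating_system: str = "linux"
    provider: Optional[str] = None   # assumed: "aws", "azure", or None for on-prem
    managed: bool = False            # assumed: a managed AWS/Azure machine
    instance_name: str = ""
    instance_id: str = ""
    provider_group: str = ""
    provider_region: str = ""
    # PAM Settings section
    pam_configuration: str = ""
    admin_credential: str = ""
    protocol: str = ""
    use_case: str = "connection"     # "rotation", "tunnel" or "connection"


def validate(m: PamMachine) -> List[str]:
    """Return the list of problems; an empty list means the record is complete."""
    problems = []
    for name in ("title", "hostname", "pam_configuration", "protocol"):
        if not getattr(m, name).strip():
            problems.append(f"{name} is required")
    if not 1 <= m.port <= 65535:
        problems.append("port must be between 1 and 65535")
    # Tunnels do not need a linked credential; rotation and connection do
    if m.use_case != "tunnel" and not m.admin_credential:
        problems.append(f"administrative credential record is required for {m.use_case}")
    if m.provider in ("aws", "azure"):
        if not m.instance_name:
            problems.append("instance name is required for AWS/Azure machines")
        if not m.instance_id:
            problems.append("instance ID is required for AWS/Azure machines")
        if m.managed and m.provider == "azure" and not m.provider_group:
            problems.append("provider group is required for a managed Azure machine")
        if m.managed and m.provider == "aws" and not m.provider_region:
            problems.append("provider region is required for a managed AWS machine")
    return problems


# Constructed sample: the page's local Linux machine, reached over SSH
LOCAL_LINUX = PamMachine(title="Local Linux Machine", hostname="local-linux-machine",
                         port=22, pam_configuration="Linux PAM Configuration",
                         admin_credential="linux-admin", protocol="SSH")
```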

Administrative Credential Record

The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.

User Accounts can be configured on the PAM User record. Visit this page for more information on the PAM User.

Setting a Non-Admin User as the Administrative Credential Record

If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.

Sharing PAM Machine Records

PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.

When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.
