KeeperPAM resource for managing machines on-prem or in the cloud
A PAM Machine record is a type of KeeperPAM resource that represents a workload, such as a Windows or Linux server.
PAM Machine: Windows/macOS/Linux Machines, EC2 Instances, Azure VMs
The PAM Machine resource supports the following features:
Password rotation
SSH key rotation
Zero-trust Connections using RDP, SSH, VNC, K8s and Telnet protocols
TCP Tunnels
Session recording
Sharing access without sharing credentials
File transfer through drag-and-drop
Connecting to the PAM machine requires only that the Keeper Gateway has access to the target machine. The Keeper Vault operates independently and does not require direct connectivity to the machine, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.
Prior to creating a PAM Machine, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Machine contains information about a single asset, such as a Windows or Linux server.
To create a PAM Machine:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Machine" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM Machine Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| Hostname or IP Address | Address of the machine resource | Required |
| Port | Port to connect on. The Gateway uses this to determine the connection method. | Required. Must be a port for SSH or WinRM: Keeper expects 22, 5985, 5986, or an alternative port for SSH or WinRM specified in the PAM Configuration port mapping |
| Administrative Credentials | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details |
| PAM Settings | This is where you configure Connection and Tunnel settings for this machine. | Required. Visit this section for more details |
| Operating System | The target's Operating System | For your reference only |
| SSL Verification | When checked, verifies the certificate of the host when connecting with SSH | Only applies to certain databases and directories where SSL is optional |
| Instance Name | Azure or AWS Instance Name | Required if AWS/Azure Machine |
| Instance Id | Azure or AWS Instance ID | Required if AWS/Azure Machine |
| Provider Group | Provider Group for directories hosted in Azure | Required if Azure Machine |
| Provider Region | AWS region of hosted directory | Required if AWS Machine |
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.
| Field | Description | Notes |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required |
| Protocol | Native protocol used for connecting the session from the Gateway to the target | Required |
| Connection Parameters (multiple) | Connection-specific protocol settings which can vary based on the protocol type | Depends on protocol. We recommend specifying the Connection Port at a minimum. |
Below are a couple examples of PAM Machine records with Connections and Tunnels activated.
Visit the following pages to set up:
Configuring SSH Server as a PAM Machine Record
In this example, you'll learn how to configure a Linux Machine in your Keeper Vault as a PAM Machine record.
Prior to proceeding with this guide, make sure you have
Machines such as Linux machines can be configured on the PAM Machine record type.
To create a PAM Machine:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Machine" for the Target
Click "Next" and complete all of the required information.
Suppose I have a local Linux virtual machine with the hostname "linux-machine". The following table lists all the configurable fields and their respective values:

| Field | Description | Value / Notes |
| --- | --- | --- |
| Title (Required) | Title of the PAM Machine Record | Linux Machine |
| Hostname or IP Address (Required) | Address, RDP endpoint or server name of the Machine Resource | linux-machine |
| Port (Required) | Port to connect to the Linux Resource | 22 |
| Operating System | The target's Operating System | linux |
| Instance Name | Azure or AWS Instance Name | Required if AWS/Azure Machine |
| Instance ID | Azure or AWS Instance ID | Required if AWS/Azure Machine |
| Provider Group | Azure or AWS Provider Group | Required if a managed Azure Machine |
| Provider Region | Azure or AWS Provider Region | Required if a managed AWS Machine |
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Linux Machine:
| Field | Description | Value / Notes |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required. This is the PAM Configuration you created in the prerequisites |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details |
| Protocol | Native protocol used for creating a session from the Gateway to the target | Required. For this example: "SSH" |
| Connection Parameters | Connection-specific protocol settings which can vary based on the protocol type. See this section for SSH protocol settings. | We recommend specifying the Connection Port at a minimum, e.g. "22" for SSH. |
The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.
User Accounts can be configured on the PAM User record. Visit this page for more information on the PAM User.
If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.
PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.
When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with a Linux Machine, the recipient can connect to the Linux Machine on the PAM Machine record without having direct access to the linked credentials.
Learn more about Sharing and Access Control
Configuring an Azure Windows VM as a PAM Machine Record
In this example, you'll learn how to configure an Azure Windows VM in your Keeper Vault as a PAM Machine record.
Prior to proceeding with this guide, make sure you have
Machines such as Azure Virtual Machines can be configured on the PAM Machine record type.
To create a PAM Machine:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Machine" for the Target
Click "Next" and complete all of the required information.
Suppose I have an Azure Virtual Machine with the hostname "10.0.1.4". The following table lists all the configurable fields and their respective values:

| Field | Description | Value / Notes |
| --- | --- | --- |
| Title (Required) | Title of the PAM Machine Record | Windows VM |
| Hostname or IP Address (Required) | Address, RDP endpoint or server name of the Machine Resource | 10.0.1.4 |
| Port (Required) | Port to connect to the Azure VM for rotation: 22 for SSH, 5986 for WinRM | 5986 |
| Operating System | The target's Operating System | Set to: Windows |
| Instance Name | Azure or AWS Instance Name (Required if AWS/Azure Machine) | webserver-prod-01 |
| Instance ID | Azure or AWS Instance ID | Required if AWS/Azure Machine |
| Provider Group | Azure or AWS Provider Group | Required if a managed Azure Machine |
| Provider Region | Azure or AWS Provider Region | Required if a managed AWS Machine |
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential. The following table lists all the configurable fields and their respective values for the Azure Virtual Machine:
| Field | Description | Value / Notes |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required. This is the PAM Configuration you created in the prerequisites |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required. Visit this section for more details |
| Protocol | Native protocol used for connecting from the Gateway to the target | Required. For this example: "RDP" |
| Connection Parameters | Connection-specific protocol settings which can vary based on the protocol type. See this section for RDP protocol settings. | We recommend specifying the Connection Port at a minimum, e.g. "3389" for RDP. |
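The field tables above encode a handful of rules that are easy to get wrong when records are created by hand or by automation: the record's Port is the rotation port (SSH or WinRM, or a port mapped in the PAM Configuration) and is distinct from the Connection Port in the connection parameters; the cloud fields are required only for AWS or Azure machines; and the admin credential is required for rotation and connections but not for tunnels. The validator below is an added example written for this page, not Keeper's own code or API. The dict layout of the record, the `PamConfiguration` class and its `port_mapping`, the `tunnel_only` flag and the placeholder Azure Instance Id and Provider Group values are all assumptions; the field names and the two sample records come from the field tables and the Linux and Azure walkthroughs on this page.

```python
"""Validator for PAM Machine record fields as described on this page.

Added example, not Keeper's own code or API. The record dict layout,
PamConfiguration and its port_mapping are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Ports the page says Keeper expects in the record's Port field (used for rotation).
ROTATION_PORTS = {22: "SSH", 5985: "WinRM", 5986: "WinRM"}

# Fields the page marks as required only for cloud-hosted machines.
CLOUD_REQUIRED = {
    "aws": ("Instance Name", "Instance Id", "Provider Region"),
    "azure": ("Instance Name", "Instance Id", "Provider Group"),
}

# Connection ports the page suggests per protocol.
DEFAULT_CONNECTION_PORTS = {"RDP": 3389, "SSH": 22}


@dataclass
class PamConfiguration:
    """Minimal stand-in for the PAM Configuration record (assumed shape)."""
    environment: str                                   # "local", "aws" or "azure"
    port_mapping: dict = field(default_factory=dict)   # alternative SSH/WinRM ports, e.g. {2222: "SSH"}


def rotation_method(port, config):
    """Return 'SSH' or 'WinRM' for the record's Port, or None if the port is
    neither a standard SSH/WinRM port nor mapped in the PAM Configuration."""
    return ROTATION_PORTS.get(port) or config.port_mapping.get(port)


def validate_machine(record, config, tunnel_only=False):
    """Check a PAM Machine record against the page's field rules.
    Returns {"errors": [...], "warnings": [...]}; no errors means it can be saved."""
    errors, warnings = [], []

    for name in ("Title", "Hostname or IP Address", "Port"):
        if not record.get(name):
            errors.append(f"{name} is required")

    port = record.get("Port")
    if port is not None and rotation_method(port, config) is None:
        errors.append(f"Port {port} is not an SSH/WinRM port and is not in the "
                      "PAM Configuration port mapping")

    for name in CLOUD_REQUIRED.get(config.environment, ()):
        if not record.get(name):
            errors.append(f"{name} is required for {config.environment} machines")

    pam = record.get("PAM Settings", {})
    if not pam.get("PAM Configuration"):
        errors.append("PAM Settings: PAM Configuration is required")
    if not pam.get("Protocol"):
        errors.append("PAM Settings: Protocol is required")
    # Rotation and connections authenticate with the linked admin credential;
    # tunnels do not need one.
    if not tunnel_only and not pam.get("Administrative Credential Record"):
        errors.append("PAM Settings: Administrative Credential Record is required")

    params = pam.get("Connection Parameters", {})
    protocol = pam.get("Protocol")
    if "Connection Port" not in params:
        hint = DEFAULT_CONNECTION_PORTS.get(protocol)
        warnings.append("Connection Port not set"
                        + (f" (e.g. {hint} for {protocol})" if hint else ""))
    return {"errors": errors, "warnings": warnings}


# Constructed from the Linux walkthrough; the PAM Configuration and credential
# record names are made up for the example.
LINUX_RECORD = {
    "Title": "Linux Machine",
    "Hostname or IP Address": "linux-machine",
    "Port": 22,
    "Operating System": "linux",
    "PAM Settings": {
        "PAM Configuration": "Local PAM Config",
        "Administrative Credential Record": "linux admin",
        "Protocol": "SSH",
        "Connection Parameters": {"Connection Port": 22},
    },
}

# Constructed from the Azure walkthrough; Instance Id and Provider Group are
# placeholders because the page gives no values for them.
AZURE_RECORD = {
    "Title": "Windows VM",
    "Hostname or IP Address": "10.0.1.4",
    "Port": 5986,                       # WinRM, used for rotation
    "Operating System": "Windows",
    "Instance Name": "webserver-prod-01",
    "Instance Id": "PLACEHOLDER-VM-ID",
    "Provider Group": "PLACEHOLDER-RESOURCE-GROUP",
    "PAM Settings": {
        "PAM Configuration": "Azure PAM Config",
        "Administrative Credential Record": "windows admin",
        "Protocol": "RDP",
        "Connection Parameters": {"Connection Port": 3389},   # RDP session port
    },
}

LOCAL_CONFIG = PamConfiguration("local")
AZURE_CONFIG = PamConfiguration("azure")

if __name__ == "__main__":
    print("linux:", validate_machine(LINUX_RECORD, LOCAL_CONFIG))
    print("azure:", validate_machine(AZURE_RECORD, AZURE_CONFIG))
    print("rdp port as rotation port:",
          validate_machine(dict(LINUX_RECORD, Port=3389), LOCAL_CONFIG))
```

The last call in the usage block shows the most common mistake the tables guard against: putting the RDP port 3389 in the record's Port field. The Gateway uses that field to pick SSH or WinRM for rotation, so the value is rejected unless the PAM Configuration maps it; the session port belongs in Connection Parameters instead.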
The Admin Credential Record in the PAM Machine links the admin user to the PAM Machine record in your Keeper Vault. This admin user is used for performing password rotations and authenticating connections.
User Accounts can be configured on the PAM User record. Visit this page for more information.
If you prefer not to authenticate a connection using the admin credential, you can optionally designate a regular user of the resource as the admin credential.
PAM Machine records can be shared with other Keeper users within your organization. However, the recipient must have the appropriate PAM enforcement policies in place to utilize KeeperPAM features on the shared PAM records.
When sharing a PAM Machine record, the linked admin credentials will not be shared. For example, if the PAM Machine is configured with an Azure Virtual Machine, the recipient can connect to the Azure Virtual Machine on the PAM Machine record without having direct access to the linked credentials.
Learn more about Sharing and Access Control