# SSH Connections

## Overview

KeeperPAM enables zero-trust privileged session management for target infrastructure using the SSH protocol. This guide explains how to set up SSH connections on your PAM Machine Records in the Keeper Vault. Secure SSH sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

## Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connection's [Getting Started page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections/getting-started).

The following PAM records are needed in order to successfully setup this protocol:

<table><thead><tr><th width="211">PAM Record</th><th>Definition</th></tr></thead><tbody><tr><td><a href="../../getting-started/pam-configuration">PAM Configuration</a></td><td>The PAM Configuration contains information of your target infrastructure</td></tr><tr><td><a href="../../getting-started/pam-resources/pam-machine">PAM Machine</a> Record</td><td>The PAM Machine record contains information of the endpoint you want to establish an SSH protocol connection to.</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user">PAM User</a> Record</td><td>The PAM User record contains the user credentials that will be used to connect to the endpoint</td></tr></tbody></table>

This guide will use a Linux server to represent a PAM Machine record.

## PAM Settings - Configuring SSH Protocol

### **Accessing Connection Settings**

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

1. Editing the PAM Record
2. Clicking on "Set Up" in the PAM Settings section
3. Navigate to the "Connection" section in the prompted window

### Configuring Connection Settings

Prior to configuring the SSH protocol settings on the PAM Settings screen, the following fields are all **required** and need to be configured:

<table><thead><tr><th width="293">Field</th><th>Description</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>This is the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM Record.</td></tr><tr><td>Administrative Credential Record</td><td>This is the linked <a href="https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user">PAM User</a> that will be used to authenticate to the target and perform administrative operations on it.</td></tr></tbody></table>

The following table lists all the configurable connection settings for the SSH protocol on the PAM Settings:

<table><thead><tr><th width="295">Field</th><th>Definition</th></tr></thead><tbody><tr><td>Protocol</td><td><p><strong>Required</strong></p><p>The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the SSH protocol should be selected</p></td></tr><tr><td>Enable Connection</td><td><p><strong>Required</strong></p><p>To enable connection for this record, this toggle needs to be enabled</p></td></tr><tr><td>Graphical Session Recording</td><td>When enabled, graphical session recordings will be enabled for this record</td></tr><tr><td>Text Session Recording (Typescript)</td><td>When enabled, text session recordings (typescript) will be enabled for this record</td></tr><tr><td>Include Key Events</td><td>When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.</td></tr><tr><td>Connection Port</td><td>The port used to establish the selected protocol connection. By Default, this will be the port value defined on the PAM Machine record. The port specified here will override the default port.<br><br>For SSH, the default port is 22</td></tr><tr><td>Launch Credentials</td><td>When configured, these credentials will be used to authenticate the connection. More details <a href="#connection-authentication-methods">here</a></td></tr><tr><td>Allow users to select credentials from their vault</td><td>When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details <a href="#connection-authentication-methods">here</a></td></tr><tr><td>Rotate launch credentials upon session termination</td><td>When enabled, the configured launch credentials will be automatically rotated when the session is closed</td></tr><tr><td>Public Host Key (Base64)</td><td>The known hosts entry for the SSH server, in the same format as would be specified within an OpenSSH <code>known_hosts</code> file. If not provided, no verification of host identity will be performed.</td></tr><tr><td>Color Scheme</td><td><p>The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:</p><ul><li>"black on white" - Black text over a white background</li><li>"gray on black" - Gray text over a black background (the default)</li><li>"green on black" - Green text over a black background</li><li>"white on black" - White text over a black background</li><li>"Custom" - custom color scheme</li></ul><p>Default value is "white-black"</p></td></tr><tr><td>Font Size</td><td>Font size displayed for the terminal session</td></tr><tr><td>Font Name</td><td>The name of the font to use. If not specified, the default of "monospace" will be used instead. <strong>This must be the name of a font installed on the server running guacd, and should be a monospaced font.</strong> If a non-monospaced font is used, individual glyphs may render incorrectly.</td></tr><tr><td>Maximum scrollback size</td><td>The maximum number of rows to allow within the terminal <code>scrollback</code> buffer. By default, the <code>scrollback</code> buffer will be limited to a maximum of 1000 rows.</td></tr><tr><td>SFTP</td><td>If enabled, the user can drag and drop files into the terminal session to transfer one or more files.</td></tr><tr><td>File Browser Root Directory</td><td>If SFTP is enabled, file transfers will be saved to the specified folder path.</td></tr><tr><td>Can copy to clipboard</td><td>If enabled, text copied within the connected protocol session will be accessible by the user.</td></tr><tr><td>Can paste from clipboard</td><td>If enabled, user can paste text from clipboard within the connected protocol session.</td></tr><tr><td>Read-only</td><td>Whether this connection should be <code>read-only</code>. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.</td></tr></tbody></table>

### Session / Environment parameters <a href="#id-.sshv2.x-session-environmentparameters" id="id-.sshv2.x-session-environmentparameters"></a>

By default, SSH sessions will start an interactive shell. The shell which will be used is determined by the SSH server, normally by reading the user's default shell previously set with `chsh` or within `/etc/passwd`. If you wish to override this and instead run a specific command, you can do so by specifying that command in the configuration of the SSH connection.

| Field                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Execute command           | The command to execute over the SSH session, if any. If not specified, the SSH session will use the user's default shell.                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Language/Locale ($LANG)   | <p>The specific locale to request for the SSH session. This may be any value accepted by the <code>LANG</code> environment variable of the SSH server. If not specified, the SSH server's default locale will be used.</p><p><strong>As this parameter is sent to the SSH server using the <code>LANG</code> environment variable, the parameter will only have an effect if the SSH server allows the <code>LANG</code> environment variable to be set by SSH clients.</strong></p>                                                             |
| Time zone ($TZ)           | <p>The time zone to request for the SSH session. This may be any value accepted by the <code>TZ</code> environment variable of the SSH server, typically the standard names defined by the IANA time zone database. If not specified, the SSH server's default time zone will be used.</p><p><strong>As this parameter is sent to the SSH server using the <code>TZ</code> environment variable, the parameter will only have an effect if the SSH server allows the <code>TZ</code> environment variable to be set by SSH clients.</strong></p> |
| Server keepalive interval | The interval in seconds between which keepalive packets should be sent to the SSH server, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value is "2".                                                                                                                                                                                                                                                                                                                            |

### Terminal behavior parameters <a href="#id-.sshv2.x-terminalbehaviorparameters" id="id-.sshv2.x-terminalbehaviorparameters"></a>

In most cases, the default behavior of the Keeper Connection Manager terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Keeper's SSH support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the `TERM` environment variable.

| Field               | Description                                                                                                                                                                                                                                                                                                                                                                               |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Backspace key sends | The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent. |
| Terminal type       | The terminal type string that should be passed to the SSH server. This value will typically be exposed within the SSH session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.                                                                                                         |

## Connection Authentication Methods

Keeper Connections can be authenticated using one of the following methods:

* [**Launch Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#launch-credential)\
  The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.
* [**Personal/Private Credential**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#personal-private-credentials)\
  When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.
* [**Ephemeral Accounts**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/authentication-methods#ephemeral-account)\
  When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for [Just-In-Time access](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/just-in-time-access-jit) with no persistent account on the target system.

## Starting a Connection

Once you have configured the SSH Protocol connection on your PAM Machine Record, your record will contain the following connection banner with the "Launch" Button:

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FF3pvzsbKBHZ8Wj98YiMM%2FconnectionRecord.png?alt=media&#x26;token=9811c113-c5f3-4486-b284-12e54de8b47c" alt="" width="392"><figcaption></figcaption></figure>

In the above image, a Linux server has been configured on the PAM Machine Record. When clicking launch, the Vault Client will render a window with the established connection protocol to the specified target:

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FtiIvkE75oiwZ6sP4iSjH%2FScreenshot%202024-12-29%20at%207.47.48%E2%80%AFPM.png?alt=media&#x26;token=ca9a92df-4ad8-4d26-ad5e-35223ebf2f3b" alt=""><figcaption><p>SSH Session Launching</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FoGptJrsRae6sNNFv5Mag%2FScreenshot%202024-12-29%20at%205.50.21%E2%80%AFPM.png?alt=media&#x26;token=daf886ac-f3c9-43d8-8dbe-1280366f9791" alt=""><figcaption><p>SSH Session Active</p></figcaption></figure>

### File Transfers

#### Transfer In

If the SFTP file transfer feature is enabled, the user can drag and drop files into the terminal session to transfer the files to the machine.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FGUHA9hRGHzUZ07N2oMSA%2FScreenshot%202025-02-09%20at%208.15.45%E2%80%AFPM.png?alt=media&#x26;token=55f1b1fa-2a39-430e-b991-cceda12355ad" alt=""><figcaption><p>SFTP File Transfer Options</p></figcaption></figure>

Keeper supports one or more files transferred simultaneously through drag-and-drop.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F53Sn5P6KscJtt7usRQWh%2Fdrag-and-drop.png?alt=media&#x26;token=e07ef4fa-c6ad-49e0-acb4-64e0a042dd36" alt=""><figcaption></figcaption></figure>

While the files are being uploaded to the target machine, a file transfer status is displayed in the dock area of the Keeper Vault:

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FPAOewYiPjJuOgJsngzSX%2Fupload-progress.png?alt=media&#x26;token=50307229-bdbe-4704-bd53-f8485bda7681" alt=""><figcaption><p>File Upload Status</p></figcaption></figure>

#### Transfer Out

{% hint style="warning" %}
Ensure SFTP is enabled in the record's Connection Settings prior to initiating a transfer out in order for it to work.
{% endhint %}

To transfer files from the SSH remote connection to the local filesystem, you can download a tool called `guacctl` into the remote system and use it for performing outbound transfers.

Download `guacctl` and set as executable:

```
wget https://raw.githubusercontent.com/apache/guacamole-server/master/bin/guacctl
chmod +x guacctl
```

Initiate the file download using this syntax:

```
./guacctl -d <filename>
```

### SSH to Windows Servers

The SSH protocol can also be used to access Windows servers for execution of PowerShell commands or other administrative actions.

* Learn more on how to [activate SSH on Windows](https://docs.keeper.io/en/keeperpam/references/setting-up-ssh#windows)

## Session Recordings - SSH Protocol

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fm3ujLVowAlLGqlZ6ecVJ%2FScreenshot%202025-01-21%20at%2012.17.55%E2%80%AFPM.png?alt=media&#x26;token=3bac50e6-864a-4deb-ab79-e0b8a871a8ae" alt=""><figcaption><p>SSH Session Recordings</p></figcaption></figure>

For this protocol, both graphical and the full, raw text text content of terminal sessions, including timing information, are recorded. For more information on recordings and how to access these recordings, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback).

* Learn more about [Session Recording and Playback](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback)

## Connection Templates

The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

{% content-ref url="<https://github.com/Keeper-Security/gitbook-secrets-manager/blob/master/privileged-access-manager/connections/connection-templates/README.md>" %}
<https://github.com/Keeper-Security/gitbook-secrets-manager/blob/master/privileged-access-manager/connections/connection-templates/README.md>
{% endcontent-ref %}