# PAM Machine

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FETnLSTu5qYNj0xwMltI2%2FKeeperPAM%20Machine.jpg?alt=media&#x26;token=7f69333a-8f02-410f-8542-1882216994b6" alt=""><figcaption></figcaption></figure>

## Overview

A PAM Machine record is a type of KeeperPAM resource that represents a workload, such as a Windows or Linux server.

<table><thead><tr><th width="215">PAM Record Type</th><th>Supported Assets </th></tr></thead><tbody><tr><td>PAM Machine </td><td>Windows/macOS/Linux Machines, EC2 Instances, Azure VMs, GCP Compute Engine instances</td></tr></tbody></table>

## Features Available

The PAM Machine resource supports the following features:

* Password rotation
* SSH key rotation
* Zero-trust Connections using RDP, SSH, VNC, K8s and Telnet protocols
* TCP Tunnels
* Session recording
* Sharing access without sharing credentials
* File transfer through drag-and-drop

{% hint style="info" %}
Connecting to the PAM machine requires only that the Keeper Gateway has access to the target machine. The Keeper Vault operates independently and does not require direct connectivity to the machine, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the [network architecture diagram](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/system-architecture) for more details.
{% endhint %}

## Creating a PAM Machine

Prior to creating a PAM Machine, make sure you have already created a PAM Configuration. The PAM Configuration describes your target infrastructure (the environment the Gateway operates in), while the PAM Machine describes a single asset within it, such as a Windows or Linux server.

To create a PAM Machine:

* Click on **Create New**
* Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
* On the prompted window:
  * Select "**New Record**"
  * Select the Shared Folder you want the record to be created in
  * Specify the Title
  * Select "**Machine**" for the Target
* Click "**Next**" and complete all of the required information.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FYzn7xA4rI6mcsTSwW1pz%2FScreenshot%202024-12-26%20at%205.30.05%E2%80%AFPM.png?alt=media&#x26;token=a4e98fcc-37b0-4906-843e-b1bcd5bf5b4f" alt=""><figcaption><p>Creating a new PAM Machine record</p></figcaption></figure>

## PAM Machine Record Type Fields

The following table lists all the configurable fields on the PAM Machine Record Type:

<table><thead><tr><th width="168">Field</th><th width="253">Description</th><th>Notes</th></tr></thead><tbody><tr><td>Hostname or IP Address</td><td>Address of the machine resource</td><td><strong>Required</strong></td></tr><tr><td>Port</td><td>Port to connect on. The Gateway uses this to determine the administrative connection method (SSH or WinRM).</td><td><p><strong>Required</strong><br>Must be a port for SSH or WinRM</p><p>Keeper expects 22 (SSH), 5985 (WinRM over HTTP), 5986 (WinRM over HTTPS), or an alternative SSH or WinRM port specified in the PAM Configuration port mapping. Prefer 5986 where the target supports it, so the Gateway-to-target channel is protected by TLS.</p></td></tr><tr><td>Administrative Credentials </td><td>Linked PAM User credential used for connection and administrative operations</td><td><strong>Required</strong> <br>Visit this <a href="#pam-settings-and-administrative-credentials">section</a> for more details </td></tr><tr><td>PAM settings </td><td>This is where you configure Connection and Tunnel settings for this machine.</td><td><strong>Required</strong> <br>Visit this <a href="#pam-settings-and-administrative-credentials">section</a> for more details </td></tr><tr><td>Operating System</td><td>The target's Operating System</td><td>For your reference only</td></tr><tr><td>SSL Verification</td><td>When checked, the Gateway verifies the TLS certificate presented by the target when connecting</td><td>Only applies to certain databases and directories where TLS is optional; it has no effect on SSH, which authenticates hosts by host key rather than by certificate</td></tr><tr><td>Instance Name</td><td>Azure or AWS instance name</td><td><strong>Required</strong> if AWS/Azure Machine</td></tr><tr><td>Instance Id</td><td>Azure or AWS instance ID</td><td><strong>Required</strong> if AWS/Azure Machine</td></tr><tr><td>Provider Group</td><td>Provider Group of the Azure-hosted machine</td><td><strong>Required</strong> if Azure Machine</td></tr><tr><td>Provider Region</td><td>AWS region of the hosted machine</td><td><strong>Required</strong> if AWS Machine</td></tr></tbody></table>

## PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FHeovfKrm4CXGKwiIqq11%2FScreenshot%202025-01-01%20at%209.27.18%E2%80%AFAM.png?alt=media&#x26;token=b4e0a075-94bf-43da-aa25-bf684ab3a00d" alt=""><figcaption><p>PAM Settings and Administrative Credentials</p></figcaption></figure>

### PAM Settings

<table><thead><tr><th>Field</th><th width="233">Description</th><th>Required</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>Associated PAM Configuration record which defines the environment</td><td><strong>Required</strong></td></tr><tr><td>Administrative Credential Record</td><td>Linked PAM User credential used for connection and administrative operations</td><td><strong>Required</strong></td></tr><tr><td>Protocol</td><td>Native protocol used for connecting the session from the Gateway to the target</td><td><strong>Required</strong></td></tr><tr><td>Session Recording</td><td>Options for recording sessions and typescripts</td><td>See <a href="../../session-recording-and-playback">session recording</a></td></tr><tr><td>Connection Parameters<br>(multiple)</td><td>Connection-specific protocol settings which can vary based on the protocol type</td><td>Depends on protocol. We recommend specifying the <strong>Connection Port</strong> at a minimum. This is the port of the session protocol (for example RDP or VNC) and is separate from the record's Port field, which the Gateway uses for the administrative SSH or WinRM channel.</td></tr></tbody></table>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FGfUUKJYQrvyHbjH6wLC9%2FScreenshot%202025-01-01%20at%209.31.08%E2%80%AFAM.png?alt=media&#x26;token=acd71242-e88f-4283-8aa9-7d68c5dd96ae" alt=""><figcaption><p>PAM Settings for a PAM Machine resource</p></figcaption></figure>

Below are a couple of examples of PAM Machine records with Connections and Tunnels activated.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FrSy701IpEDZQukD6q7kh%2FScreenshot%202025-01-01%20at%209.39.22%E2%80%AFAM.png?alt=media&#x26;token=35cfb79d-a8b8-4e57-87b3-84921ab720d9" alt=""><figcaption><p>PAM Machine Record - Windows</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F3RtXTHeGIFJVRWtkORwj%2FScreenshot%202025-01-01%20at%209.41.18%E2%80%AFAM.png?alt=media&#x26;token=e3686b71-94f2-4d91-b43b-b7c9644142df" alt=""><figcaption><p>PAM Machine Record - Linux</p></figcaption></figure>

## Examples

Visit the following pages to set up:

* [Linux Machine](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-machine/example-linux-machine)
* [Azure Virtual Machine](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-machine/example-azure-virtual-machine)
