Connecting to a Unix Host with Elevated Privileges
This Quick Take video demonstrates one of the fundamental functions of Xton Access Manager (XTAM): connecting to a Unix host with elevated privileges without exposing the credentials used to connect. This case is special because in Unix environments it is common, for security reasons, to block remote login with the elevated-privileges account (root). The usual technique for accessing the operating system with this account is to remote in with a low-privileged account first and then issue a switch-user command to the privileged account after login. In the generic case, the end user needs to know two sets of credentials: one for the low-privileged account used to remote in, and one for the privileged account to switch to after remoting in.
XTAM handles this case automatically using a special record type: Unix Host with SU. This record type allows host owners to configure a record for the host that contains two sets of credentials. When logging in, XTAM uses the first set of credentials to remote to the destination host and the second set to switch to the account with elevated privileges.
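The sequence this record type automates, a low-privileged SSH login followed by a switch to root, is also the pattern an auditor looks for in host logs. As an added example (not XTAM code and not part of the original post), the Python below correlates sshd and su syslog lines by user within a time window; the host name, user names, addresses and timestamps are constructed sample values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real captures): a low-privileged
# SSH login followed by a switch to root, a failed su, and an su with no
# preceding remote login.
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[2101]: Accepted password for deploy from 10.0.0.5 port 51022 ssh2
Mar  3 10:01:02 host1 sshd[2101]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 10:01:40 host1 su[2150]: (to root) deploy on pts/0
Mar  3 10:01:40 host1 su[2150]: pam_unix(su:session): session opened for user root by deploy(uid=1001)
Mar  3 10:30:00 host1 su[2300]: FAILED SU (to root) alice on pts/1
Mar  3 11:15:00 host1 su[2400]: (to root) bob on pts/2
"""

SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
# Only successful switches match; "FAILED SU (to root) ..." lines do not.
SU_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su\[\d+\]: \(to (\S+)\) (\S+) on (\S+)")


def _ts(text, year=2024):
    """Parse a syslog timestamp; syslog omits the year, so one is assumed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_remote_escalations(log_text, window=timedelta(minutes=10)):
    """Return (user, src_ip, target, su_time) for every successful su that
    follows an SSH login by the same user within `window`."""
    logins = {}  # user -> (login time, source address) of latest SSH login
    hits = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            logins[m.group(2)] = (_ts(m.group(1)), m.group(3))
            continue
        m = SU_RE.match(line)
        if not m:
            continue
        when, target, user = _ts(m.group(1)), m.group(2), m.group(3)
        login = logins.get(user)
        if login and timedelta(0) <= when - login[0] <= window:
            hits.append((user, login[1], target, when))
    return hits
```

Run against the sample, the function reports only the deploy account's switch to root; the failed su and the su without a preceding remote login are not reported.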
The video below demonstrates several key capabilities:
- Creating a record describing a Unix Host with SU
- Sharing a record with the ability to connect but without the option to see passwords
- Connecting to a remote host to gain access to a Unix shell with the privileged account without entering either of the two sets of credentials
The video itself is self-explanatory. However, several important points deserve emphasis:
- The remote Unix console is displayed directly in the client browser using HTML5. No special software is required on the client side, including ActiveX, applets or anything else. The connection looks the same in any modern HTML5 browser on a Windows or Linux desktop or on a mobile device. This approach simplifies deployment and maintenance of Xton Access Manager and provides better control over sessions.
- Xton Access Manager does not transmit the key used to connect to a remote console to the client browser. The credentials are used by the Xton server to connect to the remote console, but they are never transferred to the client desktop.
- The session can be recorded for later playback by administrators or auditors.
- An auditor or an administrator can join or terminate the session while it is in progress.
- A user can open multiple sessions to different remote computers or devices at the same time.
- A user can be granted permission to connect to a remote Unix console with or without session recording, in which case the user chooses the connection type. Alternatively, a user can be granted permission to connect to a remote computer with session recording only, in which case only the Connect button is available to the user in the Xton GUI.