Creating secure PAM SSH sessions using your own desktop client-side applications like PuTTY, SecureCRT or WinSCP

Ever find yourself stuck between the needs (and demands) of your Administrators, Developers and Contractors and the needs (and demands) of your Security department, Auditors and your CISO?

Your Administrators need quick, easy and efficient access to your business’s privileged accounts and systems, with minimal disruptions to their workflow in order to excel at their job. And trying to get them to use some other piece of software is absolutely out of the question.

On the other hand, you have Auditors and upper management demanding that you secure accounts, keys and access to all of these same systems. They want (and demand) audit reports, granular permissions, constant notifications and other safeguards so your business does not become the next victim of a security breach.

Enter Xton Access Manager (XTAM), which satisfies the very legitimate wants and demands of both sides: quick, easy and secure native-client, password-less access using their own desktop SSH clients (like PuTTY, OpenSSH and SecureCRT), while enforcing audit events, notifications, permissions, access requests and password rotation.

To learn about how XTAM can provide secure SSH Tunnel access, please read our SSH Tunnel article.

The following sections describe how to create secure SSH records in XTAM and then how to use these records in your native desktop clients.

Enabling SSH Proxy in XTAM

1. Log in to XTAM with a System Administrator account.

2. Navigate to Administration > Setting > Parameters.

3. Locate and modify the following settings:

   3a. SSH Proxy: Switch this option to Enabled and click the Save button to its right.

   3b. SSH Proxy Port: Use or change the port value that XTAM will use for the SSH proxy and click the Save button to its right.

XTAM SSH Proxy Admin Options

4. Once both settings have been updated and saved, restart the PamManagement service (Windows) or the pammanager service (Unix/Linux).

5. When the service is fully restarted (this can take 1-5 minutes), the SSH proxy module is online.

Creating an SSH session record in XTAM

1. In XTAM, create a new record using one of the available Unix types. This includes Unix Host (user and password auth), Unix Host with Key (user and SSH key auth), Unix Host with Protected Key (user, SSH key and passphrase auth), Unix Host with SU (user and password with switch user) or any custom record type that utilizes the SSH protocol.

2. Populate all the fields with your endpoint's connection details.

3. Click the Save and Return button.

Your record is now saved and under management in XTAM. All access to this record will be captured in the audit log, including Active and Completed sessions as well as keystrokes. Permissions and workflows can also be applied to your users or groups, ensuring only authorized personnel can access the record. Your CISO, Auditors and Security team are now smiling.

Using your SSH session record in a native SSH Client

Now it's time to make your Administrators, Developers and Contractors happy too.

1. Open your local SSH client (we will use PuTTY in our example, but most other SSH clients function similarly) and create a new session.

2. In the Host Name field, enter the hostname of your XTAM server (for example: xtam.company.com).

3. In the Port field, enter the port number you assigned in the XTAM configuration from the previous section (the default port in XTAM is 2022).

4. For the Connection Type, select SSH.

5. Save the session and then Open the SSH connection.

XTAM PuTTY Session Connection

6. When PuTTY prompts for a "login as" account, enter a user string in the following format:

YourXTAMLoginName#XTAMrecordName or YourXTAMLoginName#XTAMrecordID

For example, if your login to XTAM was the username bwilliams and the XTAM record that contains the SSH details has the name Unix Production Server and ID 41603, then the login string would be bwilliams#Unix Production Server or bwilliams#41603.

When using the record Name to define the connection string, the record Name must be unique in XTAM. If the name is not unique, the connection will fail and you should use its record ID instead.

XTAM PAM PuTTY Login As Prompt

A # (hash), % (percent) or : (colon) character may be used as the separator between the login and record ID (or Name) values.

The record's ID can be found in the URL when viewing the record's Details (for example: https://xtam.company.com/xtam/records/record_view/41603/type).

If you do not know the record ID or Name, you can access the XTAM SSH Proxy Interface to display and select from a list of available records for connection. You can reach this Proxy Interface simply by not specifying a record ID or Name. For additional information, please read the XTAM SSH Proxy Interface article.

7. Press your Enter key.

8. You will now observe that an Authentication Banner is displayed to illustrate that the session is being provided via the XTAM Secure Shell Proxy.

XTAM PAM PuTTY Authentication Banner

9. At the Password prompt, enter the password for your XTAM login.

MFA/SAML logins are not currently supported for SSH Proxy sessions using native tools; for those logins, use browser sessions instead.

XTAM PAM PuTTY Password Prompt

10. Press your Enter key to complete the authentication process.

11. After a few moments, you will be connected to the remote SSH endpoint using the secured connection details in the referenced XTAM record.

XTAM PAM PuTTY Active Session

12. To confirm that the session is being provided via XTAM, navigate to the Session tab of this record and note that there is now an Active session using this record. You can also execute commands in the PuTTY session and see them appear in the XTAM event log.

XTAM PuTTY Active Session Log Event

XTAM PuTTY Active Session Keystroke Event Report

Example using Command or Terminal Prompt

XTAM SSH Proxy Terminal Command Prompt Configuration
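
The PuTTY steps above map directly onto OpenSSH from a terminal, but the login string needs care there: a record Name such as "Unix Production Server" contains spaces, and the ':' separator collides with sftp's own host:path syntax. The following helpers are an added example written for this article, not Xton's own code or tooling. The function names, the XTAM_HOST/XTAM_PORT defaults (taken from the article's sample hostname and default port), and the assumption that the proxy also serves sftp (which the WinSCP example suggests) are mine; nothing in the block opens a network connection, it only prints the command lines and a ~/.ssh/config stanza for you to run.

```shell
#!/bin/sh
# Added example (not XTAM's code): build the "login#record" string the XTAM
# SSH proxy expects and the matching OpenSSH command lines.
# Assumed here, not stated in the article: the defaults below, the function
# names, and that the proxy serves sftp as well as interactive ssh.

XTAM_HOST="${XTAM_HOST:-xtam.company.com}"   # sample hostname from the article
XTAM_PORT="${XTAM_PORT:-2022}"               # XTAM's default SSH proxy port

# Single-quote a string for safe pasting into a shell, so a record Name with
# spaces reaches ssh as one argument. Embedded quotes become '\''.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# xtam_login_string LOGIN RECORD [SEP]
# Emits LOGIN<SEP>RECORD. SEP must be one of the separators the proxy accepts
# ('#', '%' or ':'); '#' is used when none is given. Returns 1 on bad input.
xtam_login_string() {
  login=$1 record=$2 sep=${3:-'#'}
  [ -n "$login" ] && [ -n "$record" ] || return 1
  case "$sep" in '#'|'%'|':') ;; *) return 1 ;; esac
  # A separator character inside the login name would make the string ambiguous.
  case "$login" in *'#'*|*'%'*|*':'*) return 1 ;; esac
  printf '%s%s%s\n' "$login" "$sep" "$record"
}

# xtam_record_id_from_url URL
# Pulls the numeric record ID out of a record Details URL, e.g.
# https://xtam.company.com/xtam/records/record_view/41603/type -> 41603
xtam_record_id_from_url() {
  case "$1" in */records/record_view/*) ;; *) return 1 ;; esac
  id=${1##*/record_view/}     # drop everything up to and including record_view/
  id=${id%%/*}                # keep only the path segment that follows it
  case "$id" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "$id"
}

# xtam_ssh_command TOOL LOGIN RECORD [SEP]
# Prints the OpenSSH command line for TOOL (ssh or sftp) through the proxy.
# ssh receives the login string via -l, so it is never parsed out of a
# user@host token. sftp has no -l and reads ':' as its host:path separator,
# so ':' is refused for sftp; use '#' (the default) there.
xtam_ssh_command() {
  tool=$1
  target=$(xtam_login_string "$2" "$3" "$4") || return 1
  case "$tool" in
    ssh)  printf 'ssh -p %s -l %s %s\n' "$XTAM_PORT" "$(shquote "$target")" "$XTAM_HOST" ;;
    sftp) case "$target" in *:*) return 1 ;; esac
          printf 'sftp -P %s %s\n' "$XTAM_PORT" "$(shquote "$target@$XTAM_HOST")" ;;
    *)    return 1 ;;
  esac
}

# xtam_ssh_config_stanza ALIAS LOGIN RECORD
# Prints a ~/.ssh/config stanza so that "ssh ALIAS" goes through the proxy.
# The '#' separator is used; the double quotes are ssh_config quoting and
# keep the spaces (and the '#') of a record Name together as one value.
xtam_ssh_config_stanza() {
  target=$(xtam_login_string "$2" "$3" '#') || return 1
  printf 'Host %s\n    HostName %s\n    Port %s\n    User "%s"\n' \
    "$1" "$XTAM_HOST" "$XTAM_PORT" "$target"
}

# Demonstration with the article's sample values (constructed, not a live system).
xtam_demo() {
  xtam_ssh_command ssh  bwilliams 41603
  xtam_ssh_command ssh  bwilliams 'Unix Production Server'
  xtam_ssh_command sftp bwilliams \
    "$(xtam_record_id_from_url 'https://xtam.company.com/xtam/records/record_view/41603/type')"
  xtam_ssh_config_stanza xtam-prod bwilliams 41603
}
xtam_demo
```

Two things to keep in mind when you run the printed commands: the host key offered on first connection belongs to the XTAM proxy, not to the endpoint in the record (that is how any SSH proxy works), so confirm its fingerprint with your XTAM administrator before accepting it into known_hosts; and, as the article notes, the password prompt takes your XTAM login password, which rules out MFA/SAML accounts on this path.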

Example using SecureCRT

XTAM SecureCRT Configuration

Example using WinSCP

XTAM WinSCP Configuration

Copyright © 2018 Xton Technologies, LLC. All rights reserved.