Osirium PAM can use both passwords and SSH keys for role-based connections where the device supports keys.

In general, SSH keys are the preferred method for connecting to cloud-based systems such as AWS and Azure. The prime reason is that a key has far more entropy than any password a person can remember, so it cannot be guessed or brute-forced the way a memorable password can.

It's important to remember that Osirium PAM proxies the connection between the client and the device. As part of this process it injects the key or credential on the server side before linking the proxied connection sockets to the client, so the user never sees or handles the secret.

This means that Osirium PAM can associate SSH keys with role-based accounts, and inbound identities can be policy-mapped to allow access to those accounts. Furthermore, provided the private keys are never moved out of PAM, only PAM can authenticate with them: a user cannot connect to the account directly and bypass the proxy, and there is no key on a workstation for an attacker to steal and reuse for lateral movement. This holds as long as the device's authorized_keys for the role account contains only PAM-managed keys and no other login method is left enabled for it.

SSH key support is configured on a per-template basis, so the device template needs a task like this example taken from our Ubuntu template. It creates the account's .ssh directory and authorized_keys file with the right ownership and mode, appends the new public key, and, if an old key is supplied (key rotation), removes it:

<task name="user_set_ssh_public_key" type="status">
  <command noecho="yes">sudo mkdir -p ~%(username)s/.ssh/</command>
  <command noecho="yes">sudo chown -R %(username)s:%(username)s ~%(username)s/.ssh/</command>
  <command noecho="yes">sudo touch ~%(username)s/.ssh/authorized_keys</command>
  <command noecho="yes">sudo chown %(username)s:%(username)s ~%(username)s/.ssh/authorized_keys</command>
  <command noecho="yes">sudo chmod 600 ~%(username)s/.ssh/authorized_keys</command>
  <command noecho="yes">sudo bash -c 'echo "%(ssh_public_key.new)s" >> ~%(username)s/.ssh/authorized_keys'</command>
  <success type="ci_match" value=""/>
  <failed type="default"/>

  <!-- Safely removes the old public key if it is provided. -->
  <command noecho="yes">sudo sed -i '\#%(ssh_public_key.old)s#d' ~%(username)s/.ssh/authorized_keys</command>
  <testexists name="ssh_public_key.old"/>

  <success type="ci_match" value=""/>
  <failed type="default"/>
</task>
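The same install-and-rotate procedure as a stand-alone POSIX shell script, added here as an example; it is not Osirium's template code and does not use the template engine's %(...)s substitutions. It assumes it runs as root on the device (the template prefixes every command with sudo), and the key material in its comments is constructed, not a real key. Two details deliberately differ from the template: the public key is validated before it is appended, and the old key is removed with a fixed-string, whole-line match rather than a sed address, because in the template's sed expression the key material (which contains '+', '/' and '.') is interpreted as a regular expression.

```shell
#!/bin/sh
# Added example, not Osirium's own template code. Installs and rotates a
# PAM-managed public key in a role account's authorized_keys, doing what the
# user_set_ssh_public_key task above does, but as a plain shell script.
# Assumption: run as root (the template prefixes each command with sudo).
set -eu

NL='
'

# Accept only a single OpenSSH public-key line: "<type> <base64> [comment]".
# A value containing a newline is rejected so that one "key" cannot smuggle
# a second authorized_keys entry into the file.
is_valid_pubkey() {
    case "$1" in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# rotate_key <authorized_keys path> <new public key> [old public key]
# Appends the new key unless it is already present (so re-runs are
# idempotent) and removes the old key with a fixed-string, whole-line match:
# '+', '/' and '.' in key material are never treated as regex operators.
rotate_key() {
    ak=$1; new=$2; old=${3:-}
    is_valid_pubkey "$new" || { echo "rejected malformed public key" >&2; return 1; }
    if [ -f "$ak" ] && grep -qxF -- "$new" "$ak"; then
        :   # already installed
    else
        printf '%s\n' "$new" >> "$ak"
    fi
    if [ -n "$old" ]; then
        tmp="$ak.tmp.$$"
        grep -vxF -- "$old" "$ak" > "$tmp" || true   # exit 1 only means no lines were left
        cat "$tmp" > "$ak"   # rewrite in place so ownership of the file is kept
        rm -f "$tmp"
    fi
    chmod 600 "$ak"
}

# install_key <username> <new public key> [old public key]
# Creates ~user/.ssh with the ownership and modes sshd's StrictModes expects
# (0700 directory, 0600 file, owned by the account), then rotates the key.
install_key() {
    user=$1; shift
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    rotate_key "$home/.ssh/authorized_keys" "$@"
    chown -R "$user:$user" "$home/.ssh"
}

# Example invocation (constructed key material, not real keys):
# install_key deploy \
#   'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNewKeyMaterial000000000000000 pam-role' \
#   'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOldKeyMaterial000000000000000 pam-role'
```

Because removal matches the whole line exactly, the old key passed in must be the line as it was installed (same comment included); that is the same requirement the template's sed address imposes, without the risk of a regex metacharacter deleting a different entry.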

These methods are supported in both PAM Express and the full version of the product.

If you’d like to know more, please watch the video below, or Contact us.

Demo video of SSH setup for PAM

Scott’s Simple SSH Setup for Privileged Access Management

Scott runs through using Osirium PAM for Privileged Access Management using SSH keys to Ubuntu Linux and AWS Platforms.

