Logon Accounts for SSH and Telnet Connections (2024)

This topic describes how to configure logon accounts for SSH and Telnet connections.

Overview

A logon account can be used to initiate sessions to machines that do not permit direct logon. When a logon account is associated with a privileged account, it will be used to log onto the remote machine and then elevate itself to the role of the privileged user.

As different types of machines might have different logon prompts or elevation commands, you can configure how PSM for SSH performs the logon process and the elevation to the privileged account by using the AutoLogonSequenceWithLogonAccount parameter.

This parameter defines a multiline sequence that is used by PSM for SSH during the automatic sign-on process. It contains regular expression prompts and responses that define the logon process and subsequent activities. The regular expressions can include dynamic values that PSM for SSH reads from the account properties, user parameters, or client-specific parameters, in this order. You can override this configuration at platform level.

For SSH connections, the logon account can use either password or SSH key authentication. If the logon account uses SSH key authentication, the associated privileged account must use password authentication.

The following example shows the process that takes place using a logon account.

Step 1:

Link a logon account to the account that cannot be used for direct logon, but will be used to run sessions on the remote machine. The following screen shows the Account Details page of the root account that will be used to run sessions on a remote machine. In this scenario, this account cannot be used to log onto the remote machine, so the UNIXSSH-help_logon-10.10.102.26 logon account has been associated with the account.

Step 2:

PSM for SSH connects to the remote machine automatically using the associated help_logon logon account and elevates the user to the privileged account. After the user runs the PSM for SSH connection command, a session is opened on the remote machine and the logon account is used to log on. In this example, after successfully logging on, the help_logon user issues the su command and elevates itself to the root user.

Automatic logon sequence

Define an automatic logon sequence with logon account

PSM for SSH works only with the PSMP-SSH connection component to perform SSH connections to targets. The configurations in the PSMP-SSH connection component affect all connections made with PSM for SSH. To change the configuration for some accounts, override the PSMP-SSH settings at platform level.
For example, you can configure the PSMP-SSH connection component with a setting for SSH connections, such as an AutoLogonSequenceWithLogonAccount value written for SSH. To define this setting for Telnet, create a platform for Telnet connections that overrides AutoLogonSequenceWithLogonAccount with a value suitable for Telnet connections.

  1. Log onto the Password Vault Web Access as a user with permission to configure platforms.

  2. Make sure that the Connection Client capabilities are configured for a logon account:

    The logon account capability is added automatically by the PSM installation. If your first PSM installation was PSM v7.0, enable the logon account capability manually as described below.

    1. Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.

    2. Select and expand Privileged Session Management, then expand General Settings.

    3. In Connection Client Settings, expand Capabilities.

    4. Right-click Capabilities, then from the pop-up menu, select Add Logon Account; a new Logon Account parameter is created.

    5. In the Logon Account properties, make sure that the following property values are specified:

    Property         Specifies
    Id               LogonAccount
    Description      LogonAccount
    Type             PasswordProtection
    IntegrationType  Embedded
    Format           NA

    These values are shown in the following window:

Specify the automatic logon sequence with the logon account:

For SSH connections:

To change the default automatic logon sequence with logon account for all SSH connections that will be done with the PSMP-SSH connection component:

  1. Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.

  2. Expand Target Settings and then expand Client Specific; a list of Client Specific parameters appears.

  3. Select AutoLogonSequenceWithLogonAccount, then in the Properties list, click the value of the Value property; the Value edit box appears.

  4. Specify the prompts and responses to include in the automatic logon process, using regular expressions and dynamic account properties to mimic the exact sequence that will be run on the remote machine.

    As prompts differ according to machine, it is important to make sure that you write the prompt exactly as the machine requires.

    Specify the command that will elevate the logon user to the user who will run sessions on the remote machine. Use regular expression prompts and responses with dynamic values, as shown in the following example:

    In each line, the text to the left of the ‘>’ (greater than sign) represents the regular expression for the prompt on the remote machine. The text to the right of the ‘>’ (greater than sign) represents the PSM for SSH response, including a dynamic reference to an account property.

    This response can include one or more dynamic references. PSM for SSH reads these references in the following order: account properties, user parameters, then client specific parameters.

    To specify ‘>’ as a character in the prompt, use the character code \x3e.

    Including the su path (/usr/bin/su) ensures that only this su file is accessed. The /usr/bin/su path is applicable for RHEL and Suse platforms. There might be platforms where the su file is located on another path, and you must replace the /usr/bin/su path with the correct su path for the platform. You can change the path in the PVWA options or on the platform configuration.

For Telnet connections:

To define an automatic logon sequence with logon account for your specific platform, override the AutoLogonSequenceWithLogonAccount client specific parameter of the PSMP-SSH connection component in the platform for Telnet connections, as follows:

  1. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  2. Select the platform to use for Telnet connections with logon account, then click Edit; the settings page for the selected platform appears.

  3. Expand UI & Workflows, and then expand Connection Components.

  4. Select the PSMP-SSH in the Connection Components section.

    If your platform was not configured to enable connections via PSM for SSH, configure the platform to enable connections via PSM for SSH first. For more information, refer to Configure Platforms for PSM for SSH Connections.

  5. Expand Target Settings, and then expand Client Specific; a list of Client Specific parameters appears.

  6. Right-click on Client Specific parameters, then select Add Multiline Parameter; a new parameter is added.

  7. In the Properties list, set the value of the Name property to AutoLogonSequenceWithLogonAccount.

  8. In the Properties list, click the Value property; the Value edit box appears.

  9. Specify the logon command that enables the logon account to log onto the remote machine.

  10. Specify the command that will elevate the logon user to the user who will run sessions on the remote machine.

  11. Specify the username and password of the user who will run sessions on the remote machine.

    In each line, the text to the left of the ‘>’ (greater than sign) represents the regular expression for the prompt on the remote machine. The text to the right of the ‘>’ (greater than sign) represents the PSM response, including a dynamic reference to an account property.

    This response can include one or more dynamic references. The PSM for SSH reads these references in the following order: account properties, user parameters, then client specific parameters.

    To specify ‘>’ as a character in the prompt, use the character code \x3e.

  12. Click OK; the logon sequence is displayed in the Value property as one line.

  13. Click Apply to apply the new configurations, or

  14. Click OK to save the new configurations and return to the System Configuration page.

  15. Restart the psmpsrv service to apply the configuration changes:

  16. At a command line, run the following commands:

    • RHEL7, SUSE11, SUSE12

      service psmpsrv stop
      service psmpsrv start
    • RHEL8

      systemctl stop psmpsrv
      systemctl start psmpsrv
  17. In the Account Details page of the account that will be used to run sessions on a remote machine, associate the account that will be used to log onto the remote machine.
  18. For more information about adding a linked account to new and existing accounts, refer to Create linked accounts.
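The following is an added example, not part of the original page or of the PSM for SSH product, that shows how a sequence in the "prompt regex>response" line format described in the SSH procedure (step 4) and the Telnet procedure (step 11) is parsed and played against a scripted remote session: each line is split at its first ‘>’ (so a ‘>’ inside a prompt must be written as \x3e), dynamic references in the response are resolved from account properties, then user parameters, then client-specific parameters, and a prompt that never appears fails the sequence the way the PSMSH059E message in the troubleshooting section describes. The {name} and {logonaccount\name} reference syntax and the sample credentials are assumptions made for this example.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample sequence in the page's "<prompt regex>><response>" format.
# The {name} / {logonaccount\name} reference syntax is an assumption for this
# example; the third prompt uses \x3e to match a literal '>' in the shell prompt.
SEQUENCE = r"""login:>{logonaccount\username}
[Pp]assword:>{logonaccount\password}
~ \x3e >/usr/bin/su - {username}
[Pp]assword:>{password}"""

# Constructed account properties; the logon account values are the linked account.
ACCOUNT = {"username": "root", "password": "root-pw", "address": "10.10.102.26",
           "logonaccount\\username": "help_logon", "logonaccount\\password": "logon-pw"}

# Constructed transcript: what the target printed before each step of the sequence.
REMOTE_OUTPUT = ["Welcome\r\nlogin: ", "Password: ",
                 "Last login: Mon\r\nhelp_logon@target:~ > ", "Password: "]

REF = re.compile(r"\{([^}]+)\}")


def parse_sequence(text: str) -> List[Tuple[Pattern, str]]:
    """Split each non-empty line at its first literal '>' into (prompt regex, response).
    A '>' that belongs to the prompt is written as \x3e, which the regex engine
    decodes to '>', so it never collides with the separator."""
    steps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ">" not in line:
            raise ValueError(f"missing '>' separator in line {line!r}")
        prompt, response = line.split(">", 1)
        steps.append((re.compile(prompt), response))
    return steps


def resolve(response: str, *scopes: Dict[str, str]) -> str:
    """Expand every {ref}, searching the scopes in the order they are given
    (account properties, user parameters, client-specific parameters)."""
    def lookup(m: re.Match) -> str:
        for scope in scopes:
            if m.group(1) in scope:
                return scope[m.group(1)]
        raise KeyError(m.group(1))
    return REF.sub(lookup, response)


def run_logon(sequence: str, remote_output: List[str], account: Dict[str, str],
              user_params: Dict[str, str], client_params: Dict[str, str]) -> List[str]:
    """Play the sequence against the scripted output; return the responses sent."""
    sent = []
    for i, (prompt, response) in enumerate(parse_sequence(sequence)):
        output = remote_output[i] if i < len(remote_output) else ""
        if not prompt.search(output):  # prompt never arrived: PSMSH059E situation
            raise RuntimeError("PSMSH059E Failed to execute login sequence: step "
                               f"{i + 1} expected {prompt.pattern!r}, got {output!r}")
        sent.append(resolve(response, account, user_params, client_params))
    return sent
```

Comparing the prompts in the sequence with what the target actually printed, as the troubleshooting steps suggest, is exactly what a mismatch at `prompt.search` surfaces here.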

Troubleshooting

The client ‘skips’ characters while imitating the login sequence

  1. In the relevant connection component, add the SendRateValue parameter in the Client Specific target settings.

  2. Set the parameter value to higher than 100 milliseconds.

  3. Save your configuration changes and restart the psmpsrv service.

The following message appears: PSMSH059E Failed to execute login sequence: Incorrect sequence defined in configuration, or network timeout occurred

  1. Make sure that the value of the AutoLogonSequence or the AutoLogonSequenceWithLogonAccount parameter is configured correctly.

  2. Compare the specified login sequence with the login sequence from the text recording file after a session fails.

    1. From the Client Specific target settings, remove the AutoLogonSequence or the AutoLogonSequenceWithLogonAccount parameter.

    2. Run the logon sequence again to make the client text record the session from the beginning.

    3. After the session fails, copy the prompts for the login sequence from the text recording file.

    4. In the Client Specific target settings, add the AutoLogonSequence or the AutoLogonSequenceWithLogonAccount parameter again.

    5. Save your configuration changes and restart the psmpsrv service.

  3. If the specified login sequence is identical to the recorded text and the error message is still displayed, set the value of the PromptTimeout parameter to a much higher value, for example 10000. Then save your configuration changes and restart the psmpsrv service.

Article information

Author: Reed Wilderman