Remote Connection to SSH-based Devices Using SSH Keys

PAM360 allows you to launch remote connections to SSH command-based remote systems directly from the PAM360 web interface through SSH keys. This feature is in addition to its ability to launch remote connections using the corresponding user account's login credentials. To launch remote connections through SSH keys, you need to associate the SSH keys with the required accounts. This document discusses the procedure to achieve this.

1. Associating keys with accounts

   1.1 Creating a new SSH key and associating it with an existing account

   1.2 Associating an existing key with a new account

   1.3 Associating an existing key with an existing account

   1.4 Enabling private key login option for an existing account

2. Enabling PKI authentication option for remote password reset

1. Associating SSH Keys with Accounts

You can enable remote connections through SSH keys using the option Use private key to login to this account instead of password available while creating an account or an SSH key. However, for the remote connection to work via the private key, you need to associate the SSH keys with the required accounts. There are four different ways of associating keys with accounts before enabling the private key login.

Notes:

1. Although it is possible to associate one SSH key with multiple user accounts through the Key Actions >> Associate Keys option, as a best practice, it is recommended to associate only one SSH key per account to preserve data security.

2. We strongly recommend the Map private key to locally, if remote key association fails option only for the cases, where the target server is reachable only through a jump server.

Prerequisite

Before proceeding with the steps, check if the private key option is enabled for the Linux resource type. If not, follow the below steps to enable the option:

1. Navigate to Admin >> Resource Config >> Resource Types.
2. Click the edit icon beside the 'Linux' resource type.
3. Under Account Attributes, enable the Private Key option and click Save.

1.1 Creating a New SSH Key and Associating it with an Existing Account

1. Navigate to the Resources tab and click the resource under which the required accounts are added.
2. Select the required account and click Create and Deploy from the Key Actions drop-down at the top.

   

3. In the pop-up form that appears, enter the details such as Key Comment, Key Type and Key Length. Click Deploy to save the changes. The newly created key will be associated with the selected account.

   

4. To associate an existing key with an existing account, select the required account, navigate to Key Actions >> Associate Keys to choose the key.
5. Select the checkbox Use private key to login to this account instead of password to authorize remote connections using SSH keys instead of account credentials.
6. Select the checkbox Map private key locally, if remote key association fails to force map SSH keys to user accounts, even if the target systems are not reachable. (See Note: 2)
7. Click Associate to save changes.

   

Note: Click here this to learn how to create a key from the SSH Keys tab and then associate it with an account.

1.2 Associating an Existing Key with a New Account

You can still import an existing SSH key created using a key generation tool into PAM360, even if you do not have the SSH Keys tab activated in your environment. Create a new account and add the existing key to it. Follow the below steps:

1. Follow these steps to create the new account. In the process, select the checkbox Use private key to login to this account instead of password to authorize remote connections using SSH keys instead of account credentials.
2. Select the checkbox Map private key locally, if remote key association fails (shown in the below screenshot) to force map SSH keys to user accounts, even if the target systems are not reachable. (See Note: 2) 
3. Click Save to add the account.

   

Note: By design, the user account name and password fields cannot be left empty even when the private key option is enabled. However, you can use the random password generator available beside the Password field to create a dummy password for an account.

1.3 Associating an Existing Key with an Existing Account

You can also add an existing key to an existing account using the Import SSH Keys option. Follow the below steps:

1. Navigate to the Resources tab and click the resource name. In the Account Details pop-up window, select the required account.
2. Go to Key Actions >> Import SSH Keys. You will be prompted to browse and add the key, along with the Key name and passphrase details.

   

3. Select the checkbox Map private key locally, if remote key association fails to force map SSH keys to user accounts, even if the target systems are not reachable. (See Note: 2)
4. Click Save to import the SSH key into PAM360.

   

1.4 Enabling Private Key Login Option For an Existing Account

If the remote login using private key option is not enabled during the account creation or key association, you can enable the same by editing the account details.

Follow these steps to edit the existing account. In the process, select the checkbox Use private key to login to this account instead of password (shown in the below screenshot) to authorize remote connections using SSH keys instead of account credentials.

2. Enabling PKI Authentication Option for Remote Password Reset

Note: This step is necessary only if you want to use a particular account to carry out remote password reset. To simply launch SSH connections using SSH Keys, PKI authentication need not be enabled.

Use the PKI authentication option to carry out remote password reset through the account which launches remote connection using SSH keys. To enable this option:

1. Navigate to the Resource tab and click Resource Actions >> Configure Remote Password Reset beside the required resource.
2. Under Configure Linux Password Reset, choose the account which has the private key option enabled as the Remote Login Account.
3. Now choose Use PKI Authentication and click Save.