How to manage SSH keys for CyberArk Vault users

Modified on Sun, 9 Aug, 2020 at 10:18 AM

Problem:


When configuring or using PKI authentication in CyberArk, additional steps are required if that authentication method also has to work for components other than the PVWA (such as PSMP).



Solution:


CyberArk supports both Vault-local and LDAP users, and each type stores and manages the key differently. Vault-local users keep the public key inside the Vault, where it can be read or modified through the REST API; LDAP users keep it in an Active Directory attribute. Follow the steps below for the user type you need.

Additional info on the matter can be found here:

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Configuring-Management-of-Users-Public-SSH-Keys.htm


Note: Only one of the two configurations can be active at a time, because LDAPUserSSHKeysManagement points the Vault either at its own key store or at the LDAP attribute.


CyberArk Local users

  1. Log in to the PVWA, go to Administration > Options and navigate to Privileged Session Management > General Settings > Server Settings. Make sure that LDAPUserSSHKeysManagement is set to Vault.
  2. Create a key pair using one of the allowed and supported methods.
  3. Use the CyberArk REST API to upload the public key from step 2 to the relevant user in CyberArk.
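
The upload in step 3, as an added example that is not part of this article or of CyberArk's own tooling. It assumes a placeholder PVWA host (pvwa.example.com), an administrative account named in the PVWA_ADMIN environment variable, and the endpoint paths of CyberArk's documented Logon and Add Public SSH Key REST methods; confirm those paths against the PVWA version you run. The public key is validated as an OpenSSH public key line before anything is sent, because the most common failure is uploading a private key, a .ppk file or a certificate by mistake.

```python
"""Upload an OpenSSH public key to a Vault-local CyberArk user through the PVWA REST API.

Added example, not CyberArk code. Assumes LDAPUserSSHKeysManagement is set to Vault.
PVWA_URL is a placeholder host; the endpoint paths follow CyberArk's documented
Logon and Add Public SSH Key REST methods and should be confirmed against your
PVWA version.
"""
import getpass
import json
import os
import re
import sys
import urllib.parse
import urllib.request

PVWA_URL = "https://pvwa.example.com"  # placeholder, not a real host

# One OpenSSH public key line: key type, base64 blob, optional comment.
_PUBKEY_RE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/]+=*)(?: .*)?$"
)


def normalize_public_key(text: str) -> str:
    """Return 'type base64' with the comment dropped, or raise ValueError.

    Rejects what people paste by mistake: a private key, a .ppk file,
    a PEM certificate, or a comment-only fragment.
    """
    match = _PUBKEY_RE.match(text.strip())
    if not match:
        raise ValueError("not an OpenSSH public key line (expected 'ssh-rsa AAAA...')")
    return f"{match.group(1)} {match.group(2)}"


def logon_request(base_url: str, username: str, password: str) -> urllib.request.Request:
    """POST /PasswordVault/API/auth/Cyberark/Logon; the JSON response body is the session token."""
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        f"{base_url}/PasswordVault/API/auth/Cyberark/Logon",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )


def add_key_request(base_url: str, token: str, vault_user: str, public_key: str) -> urllib.request.Request:
    """POST the key to the user's SSHKeyAuthentication/AuthorizedKeys collection.

    The session token goes in the Authorization header as-is (no 'Bearer' prefix).
    """
    body = json.dumps({"PublicSSHKey": normalize_public_key(public_key)}).encode()
    path = (
        "/PasswordVault/WebServices/PIMServices.svc/Users/"
        f"{urllib.parse.quote(vault_user, safe='')}"
        "/AuthenticationMethods/SSHKeyAuthentication/AuthorizedKeys/"
    )
    return urllib.request.Request(
        base_url + path,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": token},
    )


def send(request: urllib.request.Request):
    """Send a request and return the decoded JSON body (TLS verification stays on)."""
    with urllib.request.urlopen(request, timeout=30) as response:
        raw = response.read()
    return json.loads(raw) if raw else None


def main() -> None:
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <vault-user> <id_rsa.pub>")
    vault_user, pub_path = sys.argv[1], sys.argv[2]
    with open(pub_path, encoding="utf-8") as fh:
        public_key = fh.read()
    admin = os.environ.get("PVWA_ADMIN", "Administrator")
    token = send(logon_request(PVWA_URL, admin, getpass.getpass(f"{admin} password: ")))
    result = send(add_key_request(PVWA_URL, token, vault_user, public_key))
    print(json.dumps(result, indent=2))  # includes the KeyID the Vault assigned to this key
    send(urllib.request.Request(f"{PVWA_URL}/PasswordVault/API/Auth/Logoff", data=b"",
                                method="POST", headers={"Authorization": token}))


if __name__ == "__main__":
    main()
```

A Vault-local user can hold several keys: each upload gets its own KeyID, a GET on the same AuthorizedKeys URL lists them, and a DELETE on that URL with the KeyID appended removes one (per the same section of the REST API documentation), so rotation is add the new key, test it, then delete the old one.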

CyberArk LDAP Users

  1. Log in to the PVWA, go to Administration > Options and navigate to Privileged Session Management > General Settings > Server Settings. Make sure that LDAPUserSSHKeysManagement is set to LDAP.
  2. Create a key pair using one of the allowed and supported methods.
  3. Extract the public ssh-rsa key from the certificate. Example of how to do that using PuTTY-CAC:
    1. Get the latest version of PuTTY-CAC from here:
      https://github.com/NoMoreFood/putty-cac/releases
    2. Run PuTTY-CAC, go to Connection > SSH > Certificate and press the Set CAPI Cert button. In the pop-up window, select the certificate stored on the smart card and press OK.
    3. Press the Copy to Clipboard button and paste the result into Notepad. You only need the SSH public key, which starts with ssh-rsa AAAAB3Nza... and ends before CAPI:...; drop CAPI: and everything after it.
  4. Open Active Directory Users and Computers, find the user account and open its properties. Go to the Attribute Editor tab.
  5. Find the altSecurityIdentities attribute and, if you are not already using it for something else, paste the SSH key there (ssh-rsa AAAAB3NzaC1yc2...). If it is in use, create a new attribute or use another unused attribute.
  6. Go to PVWA Options > LDAP Integration and, in MicrosoftADProfile.ini, set UserSSHPublicKey to the name of the attribute in which the public SSH key is stored. In our case: altSecurityIdentities.
  7. Restart the PSMP service: service psmpsrv restart
  8. In the PrivateArk Client, delete the transparent user you are testing with. It will be recreated automatically when that user logs in for the first time.
    Note: At this moment in time, I did not find a way to get this to work with an existing user.
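
Steps 3 to 5 above come down to one thing: the attribute named by UserSSHPublicKey must hold exactly one line of the form ssh-rsa <base64>, with PuTTY-CAC's CAPI: comment and any trailing newline removed. The following is an added example, not from this article, CyberArk or PuTTY-CAC, that does that cleanup, decodes the blob to confirm it really is an RSA public key (RFC 4251 string "ssh-rsa", mpint e, mpint n) and reports the modulus size, then emits the LDIF change for the chosen attribute. The clipboard text, the 2048-bit number used as a modulus, the CAPI thumbprint and the user DN are constructed for the demo.

```python
"""Clean PuTTY-CAC 'Copy to Clipboard' output into the one-line ssh-rsa value
that the attribute named by UserSSHPublicKey (altSecurityIdentities in the
article) must hold, and check the value really is an RSA public key first.

Added example, not from the article, CyberArk or PuTTY-CAC. The clipboard text,
the 2048-bit modulus and the CAPI thumbprint below are constructed for the demo.
"""
from __future__ import annotations

import base64
import struct

SSH_RSA = b"ssh-rsa"


def _read_string(blob: bytes, pos: int) -> tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 big-endian length, then bytes) at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[pos + 4:end], end


def parse_ssh_rsa(key_line: str) -> tuple[int, int]:
    """Decode 'ssh-rsa <base64>' into (e, n); raise ValueError for anything else.

    The blob is: string 'ssh-rsa', mpint e, mpint n, and nothing after that.
    """
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected a line starting with 'ssh-rsa '")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != SSH_RSA:
        raise ValueError(f"blob says {key_type!r}, not ssh-rsa")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing bytes after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def extract_attribute_value(clipboard_text: str) -> str:
    """Keep only 'ssh-rsa <base64>' from what PuTTY-CAC put on the clipboard.

    PuTTY-CAC appends 'CAPI:<certificate thumbprint>' as the key comment so it
    can find the smart-card certificate again; that comment, and any stray
    line ending, must not end up in the AD attribute.
    """
    tokens = clipboard_text.strip().split()
    if len(tokens) < 2 or tokens[0] != "ssh-rsa":
        raise ValueError("clipboard text does not start with 'ssh-rsa <base64>'")
    value = f"{tokens[0]} {tokens[1]}"
    parse_ssh_rsa(value)  # structural check before anything is written to AD
    return value


def key_bits(key_line: str) -> int:
    """Modulus size in bits; anything under 2048 deserves a second look."""
    return parse_ssh_rsa(key_line)[1].bit_length()


def ldif_modify(user_dn: str, attribute: str, value: str) -> str:
    """LDIF that adds the key to the attribute UserSSHPublicKey points at."""
    return "\n".join(
        [f"dn: {user_dn}", "changetype: modify", f"add: {attribute}", f"{attribute}: {value}", "-", ""]
    )


# --- constructed sample input (not a real key or certificate) -----------------
def _encode_ssh_rsa(e: int, n: int) -> str:
    """Inverse of parse_ssh_rsa; used only to build the demo key below."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0x00 when the high bit is set
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", len(SSH_RSA)) + SSH_RSA + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | (1 << 1024) | 0x10001  # 2048-bit odd number, not a real RSA modulus
SAMPLE_KEY = _encode_ssh_rsa(SAMPLE_E, SAMPLE_N)
SAMPLE_CLIPBOARD = SAMPLE_KEY + " CAPI:0123456789abcdef0123456789abcdef01234567\r\n"  # placeholder thumbprint

if __name__ == "__main__":
    value = extract_attribute_value(SAMPLE_CLIPBOARD)
    print(f"{key_bits(value)}-bit RSA key; attribute value:\n{value}\n")
    print(ldif_modify("CN=jdoe,OU=Users,DC=example,DC=com", "altSecurityIdentities", value))
```

The LDIF can be applied with ldifde -i -f <file> on a domain controller or with ldapmodify, which is easier to review and repeat than pasting into the Attribute Editor. The check in step 5 matters because altSecurityIdentities is also the attribute Windows uses for explicit certificate-to-account mappings (values starting with X509:); if it already holds such a value, use another unused attribute and point UserSSHPublicKey at that one instead.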
