PAM Administration Accounts – Part 2 PDF
CyberArk University
2023
Summary
This presentation discusses PAM Administration, specifically focusing on linked accounts and SSH key management. It explores logon and reconcile accounts, root account best practices, resolving root password issues, and the process for managing SSH keys within the CyberArk platform.
Full Transcript
PAM Administration Accounts – Part 2
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session, you will be able to:
1. Describe and configure linked accounts:
   - Logon accounts
   - Reconcile accounts
2. Describe and configure SSH key management

Linked Accounts
There are two types of linked accounts commonly used and supported by default for most platforms:
- Logon account
- Reconcile account

Logon Account

Root Account Best Practices
The root user is often prevented from logging in remotely as part of best practices (in /etc/ssh/sshd_config: PermitRootLogin no), so a direct login with username "root" is refused:

    Using username "root".
    [email protected]'s password:
    Access denied

The solution is to log in as a user with the authorization to switch to root, and to perform the password change from that session:

    login as: logon01
    [email protected]'s password:
    [logon01@centos-target01 ~]$ su - root
    Password:
    [root@centos-target01 ~]# passwd
    Changing password for user root.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@centos-target01 ~]#

Root Password Change Failure
If the SSH policy on the target machine forbids root logon, the CPM will not be able to verify or change the root password.

Associate Logon Account
The solution is to onboard a non-privileged account that the CPM can use to connect and then switch to root in order to perform the password change. This account is the Logon Account. To use a Logon Account, you need to link it to the root account.

Root Password Change Success
Now that we have specified a logon account, when we re-run a password change, we will see that the PasswordManager user has changed the password.
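The check behind the failure above and its fix, as an added example that is not part of the CyberArk deck: a POSIX shell script that reads a target's sshd_config the way sshd does (the first value obtained for a keyword wins, keywords are case-insensitive, and global settings end at the first Match block) and reports whether the CPM could log in directly as root with a password or whether the root account needs a linked logon account. Two caveats the slide does not spell out are built in: OpenSSH 7.0 and later default PermitRootLogin to prohibit-password, which refuses a root password login even when the file never says "no", and PasswordAuthentication no blocks it just the same. The sample configurations, the modern-sshd default assumption and the function names are mine, not CyberArk's.

```shell
#!/bin/sh
# Added example, not CyberArk code: determine from a target's sshd_config whether
# the CPM could log in directly as root with a password, or whether root needs a
# linked logon account. Rules from sshd_config(5): keywords are case-insensitive,
# the FIRST value obtained for a keyword is used, and global settings end at the
# first "Match" block (values inside Match are conditional, not global).

# Print the effective global value of KEYWORD in FILE (lowercased); nothing if unset.
sshd_effective() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        { gsub(/=/, " ") }                              # "Key=value" form -> "Key value"
        tolower($1) == "match" { exit }                 # end of the global section
        tolower($1) == want && !found { found = 1; val = tolower($2) }
        END { if (found) print val }
    ' "$file"
}

# Succeed only if a root *password* login would be accepted: PermitRootLogin must
# be "yes" (not no / prohibit-password / forced-commands-only) and password
# authentication must not be switched off.
root_password_login_allowed() {
    prl=$(sshd_effective "$1" PermitRootLogin)
    prl=${prl:-prohibit-password}    # default when absent (assumption: OpenSSH >= 7.0)
    pw=$(sshd_effective "$1" PasswordAuthentication)
    pw=${pw:-yes}                    # sshd default when absent
    [ "$prl" = "yes" ] && [ "$pw" = "yes" ]
}

# One-line verdict for an operator or an onboarding script.
root_rotation_verdict() {
    if root_password_login_allowed "$1"; then
        echo "direct: CPM can verify and change root's password by logging in as root"
    else
        echo "logon-account: link a logon account; CPM logs in as it and runs 'su - root'"
    fi
}

demo() {
    hardened=$(mktemp); permissive=$(mktemp)
    cat >"$hardened" <<'EOF'
# constructed sample: a hardened target such as centos-target01
Port 22
PasswordAuthentication yes
PermitRootLogin no
# sshd ignores this second value: the first one wins
PermitRootLogin yes
Match User logon01
    PermitRootLogin yes
EOF
    cat >"$permissive" <<'EOF'
# constructed sample: a legacy target that still lets root in with a password
PermitRootLogin yes
EOF
    for f in "$hardened" "$permissive"; do
        printf '%s -> PermitRootLogin=%s: %s\n' "$f" \
            "$(sshd_effective "$f" PermitRootLogin)" "$(root_rotation_verdict "$f")"
    done
    rm -f "$hardened" "$permissive"
}
[ -z "${DEMO:-}" ] || demo
```

Run with `DEMO=1 sh check_root_login.sh` to see both verdicts. The same two functions can be pointed at a file fetched over the logon account (`ssh logon01@target cat /etc/ssh/sshd_config`) before onboarding, so the platform is configured with a logon account up front instead of after the first failed change.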
Note that the logon account is also used when connecting to the target system through the PSM.

Reconcile Accounts

Reconciliation – Unknown Password
Reconciliation is used for situations where we don't know a password, or where the use of individual passwords would be too onerous.
The verification process discovers passwords that are not synchronized with their corresponding password in the Vault, and we can configure the CPM to reset the password both in the Vault and on the target.

Associating a Reconcile Account
Manual reconciliation is enabled by default. Automatic reconciliation must be enabled. A reconcile account is typically a Domain account with sufficient rights to perform a password change.

Failed Verify and Reconcile Process
Verify (Vault, CPM, Target):
1. The CPM scans the Vault for accounts and receives the current credentials.
2. The CPM logs in to the target using the current credentials.
3. The login fails and the account is flagged.
Reconcile:
4. The CPM scans the Vault for accounts and receives the current credentials.
5. The CPM generates a new password, connects to the target with the reconcile account and runs a password reset.
6. The target reports success or failure.
7. The CPM logs in using the new credentials.
8. The CPM stores the new credentials in the Vault, which reports success or failure.

Manual Reconciliation

Logon Account vs. Reconcile Account
Logon Account:
- Used when a user is prevented from logging on and the password is known
- Used on a regular basis, e.g. it is common to block root access via SSH
- A 'super user' such as root should not be used as a logon account
Reconcile Account:
- Used for 'lost' or unknown passwords
- Should be used infrequently
- Needs to have elevated privileges (member of local administrators)
- This account is usually a service account reserved for this purpose
SSH Key Management

SSH – Password Authentication

    [root@centos-target01 ~]# ssh [email protected]
    The authenticity of host '10.0.1.16 (10.0.1.16)' can't be established.
    RSA key fingerprint is b0:38:8a:73:92:14:2a:92:f4:fa:25:68:5b:4e:80:77.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.0.1.16' (RSA) to the list of known hosts.
    [email protected]'s password: ********
    [root@psmp-psmgw ~]#

1. The client launches the connection.
2. The server presents its public host key. On a first connection the client shows the key's fingerprint and asks whether to trust it; answering "yes" stores the key in known_hosts, so the fingerprint should be compared with a value obtained out of band before answering.
3. Client and server negotiate a symmetric session key. All further communication is encrypted with the symmetric session key.
4. The user enters the account password and the server authenticates it.
(Diagram: SSH user John, the trust relationship, and the target Linux server 192.168.47.172, accessed as root.)

SSH – Asymmetric Key Authentication
To authenticate with SSH keys, the user must first generate a public/private key-pair locally on her machine and then install the public key in her user directory on the target server (or servers), typically through a password-authenticated session. Once that is done, the user can authenticate using the SSH keys. She launches a connection to the remote server and offers her public key; the server checks that the key is authorized for the account. The client then proves possession of the private key by signing a message that includes the unique identifier of this session with the private key, and the server verifies the signature with the user's public key. Only the holder of the private key can produce a valid signature, and because the signed data is tied to this session it cannot be replayed against another connection, so a valid signature proves that the user has the private half of the key-pair. The server therefore allows the connection to be established. The private key never leaves the user's machine.

SSH Key Advantages
- SSH keys allow a substantially longer secret between client and server than a password.
- The secret is never transmitted over the network.
- One private key can be used to access multiple systems.
(Diagram: one root private key trusted by 192.168.41.37 FTP primary Server, 192.168.41.38 FTP backup Server, 192.168.40.4 Billing Application and 192.168.40.5 Billing backend Server.)

SSH Key Disadvantages
- One private key can be used to access multiple systems. If it is compromised, all the systems that trust it are vulnerable.
- SSH keys are more difficult to change than passwords, because the new public key must be installed, and the old one removed, on every system that trusts the key.
(Diagram: the same root private key trusted by 192.168.41.37 FTP primary Server, 192.168.41.38 FTP backup Server, 192.168.40.4 Billing Application and 192.168.40.5 Billing backend Server.)

SSH Key Manager
- Creates unique key-pairs for each target system.
- Private keys are stored in the Vault, not on user workstations.
- The CPM changes key-pairs often and automatically disseminates public keys to target systems.
- End users retrieve the private key from the Vault to authenticate to the target system.
(Diagram: separate root key-pairs for 192.168.41.38 FTP backup Server and 192.168.40.4 Billing Application.)

Adding Keys to the Vault
SSH keys can share a Safe with passwords, but they need their own Platforms. You can select the file containing the private key or copy and paste it. Because onboarding a key into CyberArk means the private key has been handled outside the Vault, the old keys can no longer be considered secure and should be rotated immediately.

Rotate Keys
You can rotate the SSH keys using the Change button, just like with passwords.

Retrieve / Connect
Users who have the Retrieve Accounts permission can retrieve a copy of the private key. Users who have the Use Accounts permission can click on the Connect button to launch the session directly from the PVWA.
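The per-target steps behind "Rotate Keys" and the blast-radius problem of one shared key, as an added example that is neither from the deck nor CyberArk product code: POSIX shell functions that list which hosts still trust a given public key, add a freshly generated public key to a target's authorized_keys without disturbing the old one, and, after a login with the new key has been verified, revoke the old key by its key material so that a restricted copy of the same key (from=... or no-pty options, a different comment) is removed too. The DIR/<host>/authorized_keys layout, the function names and the key blobs are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not CyberArk code: the authorized_keys operations on a target that
# a key manager performs when it rotates a key-pair, plus the blast-radius check
# for a key shared across hosts. Key blobs used here are constructed placeholders.

# Print the "<type> <base64>" part of an authorized_keys line, skipping any leading
# options such as from="10.0.1.0/24",no-pty and the trailing comment. Prints nothing
# for comment or blank lines.
key_material() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i, $(i + 1); exit } }'
}

# Succeed if FILE already trusts the key in LINE (options and comment ignored).
key_authorized() {
    file=$1; want=$(key_material "$2")
    [ -n "$want" ] && [ -f "$file" ] || return 1
    while IFS= read -r l || [ -n "$l" ]; do
        [ "$(key_material "$l")" = "$want" ] && return 0
    done <"$file"
    return 1
}

# Rotation step 1: trust the NEW key while the old one still works (idempotent),
# so a push that fails half-way never locks the key manager out.
authorize_key() {
    file=$1; line=$2
    key_authorized "$file" "$line" && return 0
    printf '%s\n' "$line" >>"$file"
    chmod 600 "$file"
}

# Rotation step 2, only after a login with the NEW key succeeded: drop every line
# whose key material matches the OLD key, whatever its options or comment, and
# replace the file atomically so sshd never reads a half-written authorized_keys.
revoke_key() {
    file=$1; want=$(key_material "$2"); tmp=$(mktemp)
    while IFS= read -r l || [ -n "$l" ]; do
        [ "$(key_material "$l")" = "$want" ] || printf '%s\n' "$l"
    done <"$file" >"$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Blast radius: which hosts under DIR (layout DIR/<host>/authorized_keys, an
# assumption for this example) still trust KEY? These are the hosts exposed if the
# matching private key is compromised, and the hosts a revocation must reach.
hosts_trusting() {
    dir=$1; key=$2
    for f in "$dir"/*/authorized_keys; do
        key_authorized "$f" "$key" && basename "$(dirname "$f")"
    done
    return 0
}

demo() {
    d=$(mktemp -d)
    old='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldSharedKeyOldSharedKeyOldSharedKeyOldShar root@shared'
    new='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewKeyForBillingOnlyNewKeyForBillingOnlyNew cpm-billing-app'
    for h in ftp-primary ftp-backup billing-app; do
        mkdir -p "$d/$h" && printf '%s\n' "$old" >"$d/$h/authorized_keys"
    done
    echo "before: $(hosts_trusting "$d" "$old" | sort | tr '\n' ' ')"
    authorize_key "$d/billing-app/authorized_keys" "$new"   # 1. push the new public key
    # 2. a real rotation verifies here: ssh -i <new private key> root@billing-app true
    revoke_key "$d/billing-app/authorized_keys" "$old"      # 3. retire the shared key
    echo "after:  $(hosts_trusting "$d" "$old" | sort | tr '\n' ' ')"
    rm -rf "$d"
}
[ -z "${DEMO:-}" ] || demo
```

The order add, verify, revoke is what makes key rotation safe to automate: the old key keeps working until a login with the new one has been confirmed, and matching on key material rather than on the whole line is what guarantees the old key is really gone from a host that carried several copies of it.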
Push Private Keys to Application Servers
If you have applications that authenticate using SSH keys, you can use CyberArk PAM to push private keys to those servers.

Summary
In this session, we discussed:
- How to configure linked accounts
- How to use the SSH key manager

Additional Resources
Online Training: Linked Accounts (login required)
You may now complete the following exercises:
- Linked Accounts
  - Securing SSH Accounts Using a Logon Account
  - Securing Windows Server Local Accounts via a Reconcile Account
- Securing Unix Accounts With SSH Keys
  - Generating a Key-Pair
  - Verify you can log in with the Private Key
  - Duplicating a Platform
  - Add an Account with an SSH Key