3.2 SSH/TELNET Proxy
The Single Connect SSH/Telnet proxy feature can be used to log and monitor SSH/Telnet sessions. Managing Devices and Policy Management rules are used for SSH/Telnet proxies. Users can establish SSH connections with multiple options, which are described below.

Connecting with a Global User

When a Single Connect user with privileged access (like root or admin) connects to devices, they can connect to those devices without knowing the privileged user's password. The global username must be defined to use this feature; the settings can be found under Managing Devices. There are 4 ways to connect to a device with a global username:

- Global password: a static password set in the device properties.
- SAPM password: used if there is an SAPM account defined for the global user and the device that the user wants to connect to.
- Global SSH key: a static SSH key set in the device properties.
- Rotating SSH key: used if there is an SAPM account with an SSH key strategy for the global user and the device that the user wants to connect to.

When connecting to a device with a global username via an SC proxy, the priority rules applied are:

1. If there is a defined SAPM account, the SAPM password or rotated SSH key is used for authentication of the global user as first priority.
2. If no SAPM account is defined, the global SSH key is used to connect to the device as second priority.
3. If neither of these two options is defined in the device properties, the global password is used for the connection to the device. The global password has the least priority.

If the device requests both an SSH key and a password for authentication, both the SSH key and the password are used. In this case, the SAPM account password is used as first priority and the global password as second priority.

Connecting with a Local or LDAP User

If the global username is not defined in the device properties, a Single Connect user can connect to the devices they have access to with their Single Connect credentials. Note: to ensure this connection type works with local or LDAP users, the Single Connect users' credentials must be defined on the target devices.

Device Group Properties for SSH/Telnet Proxy

- addmanuallogintouserselection (SSH/Telnet): This property only applies to SSH/Telnet proxies in Session Manager modules. The default value is "false". When the value is set to "true", the user can enter the device username and password manually.
- addsessionusertouserselection (SSH/Telnet): This property only applies to SSH/Telnet proxies and RDP/VNC proxies in Session Manager modules. When the "addsessionusertouserselection" property is set to "true" on a device group, users can connect to target devices in the device group with their own username, the one they use to log in to Single Connect.
- approvalrequiredforconnection (SSH/Telnet): This property only applies to SSH proxies and RDP proxies in Session Manager modules. When its value is set to "true", managerial approval via e-mail is requested for users to connect to devices in the device group.
- globalusername (SSH/Telnet): The username to use when connecting to all devices covered by the device group. This username must be pre-defined as a user on all devices in the device group.
- globalpassword (SSH/Telnet): The password of the "globalusername"; the password to use when connecting to all devices covered by the device group.
- globalsshkey (SSH): This property only applies to SSH proxies in Session Manager modules. If connecting to devices with an SSH key is preferred, "globalsshkey" should be defined for the device group.
- globalsshkeypassphrase (SSH): This property only applies to SSH proxies in Session Manager modules. If the device to be connected to has an SSH key passphrase, "globalsshkeypassphrase" should be defined for the device group.
- reasonrequiredforconnection (SSH): This property only applies to SSH proxies and RDP proxies in Session Manager modules. When its value is set to "true", a comment/reason field appears when users try to connect to the devices in the device group. The text entered here will appear in the session logs and in the managerial approval e-mails and notifications (if enabled).
- sessiondurationlimitminute (RDP/SSH): This property only applies to SSH proxies and RDP proxies in Session Manager modules. Users' sessions can be limited based on the session duration.

When the "addsessionusertouserselection", "addmanuallogintouserselection" and "globalusername" properties are defined for a device group, the resulting connection options are listed below:

| addsessionusertouserselection | addmanuallogintouserselection | Global user count | Behavior |
|---|---|---|---|
| false | false | 0 | Connect with session user automatically |
| false | false | 1 | Connect with global user automatically |
| false | false | more than 1 | List global users |
| false | true | 0 | Ask username/password |
| false | true | 1 | List "manual login" option and global user |
| false | true | more than 1 | List "manual login" option and global users |
| true | false | 0 | Connect with session user automatically |
| true | false | 1 | List "session user" option and global user |
| true | false | more than 1 | List "session user" option and global users |
| true | true | 0 | List "session user" option and "manual login" option |
| true | true | 1 | List "session user" option, "manual login" option and global user |
| true | true | more than 1 | List "session user" option, "manual login" option and global users |

Dual Authentication for Single Connect SSH/Telnet Proxy

Please consult Kron technical support (sc-support@kron.com, epdestek@kron.com.tr).

SSH Session Duration-Based Limitation Settings

Please consult Kron technical support (sc-support@kron.com, epdestek@kron.com.tr).

Connection to Single Connect SSH Proxy

Users can use their own SSH clients to connect to Single Connect SSH/Telnet proxies. To connect to a Single Connect SSH/Telnet proxy, type the Single Connect IP address as the host IP address and 2222 as the connection port (2222 is the default SSH/Telnet proxy port; the port number can be changed by the system administrator).

Assigned Credentials

When connecting to SSH/Telnet supported devices through a Single Connect SSH/Telnet proxy, the following credentials can be used for logging in to the remote device:

- Global username and global password or SSH key (static values).
- Global username as an SAPM account, with a changed (rotated) password.
- The user's own credentials, if they are allowed to log in to the remote device.
- Different assigned credentials for each user, like the "john" local account for the user John, the "julia" local account for the user Julia, etc.

For the fourth option, assigned credentials should be used. The following steps should be followed:

1. Log in to the Single Connect web GUI as an admin user.
2. Navigate to Device Management > Device Groups.
3. Right-click a device group and select Show Properties (this device group should beforehand be put in a device group realm with the user group that includes the users).
4. Save the "addassignedcredentialtouserselection" property as "true".

These steps enable assigned credential usage for a device group. To set up the assigned credentials for different users, SAPM or Secret Data Vault accounts should be saved first ("SAPM" is used for passwords that are rotated by the password manager, while "Secret Data Vault" can be used for static usernames and passwords or SSH keys). After that, these steps should be followed:

1. Log in to the Single Connect web GUI as an admin user.
2. Navigate to User Management > Assigned Credential section.
3. Start typing the username in the "User" text box; matching users will appear just below. Select the one for whom another credential will be assigned.
4. Select "SAPM" or "Secret Data Vault" as the credential source ("SAPM" is used for passwords that are rotated by the password manager, while "Secret Data Vault" can be used for static usernames and passwords).
5. According to the selection, either select the "SAPM username" or the "Secret Data Vault" name.
6. Save.

After these steps are completed, the assigned credentials will be used for the connection whenever the Single Connect users defined in these steps open an SSH/Telnet session.

Domain User Credentials

While connecting to SSH/Telnet supported devices through a Single Connect SSH/Telnet proxy, the user's own credentials, the ones used to log in to Single Connect, can be used for logging in to remote devices. If the "addsessionusertouserselection" property key is set to "true" in the device group properties, the session user will be offered in the user selection screen while connecting to the target device. Some remote devices, however, require an FQDN in addition to the username; in this case the "useemailasusername" property key should be set to "true" in the device group properties so that the username and FQDN are used together to log in to the target devices.

SSH Proxy Encryption and Key Exchange Algorithms

Please consult Kron technical support (sc-support@kron.com, epdestek@kron.com.tr).

Reason Field for Device Connections

A mandatory reason field can be enabled that users must fill in when connecting to devices. The text entered here will appear in the session logs and in the managerial approval e-mails and notifications. To enable this feature, the "reasonrequiredforconnection" property must be set to "true" on a device group that includes the target devices.

Managerial Approval for Users Connecting to Devices

To enable managerial approval via e-mail for users connecting to devices, the "approvalrequiredforconnection" property must be set to "true" on a device group that has the target devices.
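The credential priority rules from "Connecting with a Global User" above, modelled as a small Python function. This is an added illustration, not Single Connect code: the property names match the documentation, while the SAPM strategy values ("password", "sshkey") and the returned source labels are assumptions of this model.

```python
from typing import List, Optional, Tuple

Credential = Tuple[str, str]  # (auth method, where the secret comes from)


def select_global_credentials(props: dict, sapm_strategy: Optional[str],
                              device_requires_both: bool = False) -> List[Credential]:
    """Return the credentials the proxy would present, in priority order.

    props                : device group properties, keyed as in the documentation
                           (globalusername, globalpassword, globalsshkey, ...)
    sapm_strategy        : strategy of the SAPM account for the global user on this
                           device: "password", "sshkey", or None if no account exists
                           (value names are an assumption of this model)
    device_requires_both : True when the device asks for SSH key AND password
    """
    if not props.get("globalusername"):
        # No global username: the session user's own (local/LDAP) credentials apply.
        return [("session-user", "single-connect-login")]

    # Candidate passwords, best first: SAPM-rotated password, then static globalpassword.
    passwords: List[Credential] = []
    if sapm_strategy == "password":
        passwords.append(("password", "sapm"))
    if props.get("globalpassword"):
        passwords.append(("password", "globalpassword"))

    # Candidate keys, best first: SAPM rotating key, then static globalsshkey.
    keys: List[Credential] = []
    if sapm_strategy == "sshkey":
        keys.append(("sshkey", "sapm"))
    if props.get("globalsshkey"):
        keys.append(("sshkey", "globalsshkey"))

    if device_requires_both:
        # Device wants both factors: best available key plus best available password.
        return keys[:1] + passwords[:1]

    # Single-method device: SAPM account > global SSH key > global password.
    if sapm_strategy is not None:
        return [("sshkey" if sapm_strategy == "sshkey" else "password", "sapm")]
    if keys:
        return keys[:1]
    return passwords[:1]  # empty list: nothing usable is configured for this device


if __name__ == "__main__":
    # Constructed sample device group: all three static options plus an SAPM password.
    sample = {"globalusername": "admin", "globalpassword": "static-pw", "globalsshkey": "KEY"}
    print(select_global_credentials(sample, "password"))           # [('password', 'sapm')]
    print(select_global_credentials(sample, "sshkey", True))        # key from SAPM, password static
```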