06-PAM-ADMIN Accounts-Pt2

The document discusses linked accounts in CyberArk, including logon accounts and reconcile accounts. A logon account allows logging into a target system to change passwords for privileged accounts that are restricted from direct login. A reconcile account is used to automatically synchronize passwords between the CyberArk vault and target systems.

Uploaded by yaohang

Accounts – Part 2

Agenda

By the end of this session, you will be able to:

• Describe and configure linked accounts:
  – Logon accounts
  – Reconcile accounts
• Describe and configure SSH key management

Copyright © 2021 CyberArk Software Ltd. All rights reserved. cyberark.com


Linked Accounts

There are two types of linked accounts commonly used and supported by default for most platforms:
• Logon account
• Reconcile account


Logon Account



The root user is often prevented from logging in remotely as a best practice (in /etc/ssh/sshd_config: PermitRootLogin no), so a direct SSH login as root is rejected even when the password is correct:

    login as: root
    root@…'s password:
    Access denied

The solution is to log in as a user with the authorization to switch to root and perform the password change from there:

    login as: logon01
    logon01@…'s password:
    [logon01@centos-target01 ~]$ su - root
    Password:
    [root@centos-target01 ~]# passwd
    Changing password for user root.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@centos-target01 ~]#

If the SSH policy on the target machine forbids root logon, the CPM will not be able to verify or change the root password.


• The solution is to onboard a non-privileged account with the authorization to switch to root in order to perform the password change. This account is the Logon Account.
• To use a Logon Account, you need to link it to the root account.
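Before onboarding a Unix root account it helps to know what the target's sshd_config actually allows, because that decides whether the CPM can log in as root directly or must go through a Logon Account. The check below is an added example, not part of the CyberArk course and not a CPM plugin; it reads the configuration text (a constructed sample is embedded) and applies the OpenSSH rules that trip people up: the first occurrence of a keyword wins, Match blocks are conditional, and an absent PermitRootLogin defaults to prohibit-password, which blocks root password logins while still allowing key-based ones. The class and function names are the example's own.

```python
"""Added example (not CyberArk's code): read a target's sshd_config and decide
whether the CPM can manage root directly or needs a Logon Account.

OpenSSH rules modelled here (sshd_config(5)):
  * keywords are case-insensitive; '#' starts a comment; 'Key value' or 'Key=value'
  * when a keyword appears more than once, the FIRST value wins
  * lines after a 'Match' directive apply only when the criteria match, so they
    are reported separately instead of being treated as the global value
  * if PermitRootLogin is absent the default is 'prohibit-password' (older
    releases spell it 'without-password'): root may log in with a key but
    not with a password
"""
from dataclasses import dataclass, field

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


@dataclass
class RootLoginPolicy:
    value: str                      # effective global PermitRootLogin value
    password_ok: bool               # root can log in over SSH with a password
    key_ok: bool                    # root can log in over SSH with a key
    match_overrides: list = field(default_factory=list)  # (Match criteria, value)

    def needs_logon_account(self, platform_uses_keys: bool = False) -> bool:
        """A password platform needs a Logon Account unless root password
        login is allowed; an SSH-key platform only if key login is blocked."""
        return not (self.key_ok if platform_uses_keys else self.password_ok)


def effective_permit_root_login(config_text: str) -> RootLoginPolicy:
    global_value = None
    overrides = []
    match_criteria = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value_raw = parts[1].strip().strip('"') if len(parts) > 1 else ""
        value = value_raw.lower()
        if key == "match":
            match_criteria = value_raw      # everything below is conditional
        elif key == "permitrootlogin":
            if match_criteria is not None:
                overrides.append((match_criteria, value))
            elif global_value is None:      # first occurrence wins
                global_value = value
    value = global_value or DEFAULT_PERMIT_ROOT_LOGIN
    return RootLoginPolicy(
        value=value,
        password_ok=(value == "yes"),
        # forced-commands-only permits keys only with a command= restriction,
        # which a password-management plugin cannot work under, so it counts
        # as blocked here
        key_ok=value in ("yes", "prohibit-password", "without-password"),
        match_overrides=overrides,
    )


if __name__ == "__main__":
    # Constructed sample: the slide's setting plus a Match exception
    sample = """
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin no
PermitRootLogin yes          # ignored: first value wins
Match Address 10.0.1.0/24
    PermitRootLogin yes
"""
    policy = effective_permit_root_login(sample)
    print(policy.value, "-> needs logon account:", policy.needs_logon_account())
    for criteria, val in policy.match_overrides:
        print(f"  Match {criteria}: PermitRootLogin {val}")
```

Run it against the file copied from the target (or against the output of `sshd -T`, which prints the already-resolved global values and so needs no first-wins handling). A Match override for the CPM's source address is worth knowing about, but the global value is what the CPM will hit from anywhere else.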


• Now that we have specified a logon account, when we re-run a password change, we will see that the PasswordManager user has changed the password.
• Note that the logon account is also used when connecting to the target system through the PSM.


The logon account can be set on the individual account or via the Platform.


Reconcile Accounts


Reconciliation is used for situations where we don’t know a password – for example, if the password in the Vault and on the Target machine have somehow become unsynchronized – or if the use of individual passwords would be too onerous – you have a fleet of Windows servers, each with its own local admin password, and you want to onboard them all at once, not one by one.
The verification process will discover passwords that are not synchronized with their corresponding password in the Vault, and we can configure the CPM to reset the password in the Vault and on the Target.
Manual reconciliation is enabled by default. Automatic reconciliation must be enabled.

A reconcile account is typically a Domain account with sufficient rights to force a password change.
Reconciliation flow (Vault, CPM, Target):

• The CPM scans the Vault for accounts and retrieves the current credentials.
• The CPM logs in to the Target using the current credentials. On failure, the account is flagged in the Vault.
• On the next scan, the CPM retrieves the flagged account's current credentials together with the reconcile account.
• The CPM generates a new password, connects to the Target with the reconcile account and runs a password reset; the Target reports success or failure.
• The CPM logs in to the Target using the new credentials; the Target reports success or failure.
• On success, the CPM stores the new credentials in the Vault.
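The flow above, and the earlier point that automatic reconciliation is off by default, are easier to reason about when run end to end. The model below is an added example, not CyberArk code and not the PAS API: an in-memory Vault and Target (constructed sample data, with one drifted account, one in-sync account and a reserved reconcile account) and a single CPM pass that verifies every account, reconciles a flagged one only when the platform allows automatic reconciliation, and stores the new password only after confirming it works. It also shows what happens when the reconcile account's own credentials are wrong: the account simply stays flagged.

```python
"""Added example, not CyberArk code: a model of the CPM verify / reconcile
loop shown in the slide, with an in-memory Vault and Target so it runs
offline. Class and function names are the example's own, not PAS APIs."""
import secrets
import string


class Target:
    """A host with local accounts. Only an authenticated admin may reset
    another user's password, which is the role the reconcile account plays."""

    def __init__(self, users: dict, admins: set):
        self._users = dict(users)   # username -> current password
        self._admins = set(admins)

    def login(self, user: str, password: str) -> bool:
        return self._users.get(user) == password

    def reset_password(self, admin: str, admin_pw: str, user: str, new_pw: str) -> bool:
        # The reconcile account must itself authenticate and hold admin rights
        if admin not in self._admins or not self.login(admin, admin_pw):
            return False
        self._users[user] = new_pw
        return True


class Vault:
    def __init__(self, accounts: dict, reconcile_account: tuple, auto_reconcile: bool):
        # account id -> {"user", "password", "flagged"}
        self.accounts = {k: dict(v) for k, v in accounts.items()}
        self.reconcile_account = reconcile_account   # (username, password)
        self.auto_reconcile = auto_reconcile         # platform setting; off by default


def generate_password(length: int = 16) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify(vault: Vault, target: Target, account_id: str) -> bool:
    """Log in with the stored credentials; flag the account when that fails."""
    acct = vault.accounts[account_id]
    ok = target.login(acct["user"], acct["password"])
    acct["flagged"] = not ok
    return ok


def reconcile(vault: Vault, target: Target, account_id: str) -> bool:
    """Reset the password with the reconcile account, confirm the new
    password works, and only then store it in the Vault."""
    acct = vault.accounts[account_id]
    admin, admin_pw = vault.reconcile_account
    new_pw = generate_password()
    if not target.reset_password(admin, admin_pw, acct["user"], new_pw):
        return False
    if not target.login(acct["user"], new_pw):
        return False
    acct["password"] = new_pw
    acct["flagged"] = False
    return True


def cpm_cycle(vault: Vault, target: Target) -> dict:
    """One CPM pass over the Vault. Flagged accounts are reconciled only when
    the platform allows automatic reconciliation; otherwise they stay
    flagged for a manual reconcile (the default behaviour)."""
    status = {}
    for account_id in vault.accounts:
        if verify(vault, target, account_id):
            status[account_id] = "verified"
        elif vault.auto_reconcile and reconcile(vault, target, account_id):
            status[account_id] = "reconciled"
        else:
            status[account_id] = "flagged"
    return status


def build_scenario(auto_reconcile: bool):
    """Constructed sample data: the Vault's copy of 'Administrator' has
    drifted from the Target, 'localadmin' is in sync, and 'svc_reconcile'
    is the admin-level service account reserved for reconciliation."""
    target = Target(
        users={"Administrator": "Winter2024!", "localadmin": "Local-42",
               "svc_reconcile": "R3conc1le-only"},
        admins={"svc_reconcile"},
    )
    vault = Vault(
        accounts={
            "Administrator": {"user": "Administrator", "password": "Summer2023!", "flagged": False},
            "localadmin": {"user": "localadmin", "password": "Local-42", "flagged": False},
        },
        reconcile_account=("svc_reconcile", "R3conc1le-only"),
        auto_reconcile=auto_reconcile,
    )
    return vault, target


if __name__ == "__main__":
    for auto in (False, True):
        vault, target = build_scenario(auto_reconcile=auto)
        print(f"auto_reconcile={auto}:", cpm_cycle(vault, target))
```

The ordering in `reconcile` is the part worth copying: the new password is written to the Vault only after a successful login with it, so a reset that the Target reports as successful but that did not actually take effect leaves the old (flagged) record rather than a confidently wrong one.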




Logon Account
• Used when a user is prevented from logging on and the password is known
• Used on a regular basis – e.g., it is common to block root access via SSH
• A ‘super user’ such as root should not be used as a logon account

Reconcile Account
• Used for ‘lost’ or unknown passwords
• Should be used infrequently
• Needs to have elevated privileges (e.g., Domain Admin)
• This account is usually a service account reserved for this purpose


SSH Key Management

17

Copyright © 2021 CyberArk Software Ltd. All rights reserved. cyberark.com


Password authentication over SSH:

• The client launches the connection.
• The server presents its public host key; the client checks it against its list of known hosts and, as in the transcript below, asks the user to accept an unknown one. Accepting on first use trusts whatever answered at that address, so the fingerprint should be confirmed out of band.
• Client and server negotiate a symmetric session key. All further communication is encrypted with the symmetric session key.
• The user enters the account password and the server authenticates it.

    [root@centos-target01 ~]# ssh root@10.0.1.16
    The authenticity of host '10.0.1.16 (10.0.1.16)' can't be established.
    RSA key fingerprint is b0:38:8a:73:92:14:2a:92:f4:fa:25:68:5b:4e:80:77.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.0.1.16' (RSA) to the list of known hosts.
    root@10.0.1.16's password: ********
    [root@psmp-psmgw ~]#

[Diagram: user John connects to Linux Server 192.168.47.172; User, Trust, Target Server]
To authenticate with SSH keys, the user must first generate a public/private key-pair locally on her machine and then install the public key in her user directory on the target server (or servers), in ~/.ssh/authorized_keys, through a password-authenticated session.

• Once that is done, the user can authenticate using the SSH keys.
• She launches a connection to the remote server and offers her public key.
• The server checks that the key is listed in authorized_keys and, if so, requires proof that the client holds the matching private key.
• The client signs a challenge bound to this session (the session identifier together with the authentication request) with her private key and sends the signature to the server.
• The server verifies the signature with the stored public key.
• If it verifies, this proves that the user must have the private half of the key-pair (only the private key can produce a signature that the public key validates), and the private key itself never leaves her machine.
• The server therefore allows the connection to be established.


• SSH keys allow a substantially longer secret between client and server than a password.
• The secret is never transmitted over the network.
• One private key can be used to access multiple systems.

[Diagram: one root private key trusted by 192.168.41.37 FTP primary Server, 192.168.41.38 FTP backup Server, 192.168.40.4 Billing Application and 192.168.40.5 Billing backend Server]
• One private key can be used to access multiple systems. If it is compromised, all the systems that trust it are vulnerable.
• SSH keys are more difficult to change than passwords.

[Diagram: the same root private key trusted by 192.168.41.37 FTP primary Server, 192.168.41.38 FTP backup Server, 192.168.40.4 Billing Application and 192.168.40.5 Billing backend Server]
• Creates unique key-pairs for each target system.
• Private keys are stored in the Vault, not on user workstations.
• The CPM changes key-pairs often and automatically disseminates public keys to target systems.
• End users retrieve the private key from the Vault to authenticate to the target system.

[Diagram: separate root key-pairs for 192.168.41.38 FTP backup Server and 192.168.40.4 Billing Application]
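Disseminating a new public key is a small edit to authorized_keys on each target, but the edit has to find the right existing entry and must not leave the old key trusted. The code below is an added example, not CyberArk's implementation of the CPM plugin: it builds OpenSSH-format ed25519 public-key lines from constructed (not real) key bytes, computes the SHA256 fingerprint that `ssh-keygen -lf` prints, and swaps the old entry for the new one in an in-memory authorized_keys file while leaving comments and other users' keys alone. It refuses to proceed if the old key is not present, since appending in that case would leave an unknown set of keys trusted. Function names are the example's own.

```python
"""Added example, not CyberArk code: the two steps a key rotation performs on
a target, applied to an authorized_keys file held in memory: find the entry
for the old key by its SHA256 fingerprint (the value ssh-keygen -lf prints)
and replace it with the new public key, leaving every other entry alone.
The key bytes below are constructed for the example and are not real keys."""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_public_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line: 'ssh-ed25519 <base64 blob> comment'.
    The blob is the wire encoding of the key type followed by the 32-byte key."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in OpenSSH form: 'SHA256:' + unpadded base64 of the
    digest of the decoded key blob. Leading authorized_keys options such as
    from="10.0.0.0/8" are skipped (options containing spaces are not handled)."""
    fields = pubkey_line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key type field found")


def rotate_authorized_keys(contents: str, old_fp: str, new_pubkey_line: str) -> str:
    """Return contents with the entry whose fingerprint equals old_fp replaced
    by new_pubkey_line. Comments, blank lines and other keys are preserved.
    Raises LookupError if the old key is not found."""
    out, replaced = [], False
    for line in contents.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            try:
                if fingerprint(stripped) == old_fp:
                    out.append(new_pubkey_line)
                    replaced = True
                    continue
            except (ValueError, IndexError):
                pass   # unparsable line: keep it, an operator should look at it
        out.append(line)
    if not replaced:
        raise LookupError(f"no entry with fingerprint {old_fp}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    old = make_ed25519_public_line(bytes(range(32)), "root@ftp-primary (vaulted)")
    new = make_ed25519_public_line(bytes(range(1, 33)), "root@ftp-primary (vaulted, rotated)")
    other = make_ed25519_public_line(b"\x07" * 32, "jane@laptop")
    authorized_keys = "# managed by PAM\n" + other + "\n" + old + "\n"
    print("old:", fingerprint(old))
    print(rotate_authorized_keys(authorized_keys, fingerprint(old), new))
```

On a real target the rewritten text should be written to a temporary file in ~/.ssh and renamed over authorized_keys so a crash mid-write never leaves the user with no valid key, and the new private key should be verified with a fresh login before the old one is discarded, which is the same confirm-then-store order the reconcile flow uses for passwords.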


SSH keys can share a Safe with passwords, but they need their own Platforms.

You can select the file containing the private key or copy and paste it.

Because entering the SSH keys into CyberArk exposes them, the old keys can no longer be considered secure and should be rotated immediately.


You can rotate the SSH keys using the Change button, just like with passwords.


Users who have the Retrieve Accounts permission can retrieve a copy of the private key.

Users who have the Use Accounts permission can click on the Connect button to launch the session directly from the PVWA.


If you have applications that authenticate using SSH keys, you can use CyberArk PAS to push private keys to those servers.




Summary

In this session, we discussed:
• How to configure linked accounts
• How to use the SSH key manager


Additional Resources

eLearning
• Linked Accounts (login required)

You may now complete the following exercises:
• Linked Accounts
  – Securing SSH Accounts Using a Logon account
  – Securing Windows Server Local Accounts via a Reconcile Account
• Securing Unix Accounts With SSH Keys
  – Generating a Key-Pair
  – Verify you can login with the Private Key
  – Duplicating a Platform
  – Add an Account with an SSH Key
