ab;260474 Wrote:
> Yes, and there is an entire section of documentation on it:
>
> https://www.netiq.com/documentation/privileged-account-manager-3/
>
> Look for the section labeled "Command Control Access to Network Devices"
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...
Sorry for hijacking the post. What I understand is that "Command Control Access to Network Devices" provides the steps to access a router via SSH relay, and I don't think it serves the purpose, because if an admin user logs in on the router, then why would that user run the "admin commands" via the SSH relay method? What forces the user to do so?
This is a good question for sure. While there is an approach to dealing with this when there is an agent deployed on the server (TID 7017938), managing network devices is done through PAM's SSH-Relay, which doesn't offer any control over direct SSH connections to the network device that would otherwise be allowed. An approach would need to be hardening direct SSH access to these network devices, perhaps even restricting it so it can only be done through PAM, while keeping reserved admin accounts that would be allowed direct access in case there is any potential problem with PAM. This kind of approach can be configured through 'sshd_config', where you can allow users from specific networks, etc.
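The sshd_config hardening described in the answer above, written out as an added example (this is not configuration from the thread, from NetIQ, or from any product documentation). It assumes a network device or jump host that runs OpenSSH and reads a standard sshd_config; the addresses 192.0.2.10 (PAM SSH relay host), 198.51.100.0/24 (out-of-band management network) and the account names netadmin and breakglass are placeholders. The permissive lines are shown commented out beside the restrictive ones so the change is visible in one place.

```conf
# --- Permissive state (what is being replaced) ---
# With no AllowUsers/AllowGroups and password logins enabled, any account
# on the device can be reached directly from anywhere, so nothing forces an
# admin to go through the PAM relay.
#
# PasswordAuthentication yes
# PermitRootLogin yes

# --- Hardened state ---
# Key-based logins only; the relay and the reserved admins both use keys.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# Source-address pinning via USER@HOST patterns (placeholder values):
#  - the shared device admin account may only be used from the PAM relay,
#    so day-to-day admin sessions are recorded and controlled by PAM;
#  - the reserved break-glass account may only be used from the management
#    network, so direct access survives a PAM outage but not from anywhere.
# Any user/source pair not listed here is refused before authentication.
AllowUsers netadmin@192.0.2.10 breakglass@198.51.100.*

# Belt-and-braces: even if the account list is edited later, the relay
# address is the only one allowed to use the shared admin account name.
Match User netadmin Address !192.0.2.10
    DenyUsers netadmin

# Keep logging verbose enough that direct logins by the break-glass account
# stand out in the device's auth log and can be alerted on.
LogLevel VERBOSE
```

Before reloading sshd with a file like this, validate it with `sshd -t` and keep an existing session open until a second login through the relay and one from the management network have both been confirmed, since a typo in AllowUsers locks everyone out. The `Match ... Address !...` block uses the negation form supported by OpenSSH Match criteria; if the target platform runs a vendor SSH server rather than OpenSSH, the same intent (source-restricted accounts plus a separately sourced break-glass account) must be expressed in that platform's own access-list syntax.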