Anonymous_User Absent Member.

Can PAM 3.0 administrate Network Devices?


Can PAM 3.0 administrate Network Devices?


--
mochacoffee

0 Likes
3 Replies
Knowledge Partner

Re: Can PAM 3.0 administrate Network Devices?

Yes, and there is an entire section of documentation on it:

https://www.netiq.com/documentation/privileged-account-manager-3/

Look for the section labeled "Command Control Access to Network Devices"


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
sharfuddin2 Absent Member.

Re: Can PAM 3.0 administrate Network Devices?


ab;260474 Wrote:
> Yes, and there is an entire section of documentation on it:
>
> https://www.netiq.com/documentation/privileged-account-manager-3/
>
> Look for the section labeled "Command Control Access to Network Devices"
>
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


Sorry for hijacking the post. What I understand is that "Command Control Access
to Network Devices" provides the steps to access a router via SSH relay,
and I don't think it serves the purpose, because if an admin user logs
in on the router, then why would that user run the "admin commands" via
the sshrelay method? What forces the user to do so?


--
sharfuddin

0 Likes
Micro Focus Expert

Re: Can PAM 3.0 administrate Network Devices?

This is a good question for sure. While there is an approach in dealing with this when there is an agent deployed on the server (TID 7017938), managing network devices is through PAM's SSH-Relay, which doesn't offer any control over direct-ssh connections to the network device that would otherwise be allowed. An approach would need to be hardening direct ssh-access to these network devices, perhaps even restricting it so it can only be done through PAM, while keeping reserved admin accounts that would be allowed direct access in case there is any potential problem with PAM. This kind of approach can be configured through 'sshd_config' where you can allow users from specific networks, etc.
0 Likes
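
The 'sshd_config' restriction suggested in the reply above, sketched as an added example (not from the thread or from PAM's documentation) for a device whose SSH server is OpenSSH: the embedded fragment uses `AllowUsers` with `USER@HOST` patterns, and the script checks which user and source-address pairs it would admit. The relay address, management network and account names are all assumptions, and the matcher is a simplified model of `AllowUsers` only.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sshd_config fragment. Every name and address is an assumption:
# 10.0.5.10 = PAM SSH-Relay host, 10.0.9.0/24 = management network,
# netadmin/netops = ordinary admins, breakglass = reserved direct-access account.
SSHD_CONFIG = """\
# Ordinary admins are accepted only when the connection comes from the relay
AllowUsers netadmin@10.0.5.10 netops@10.0.5.10
# Reserved account keeps direct access in case PAM is unavailable
AllowUsers breakglass@10.0.9.0/24
"""

def parse_allow_users(text):
    """Collect (user_pattern, host_pattern or None) from all AllowUsers lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "allowusers":
            for pattern in parts[1:]:
                user, _, host = pattern.partition("@")
                entries.append((user, host or None))
    return entries

def host_matches(pattern, source_ip):
    """Match a source address against the HOST part (CIDR or * / ? wildcard)."""
    if pattern is None:
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(source_ip) in net
    return fnmatchcase(source_ip, pattern)

def is_allowed(entries, user, source_ip):
    """Simplified decision: negation, Match blocks and Deny* are not modelled."""
    if not entries:
        return True  # without AllowUsers this directive restricts nobody
    return any(fnmatchcase(user, u) and host_matches(h, source_ip)
               for u, h in entries)

if __name__ == "__main__":
    rules = parse_allow_users(SSHD_CONFIG)
    for user, src in [("netadmin", "10.0.5.10"), ("netadmin", "10.0.9.20"),
                      ("breakglass", "10.0.9.20"), ("breakglass", "192.0.2.7")]:
        verdict = "allowed" if is_allowed(rules, user, src) else "refused"
        print(f"{user:<10} from {src:<10} -> {verdict}")
```

With such a fragment, an ordinary admin connecting directly from the management network is refused and has to come through the relay, while the reserved account still gets in if PAM is down.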