sergio_chkdb Frequent Contributor.

Can the IP of a PAM User be configured so that he can only open his console from his computer?

Hello, excellent day everyone
I would like to know if there is any way to configure the IP of a user in PAM so that his PAM session can only be opened on his own computer and not on another one. This is in order to prevent users and passwords from being presented and then used to open sessions on other computers.

For your attention and support, thank you.


Accepted Solutions
Micro Focus Expert

Re: Can the IP of a PAM User be configured so that he can only open his console from his computer?

One option would be to nestle the access rules under a parent rule where there is a rule condition of "authorized submit hosts" that is created that restricts the host submitting the command. This is an approach briefly mentioned in the following documentation:
https://www.netiq.com/documentation/privileged-account-manager-36/npam_admin/data/bjfzqbk.html#rules_overview

For example, I might create a Host Group in Command Control called "HG-Client-SubmitHosts" with Hosts field as follows using some regex or just listing out an ip address in each line:
151.155.*.*

Then I could apply this on any rule in the cmdctrl hierarchy, e.g. IF "host IN HG-Client-SubmitHosts." This should restrict the "submit user host," which is the workstation/client the user is accessing from. So the rules shouldn't appear if trying to access from a different ip address that is not listed in this host group as specified in the cmdctrl rule conditions.

--

Another option if the user exists as a local PAM user in the Framework User Manager Console, you could modify the "Host Access Control" settings:

https://www.netiq.com/documentation/privileged-account-manager-36/npam_admin/data/user_account_settings.html#bjflv4w

"You can control where the user can access a Framework Manager console from by defining a list of ports and hosts to which access is allowed, or a list of ports and hosts to which access is denied."

If the user is from an external LDAP source, that will be trickier.

--

So those are two approaches for handling granularly based on rules in cmdctrl or if a local pam user using host access control.

Alternatively, you could rely on network configuration and just restrict access based on iptables / firewall so requests are filtered that way.
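As an added illustration (not PAM's own code and not part of the answer above), the following Python models the first approach: a parent rule carrying a "host IN HG-Client-SubmitHosts" condition hides its whole subtree from a client whose IP is not in the host group. The wildcard entry 151.155.*.* is taken from the answer; the second entry, the rule names, and the exact wildcard-matching semantics are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


def host_group_pattern(entry: str) -> re.Pattern:
    """Turn one line of a host group's Hosts field into a compiled regex.
    Supports a plain IP or '*' wildcards per octet (e.g. '151.155.*.*');
    how PAM itself interprets these entries is an assumption here."""
    escaped = re.escape(entry.strip()).replace(r"\*", r"\d{1,3}")
    return re.compile(rf"^{escaped}$")


@dataclass
class HostGroup:
    name: str
    entries: List[str]

    def contains(self, host: str) -> bool:
        ipaddress.ip_address(host)  # reject malformed submit-host values early
        return any(host_group_pattern(e).match(host) for e in self.entries)


@dataclass
class Rule:
    name: str
    submit_hosts: Optional[HostGroup] = None      # condition: host IN <group>
    children: List["Rule"] = field(default_factory=list)


def visible_rules(rule: Rule, submit_host: str) -> List[str]:
    """Names of rules offered to a client connecting from `submit_host`.
    A parent whose host condition fails hides its entire subtree, which is
    the effect the accepted solution describes for the cmdctrl hierarchy."""
    if rule.submit_hosts and not rule.submit_hosts.contains(submit_host):
        return []
    names = [rule.name]
    for child in rule.children:
        names.extend(visible_rules(child, submit_host))
    return names


# Constructed sample: one parent rule gated on the host group from the answer.
CLIENT_HOSTS = HostGroup("HG-Client-SubmitHosts", ["151.155.*.*", "10.0.0.25"])
TREE = Rule("Authorized-Clients", submit_hosts=CLIENT_HOSTS,
            children=[Rule("Allow-root-ssh"), Rule("Allow-oracle-sudo")])

if __name__ == "__main__":
    print(visible_rules(TREE, "151.155.8.9"))   # parent plus both child rules
    print(visible_rules(TREE, "192.168.1.40"))  # [] -> nothing is offered
```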

Knowledge Partner

Re: Can the IP of a PAM User be configured so that he can only open his console from his computer?

In PAM itself I have not seen it. But it is a web application, and if you can reverse proxy it via something like NAM, you could possibly implement this request and apply rules by location and users if needed.

PAM is not entirely meant for that level of control to the console.

Could add Advanced Auth in front of the console and require secondary auth as well.


sergio_chkdb Frequent Contributor.

Re: Can the IP of a PAM User be configured so that he can only open his console from his computer?

Thank you very much for your answers, I will review it.

Regards

Knowledge Partner

Re: Can the IP of a PAM User be configured so that he can only open his console from his computer?

Actually, Tyler (who posts here, thank you very much Tyler, I greatly appreciate your help in this forum) pointed out to me, on my question about Inactivity Timeouts that the settings for stuff like this are in the FrameWork user space.

Is your PAM user a Framework user, or is it an AD account passed through? If it is a Framework user, go to that console, select the user, click edit (upper right), and there is a section "Host Access Control".

I think that might be what you are looking for.

sergio_chkdb Frequent Contributor.

Re: Can the IP of a PAM User be configured so that he can only open his console from his computer?

Thank you
