infamousjoeg/cybr-cli

MFA Caching Support for PSM for SSH

Opened this issue · 5 comments

Is your feature request related to a problem? Please describe.
In v12.1, CyberArk introduced MFA caching support for PSM for SSH. It solves a user experience issue where, needing to connect to multiple *NIX machines simultaneously or back-to-back, users needed to authenticate each time. The way CYBR implemented the solution was allowing the user to authenticate once using MFA, and then generating a private SSH key (PPK, PEM, OpenSSH) that they download and use to authenticate to multiple *NIX machines. That key has a short TTL and can be revoked on demand. There is a supported REST API command to generate this instead of needing to go to the PVWA.

Describe the solution you'd like
Create a new command set to generate this MFA cache key. Enable the ability to menu select which type of key you want to generate, whether you want to add a passphrase to the key and (possibly) enable saving of the key to the default directory used by PuTTY.

Happy Birthday @AndrewCopeland 🎂

Thanks :)

What endpoint would be used to generate the SSH Private key that can be used to connect to the target devices?

I am having a hard time finding it here:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/API-account-actions-LP.htm?tocpath=Developer%7CREST%20APIs%7CAccounts%7CAccount%20actions%7C_____0

I could be looking in the wrong place.

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/MFA-Caching.htm

This page lists the various commands and links to the endpoint details of each.

We will need to update our backend infrastructure to test this feature out. This will be pushed to a future release.