PAM Install & config

PAM Jump Server installation and configuration

PAM Jump Server Installation

The purpose of this tutorial is to show how to install Jump servers and configure PAM so that users can work on critical resources without knowing the password of the privileged account they use.

Jump Server

A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (*)

Prerequisites

The PAM Service is only released as a docker service.

1. Install docker ( https://docs.docker.com/install/ )

2. Create a Docker network (*). That network lets containers attached to the same bridge network communicate with each other:

sudo docker network create -d bridge NETWORKNAME

*  You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.

Screen overview

Installation

The steps required to install PAM are:

  1. Create the storage server container.
  2. Create the launcher container.
  3. Register storage server in Soffid console.

Fast path to create storage server and launcher containers

1. To create both containers, you can download the following script: install-pam.sh

2. Before installing, you have to edit the file and set the name of the network you have created, and the latest versions of the store and launcher images.

.........
docker create \
  --network soffid \
  -v soffid-pam-store:/opt/soffid/tomee/data \
  -p 8081:8080 \
  --name soffid-pam-store \
  soffid/pam-store:1.3.0 >/dev/null
  
......
......
docker create \
  --network soffid \
  -v soffid-pam-launcher:/opt/soffid/tomee/launcher \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8082:8080 \
  -e STORE_SERVER="http://$PUBLIC_IP:8081/" \
  -e STORE_USER="$userid" \
  -e STORE_PASSWORD="$pass" \
  --name soffid-pam-launcher \
  soffid/pam-launcher:1.3.0 >/dev/null

......

3. Finally, you can execute the script

~/Downloads$ bash ./install-pam.sh

A brief description of that script

1. Creates two volumes, one for the storage and the other for the launcher.

2. Creates a storage server container:

2.1. The recorded files and session videos are saved in that container.

2.2. All the data is saved encrypted with a key.

2.3. By default, it uses port 8081.

3. Starts the storage container.

4. Generates the user and password to connect the launcher.

5. Creates a launcher server container:

5.1. That container is in charge of recording sessions and sending the recording files to the storage.

5.2. Soffid allows you to configure the following environment variables:

Variable        Description
STORE_SERVER    Store URL
STORE_USER      Store user
STORE_PASSWORD  Store password
JAVA_KEYSTORE   (optional) Path of the key store that contains the SSL key
KEYSTORE_PASS   (optional) Password of the SSL key store

5.3. By default, it will use the 8082 port. 

6. Starts the launcher container.

7. Generates the encryption key to be used to store the recordings.

8. Generates the user and password that have to be registered on Soffid Console.

You will get something similar to this. When the process is complete, two docker containers should be created: soffid-pam-store and soffid-pam-launcher.

~/Downloads$ bash ./install-pam.sh
=====================
Creating store server
=====================
Waiting for store server
Creating launch server
=============================================================
Process completed
Notice: You must register the store server in Soffid console:
User name: bubu-thinkpad
Password : DRFoeOsD02yph7DERNcAZB8jp3b67bO3D/Ax3uS4PbzuBnPbQLhR1lyAu9PFqRJ0
~/Downloads$ docker ps
CONTAINER ID IMAGE                 COMMAND                  CREATED         STATUS         PORTS                    NAMES
854d7aff5c0a soffid/pam-launcher   "/bin/sh -c /opt/sof…"   4 minutes ago   Up 4 minutes   0.0.0.0:8082->8080/tcp   soffid-pam-launcher
7d66a3d3cfa1 soffid/pam-store      "/bin/sh -c /opt/sof…"   4 minutes ago   Up 4 minutes   0.0.0.0:8081->8080/tcp   soffid-pam-store
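A post-installation check, added here as an example and not part of Soffid's install-pam.sh: it confirms that both containers are running on the host ports the tutorial uses (8081 for the store, 8082 for the launcher) and flags the case shown in the docker ps output above, where the ports are published on 0.0.0.0, i.e. on every host interface. The container names, ports and docker ps columns are the tutorial's; the warning threshold is an assumption of this script.

```shell
#!/bin/sh
# verify-pam.sh: post-install check for the two PAM containers (added example,
# not part of Soffid's install-pam.sh). Assumes the container names and host
# ports the tutorial uses (soffid-pam-store on 8081, soffid-pam-launcher on 8082).

# Print "<name> <ports>" for one container, using the same columns `docker ps` shows.
container_line() {
    docker ps --format '{{.Names}} {{.Ports}}' | grep "^$1 " || true
}

# Return 0 if the named container is running and publishes the expected host port.
check_container() {
    name=$1; port=$2
    line=$(container_line "$name")
    [ -n "$line" ] || { echo "MISSING: $name is not running" >&2; return 1; }
    case "$line" in
        *":$port->"*) return 0 ;;
        *) echo "WRONG PORT: $name is not published on $port ($line)" >&2; return 1 ;;
    esac
}

# Return 0 if the container's published port is bound to every interface
# (0.0.0.0 or [::]). The store only needs to be reachable by the launcher and
# the gateways, which sit on the same docker network.
port_is_public() {
    case "$(container_line "$1")" in
        *"0.0.0.0:"*|*"[::]:"*) return 0 ;;
        *) return 1 ;;
    esac
}

verify_pam() {
    rc=0
    check_container soffid-pam-store 8081 || rc=1
    check_container soffid-pam-launcher 8082 || rc=1
    for c in soffid-pam-store soffid-pam-launcher; do
        if port_is_public "$c"; then
            echo "WARNING: $c is published on all interfaces; consider -p 127.0.0.1:PORT:8080 or a host firewall rule" >&2
        fi
    done
    return $rc
}

# Run the checks only when executed directly as verify-pam.sh, not when sourced.
case "$0" in */verify-pam.sh|verify-pam.sh) verify_pam ;; esac
```

Run it as bash ./verify-pam.sh after install-pam.sh has finished; a non-zero exit means a container is missing or published on the wrong port, and the warning tells you the store or launcher is reachable from outside the host.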

Next, you must open the Jump Server page in Soffid console. On that page, you must register the store and launcher servers using the user name and password displayed in the previous step. Visit the Configure PAM session servers page on Soffid Console to finish the installation process.

Privileged Account Session Recording

Bear in mind that you need to download the latest image of the Privileged Account Session Recording container for each protocol you need.

Examples

Linux

docker pull soffid/soffid-pasr-ssh

Windows

docker pull soffid/soffid-pasr-rdp

(*) https://en.wikipedia.org/wiki/Jump_server


PAM Jump Server Upgrade

Upgrade 

To upgrade PAM you will need to run two scripts, one for the store and the other for the launcher.

Upgrade store

To upgrade the storage container you can download and execute the following script: upgrade-store.sh

~/Downloads$ bash ./upgrade-store.sh

A brief description of that script

1. Gets the latest version of the PAM store.

2. Stops the store container.

3. Removes the store container.

4. Creates a new store container.

5. Starts a new store container.

Upgrade launcher

To upgrade the launcher container you can download and execute the following script: upgrade-launcher.sh

~/Downloads$ bash ./upgrade-launcher.sh

A brief description of that script

1. Gets the latest version of the PAM launcher.

2. Reads the environment variables of the current container so that the new container is created with the same configuration.

3. Stops the launcher container.

4. Removes the launcher container.

5. Creates a new launcher container.

6. Starts a new launcher container.
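The launcher upgrade has to carry the STORE_* settings over to the new container. The script below is an added example, not Soffid's upgrade-launcher.sh: it reads the variables of the running container with docker inspect, keeps only the launcher variables documented in the installation page, writes them to a 0600 env file and recreates the container from that file, so the store password never appears on the command line. Container, volume and image names are the tutorial's; the variable list is the documented one.

```shell
#!/bin/sh
# upgrade-launcher-env.sh (added example, not Soffid's upgrade-launcher.sh):
# recreate the launcher with the environment of the running container.

# Print the container's environment, one VAR=value per line.
container_env() {
    docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$1"
}

# Keep only the variables Soffid documents for the launcher; PATH, JAVA_HOME and
# other variables the image sets itself must not be pinned across upgrades.
launcher_env() {
    container_env "$1" | grep -E '^(STORE_SERVER|STORE_USER|STORE_PASSWORD|JAVA_KEYSTORE|KEYSTORE_PASS)='
}

# Write the kept variables to an env file readable only by the current user.
# `docker create --env-file` reads it, so the password stays out of shell
# history and `ps` output.
write_env_file() {
    name=$1; file=$2
    umask 077
    launcher_env "$name" > "$file"
    [ -s "$file" ] || { echo "no launcher variables found in $name" >&2; return 1; }
}

# Steps 1 and 3-6 of the upgrade: pull the new image, stop and remove the old
# container, create and start the new one with the same volumes and port.
upgrade_launcher() {
    version=${1:?usage: upgrade-launcher-env.sh VERSION [NETWORK]}
    network=${2:-soffid}
    envfile=$(mktemp)
    write_env_file soffid-pam-launcher "$envfile" || return 1
    docker pull "soffid/pam-launcher:$version"
    docker stop soffid-pam-launcher
    docker rm soffid-pam-launcher
    docker create --network "$network" \
        -v soffid-pam-launcher:/opt/soffid/tomee/launcher \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -p 8082:8080 --env-file "$envfile" \
        --name soffid-pam-launcher "soffid/pam-launcher:$version"
    rm -f "$envfile"
    docker start soffid-pam-launcher
}

# Only act when executed directly, never when sourced.
case "$0" in */upgrade-launcher-env.sh|upgrade-launcher-env.sh) upgrade_launcher "$@" ;; esac
```

Usage: bash ./upgrade-launcher-env.sh 1.3.1 soffid (version and network are placeholders; use the image tag you are upgrading to and the network you created). The store upgrade needs no environment copy, which is why upgrade-store.sh has no equivalent step.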




Configure PAM session servers

Definition

Soffid provides the functionality that allows you to configure the Jump servers. That option is located at

Main Menu > Administration > Configure Soffid > Security settings > Configure PAM session servers

To configure this functionality it is mandatory to install PAM first, following the instructions on the PAM installation page.

A Jump server is the control point that forces users to log into that system first; from there they can traverse to other servers without having to log in again. The purpose of a jump server is to be the only gateway for access to your infrastructure, reducing the potential attack surface.

Screen overview

Standard attributes

Actions

Add new

Allows you to add a new PAM configuration. You can choose that option by clicking the add button (+).

You must fill in all the attributes to save a new configuration. 

Delete

Allows you to delete one or more PAM configuration records. You must select one or more records from the list and click the button with the subtraction symbol (-).

Before performing that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Apply changes

Allows you to create a new PAM configuration or to update an existing one. To save the data it is mandatory to fill in the required fields. The user name and password must also be valid, because Soffid uses them to connect to the servers.

Undo

Allows you to quit without applying any changes made.


SSH gateway

SSH gateway

SSH Gateway Installation

Introduction

Soffid allows you to deploy a new docker container with the SSH gateway. The configuration is similar to the sync server configuration; the main difference is that the SSH container listens for SSH connections.

Prerequisites

The SSH Service is only released as a docker service.

1. Install docker ( https://docs.docker.com/install/ )

2. Install Soffid PAM (store container and launcher container) 

You can visit the PAM Jump Server Installation page for more information about how to install PAM

3. Create a Docker network (*). That network lets containers attached to the same bridge network communicate with each other:

sudo docker network create -d bridge NETWORKNAME

*  You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.

Installation

The steps required to install SSH container are:

1. Create a user

We need to create a user in the pam store container. To do this, we need to connect to the store container.

sudo docker exec -it soffid-pam-store /bin/bash

Once we are connected to the container, we need to run a script to create the user. This script takes two parameters, the user name and the role. The role must be launcher.

root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh proxysshtest launcher
Password: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
root@soffid-pam-store:/#

As a result of the script, we receive the password for the created user. This password will be needed later when we create the container.

2. Create volume

We need to create a volume that will be used by the docker container.

sudo docker volume create soffid-ssh

3. Create a docker container

Finally, we need to execute the command to create the SSH gateway container.

docker run \
--name soffid-ssh \
-e SOFFID_SERVER=https://iam-sync.soffidnet:1760 \
-e SOFFID_USER=admin \
-e SOFFID_PASS=changeit \
-e SOFFID_HOSTNAME=ssh-gateway \
-e STORE_SERVER=http://soffid-pam-store:8080 \
-e STORE_PASSWORD=kDH0vh8MFWWn843Vhzmj0Np7uzMEfbqFYM1ELCQqOf++tF0xfd=Ve2eGq81OXvqy \
-e STORE_USER=proxysshtest \
-v soffid-ssh:/opt/soffid/iam-sync/conf \
--publish 2222:22 \
--network=soffidnet \
soffid/pam-ssh:1.4.2

Environment Variables

To create the new SSH container you need to set the following environment variables:

Variable         Description                                                          Example
SOFFID_SERVER    Sync Server URL                                                      https://syncserver01.soffid.com:1760
SOFFID_USER      Soffid user to join the security domain                              admin
SOFFID_PASSWORD  Soffid user password                                                 changeit
SOFFID_HOSTNAME  The hostname used to access the ssh gateway                          ssh-gateway
STORE_SERVER     Store URL                                                            http://soffid-pam-store:8080
STORE_PASSWORD   Password received when you created the user in the store container  ************
STORE_USER       Store user                                                           proxyssh


SSH gateway

SSH Gateway Connection

Introduction

We can establish a connection to the target system using the SSH remote access protocol.

How to connect 1

You can establish the connection with the SSH gateway, and then Soffid will ask for your password and the parameters of the target system:

root@soffid:~# ssh -p 2222 dilbert@ssh-gateway
Password: 
Target server: 10.129.120.5
Account to use: patricia
Account source system [leave blank to use a target system local account]: 
 ________________________________________
|                 __                     |
|              __/       |               |
|   __   __  _/__|__o  __|               |
|  |__  /  \  |  |  | /  |               |
|   __| \__/  |  |  | \__/  SSH GATEWAY  |
|           __/                          |
|                                        |
| Hello dilbert                          |
| NOTICE: This session is being recorded |
|________________________________________|

Connecting to 10.129.120.5 as patricia
Last login: Fri Apr  8 08:39:23 2022 from 10.129.120.6
[patricia@forgecentos ~]$

How to connect 2

You can establish the connection with the target system by typing all the connection parameters in one line, in the form AccountName__HostName__TargetAccount. At the end, Soffid will ask for the password of your account.

root@soffid:~# ssh -p 2222 dilbert__10.129.120.5__patricia@ssh-gateway
Password: 
 ________________________________________
|                 __                     |
|              __/       |               |
|   __   __  _/__|__o  __|               |
|  |__  /  \  |  |  | /  |               |
|   __| \__/  |  |  | \__/  SSH GATEWAY  |
|           __/                          |
|                                        |
| Hello dilbert                          |
| NOTICE: This session is being recorded |
|________________________________________|

Connecting to 10.129.120.5 as patricia
Last login: Fri Apr  8 09:57:22 2022 from 10.129.120.6
[patricia@forgecentos ~]$ 

How to connect 3

You can establish the connection with the target system by typing all the connection parameters in one line, in the form AccountName__HostName__TargetAccount, and authenticating with an SSH key.

You can generate an SSH key for the connection or use your existing SSH key.

Then you need to register its public key in your user data in the Soffid Console.

Finally, you can establish the connection.

pgarcia@soffid:~$ ssh -p 2222 pgarcia__10.129.120.5__patricia@ssh-gateway
 ________________________________________
|                 __                     |
|              __/       |               |
|   __   __  _/__|__o  __|               |
|  |__  /  \  |  |  | /  |               |
|   __| \__/  |  |  | \__/  SSH GATEWAY  |
|           __/                          |
|                                        |
| Hello pgarcia                          |
| NOTICE: This session is being recorded |
|________________________________________|

Connecting to 10.129.120.5 as patricia
Last login: Fri Apr  8 11:57:19 2022 from 10.129.120.6
[patricia@forgecentos ~]$ 

Soffid needs the ssh_key attribute in the user object metadata. Please check that the attribute has been created properly and fill it in with your public key.
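The one-line login name used in "How to connect 2" and "How to connect 3" packs three values into the SSH user name, so a typo in any part is sent to the gateway as the whole. The helper below is an added example and not part of Soffid's gateway: it composes the name from its three parts, splits a name back into them, and prints the matching ssh command. The gateway host and port (ssh-gateway, 2222) are the tutorial's; the validation rules (no empty part, no whitespace, no "__" inside a part) are this script's assumptions, not the gateway's own.

```shell
#!/bin/sh
# Compose and parse the AccountName__HostName__TargetAccount login name of the
# Soffid SSH gateway (added example; the validation rules are assumptions).

# Reject empty parts, whitespace, and parts containing the "__" separator,
# which would make the login name ambiguous to split.
valid_part() {
    [ -n "$1" ] || return 1
    case "$1" in *__*|*[[:space:]]*) return 1 ;; esac
}

# gateway_user ACCOUNT HOST TARGET -> ACCOUNT__HOST__TARGET
gateway_user() {
    valid_part "$1" && valid_part "$2" && valid_part "$3" || return 1
    printf '%s__%s__%s\n' "$1" "$2" "$3"
}

# Split a login name back into its three parts (one per line); fails unless
# exactly two "__" separators are present.
parse_gateway_user() {
    rest=$1
    account=${rest%%__*}; rest=${rest#*__}
    host=${rest%%__*};    target=${rest#*__}
    [ "$rest" != "$1" ] && [ "$target" != "$rest" ] || return 1   # fewer than two separators
    case "$target" in *__*) return 1 ;; esac                        # more than two separators
    valid_part "$account" && valid_part "$host" && valid_part "$target" || return 1
    printf '%s\n%s\n%s\n' "$account" "$host" "$target"
}

# Print the ssh command line for "How to connect 2" / "How to connect 3".
# GATEWAY_HOST and GATEWAY_PORT override the tutorial's ssh-gateway:2222.
ssh_command() {
    user=$(gateway_user "$1" "$2" "$3") || return 1
    printf 'ssh -p %s %s@%s\n' "${GATEWAY_PORT:-2222}" "$user" "${GATEWAY_HOST:-ssh-gateway}"
}
```

Example: ssh_command dilbert 10.129.120.5 patricia prints the exact command shown in "How to connect 2"; parse_gateway_user is the check a wrapper script or a log parser would run before trusting the three fields.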


RDP gateway

RDP gateway

RDP Gateway Installation

RDP gateway

Soffid allows you to deploy a new docker container with the RDP gateway. The configuration is similar to the sync server configuration.

Prerequisites

The RDP Service is only released as a docker service.

1. Install docker ( https://docs.docker.com/install/ )

2. Install Soffid PAM (store container and launcher container) 

You can visit the PAM Jump Server Installation page for more information about how to install PAM

3. Create a Docker network (*). That network lets containers attached to the same bridge network communicate with each other:

sudo docker network create -d bridge NETWORKNAME

*  You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.

Installation

The steps required to install the RDP container are:

1. Create a user

We need to create a user in the pam store container. To do this, we need to connect to the store container.

sudo docker exec -it soffid-pam-store /bin/bash

Once we are connected to the container, we need to run a script to create the user. This script takes two parameters, the user name and the role. The role must be launcher.

root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh proxyrdptest launcher
Password: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
root@soffid-pam-store:/#

As a result of the script, we receive the password for the created user. This password will be needed later when we create the container.

2. Create volume

We need to create a volume that will be used by the docker container.

sudo docker volume create soffid-rdp

3. Create a docker container

Finally, we need to execute the command to create the RDP gateway container.

docker run \
  --name soffid-rdp \
  -e SOFFID_SERVER=https://iam-sync.soffidnet:1760 \
  -e SOFFID_USER=admin \
  -e SOFFID_PASS=changeit \
  -e SOFFID_HOSTNAME=rdp-gateway \
  -e STORE_SERVER=http://soffid-pam-store:8080 \
  -e STORE_PASSWORD=/Dp77Kho5QB2vVKjNNGmXYLzVa6PoPWJ8p0E4O7EP++9/ZM+l3cieGKMRSgOnFCMc \
  -e STORE_USER=proxyrdp \
  -v soffid-rdp:/opt/soffid/iam-sync/conf \
  --privileged \
  --shm-size=1024m  \
  -p 3389:3389 \
  --network=soffidnet.intenal \
  soffid/pam-rdp:1.4.2

Environment Variables

To create the new RDP container you need to set the following environment variables:

Variable         Description                                                          Example
SOFFID_SERVER    Sync Server URL                                                      https://syncserver01.soffid.com:1760
SOFFID_USER      Soffid user to join the security domain                              admin
SOFFID_PASSWORD  Soffid user password                                                 changeit
SOFFID_HOSTNAME  The hostname used to access the RDP gateway                          rdp-gateway
STORE_SERVER     Store URL                                                            http://soffid.pat.pam:8082
STORE_PASSWORD   Password received when you created the user in the store container  ************
STORE_USER       Store user                                                           proxyrdp




RDP gateway

RDP Gateway Connection

Introduction

We can establish a connection to the target system using the RDP remote access protocol, with any remote desktop client.

How to connect

You can establish the connection with the RDP gateway using a remote desktop client, and then Soffid will ask you for the parameters to connect:
