RDP, SSH and SQL Connection

Available permissions to access resources are displayed in the user console.

Sorting is available for each column except the Tags column. When entering characters in the search field, matches will be displayed for all columns.

If the user has access to ad hoc resources, they will be displayed at the top of the list.

Connection to a Resource via RDP

1. In the user console, click Download RDP file to the right of the permission.
   
   By default, resources that support RDP and SSH connectivity have the Copy SSH command button displayed. To download RDP file, click , and then Download RDP file.
   
   
2. Run the RDP file to access the resource.
3. Authenticate.
4. Optionally specify local drives to use in the remote session.

info

The downloaded RDP file can be reused for further connections.

Connection to the Access Gateway

1. Click Connect to the access gateway, the download of the RDP file will begin.
2. Run this RDP file.
3. Authenticate and set up the connection.

Connection to the SSH Proxy

You can connect to the SSH Proxy from the command line or by using any SSH client.

Command line

1. Open the console utility.

2. Enter the connection string of the SSH Proxy or the load balancer. Можно использовать IP-адрес или DNS.
   To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.

   Template of SSH Proxy Connection Command

   ssh <IP address or DNS>
   Example of SSH Proxy Connection Command

   ssh axidianproxy

   Optionally specify the user login and port.

   Template of SSH Proxy Connection Command

   ssh <login>@<IP address or DNS> -p <port>
   Example of SSH Proxy Connection Command

   ssh user@axidianproxy -p 2222

   Optionally specify the path to the private key.

   Template of SSH Proxy Connection Command

   ssh <login>@<IP address or DNS> -p <port> -i <path to the private key>
   Example of SSH Proxy Connection Command

   ssh user@axidianproxy -p 2222 -i "C:\Users\user\.ssh\id_ed25519"

3. Enter the password. If SSH key authentication is configured, skip this step.

4. Enter OTP.

5. Select a resource and connect.

PuTTY

Authentication via Password

1. Open the PuTTY app.
2. In the Host Name (or IP address) field, enter the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
3. Optionally specify the port in the Port field.
4. In the Connection type field, select SSH.
5. Click Open.
6. Enter user login.
7. Enter the password.
8. Enter OTP.
9. Select a resource and connect.

Authentication via SSH Key

caution

This method is possible only if SSH key authentication is configured and the key is generated by the PuTTYgen utility.

1. Open the PuTTY app.
2. In the Host Name (or IP address) field, enter the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
3. Optionally specify the port in the Port field.
4. In the Connection type field, select SSH.
5. Open Connection → Data. Enter user login in Auto-login-username field.
6. Open Connection → SSH → Auth → Credentials. Specify the private key in the Private key file for authentication field.
7. Click Open.
8. Enter OTP.
9. Select a resource and connect.

Certificate Authentication

caution

This method is available only if SSH key authentication is configured and PuTTY CAC is installed.

1. Open the PuTTY app.
2. In the Host Name (or IP address) field, enter the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
3. Optionally specify the port in the Port field.
4. In the Connection type field, select SSH.
5. Open Connection → Data. Enter user login in Auto-login-username field.
6. Open Connection → SSH → Certificate. Click Set CAPI Cert.
7. Click Open.
8. Enter OTP.
9. Select a resource and connect.

MobaXterm

caution

In MobaXterm versions earlier 23.0, you need to disable the Fix connection issues option in the Settings → Configuration → SSH section.

Authentication via Password

1. Open the MobaXterm app.
2. Click Sessions → New Session.
3. Select SSH.
4. In Remote host specify the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
5. Enable the Specify username option and enter the username.
6. Optionally specify the port in the Port field.
7. Click OK.
8. Enter the password.
9. Enter OTP.
10. Select a resource and connect.

Authentication via SSH Key

caution

This method is possible only if SSH key authentication is configured.

1. Open the MobaXterm app.
2. Click Sessions → New Session.
3. Select SSH.
4. In Remote host specify the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
5. Enable the Specify username option and enter the username.
6. Optionally specify the port in the Port field.
7. Click the Advanced SSH Settings tab.
8. Enable the Use private key option and specify the private key in this field.
9. Click Expert SSH settings.
10. In the SSH protocol version field, specify SSHv2.
11. Click OK.
12. Enter OTP.
13. Select a resource and connect.

SecureCRT

Authentication via Password

1. Open the SecureCRT app.
2. Click File → Quick Connect.
3. In the Protocol field, select SSH2.
4. In the Hostname field, specify the SSH Proxy or the balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
5. Optionally specify the port in the Port field.
6. In the Username field, enter the username.
7. Click Connect.
8. Enter the password.
9. Enter OTP.
10. Select a resource and connect.

Authentication via SSH Key

1. Open the SecureCRT app.
2. Click File → Quick Connect.
3. In the Protocol field, select SSH2.
4. In the Hostname field, specify the SSH Proxy or the balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
5. Optionally specify the port in the Port field.
6. In the Username field, enter the username.
7. In the Authentication group, enable the PublicKey option and disable all others.
8. Select PublicKey with the mouse and click .
9. Select the Use session public key setting option.
10. Specify the private key in the Use identity or certificate file field.
11. Click OK.
12. Click Connect.
13. Enter OTP.
14. Select a resource and connect.

Connection to a Resource via SSH

Command Line

Connection by command from the user console

1. In the user console, to the right of the permission to the SSH resource, click Copy SSH command.
2. Run the copied command in the terminal.
3. Enter your password and OTP.

Connection by command with additional parameters

You can write an SSH command manually using the template below.

1. Write an SSH command using the template below.
2. Run the command in the terminal.
3. Enter your password and OTP.

Template of SSH command

ssh [user-name]#[resource]#[account-name]#[reason]@[proxy-address]

• user-name — user name.
• resource — IP address or DNS.
• account-name — name of the privileged account.
• reason — text of the connection reason. If the reason contains spaces, specify it in quotation marks.
• proxy-address — IP address or DNS of the SSH Proxy server.

You can omit any parameter except proxy-address. In this case, SSH Proxy will request these parameters separately.

Example of SSH command

ssh ivan.ivanov#ubuntu#webmaster#"system configuration"@pam

PuTTY

1. In the user console, to the right of the permission to the SSH resource, click Copy SSH command.
2. Open the PuTTY app.
3. Paste the copied line in the Host Name (or IP address) field. Remove the ssh, quotes, and port from this line.
4. Specify the port in the Port field.
5. Click Open.
6. Enter your password and OTP.

MobaXterm

1. Open the MobaXterm app.
2. Click Sessions → New Session.
3. Select SSH.
4. In Remote host specify the SSH Proxy or the load balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
5. Включите опцию Specify username.
6. Enter username. You can specify it in the format: [user-name]#[resource]#[account-name]#[reason]
   
   
   Example of specifying additional parameters in a username

   VDD\alex.shushkin#cent9en.vdd.com#CENT9EN\local##
7. Optionally specify the port in the Port field.
8. Click OK.
9. Enter your password and OTP.

SecureCRT

1. Open the SecureCRT app.
2. Click File → Quick Connect.
3. In Protocol field select SSH2.
4. In the Hostname field, specify the SSH Proxy or the balancer address. You can use an IP address or DNS. To find out the SSH Proxy address, copy the SSH command of any resource in the user console and take the value specified after the @ character.
5. In the Username field, specify the username. You can specify it in the format: [user-name]#[resource]#[account-name]#[reason]
   
   
   Example of specifying additional parameters in a username

   VDD\alex.shushkin#cent9en.vdd.com#CENT9EN\local##
6. Click Connect.
7. Enter your password and OTP.

Connection to a Resource via the PostgreSQL Proxy

caution

A special license is required to connect to the PostgreSQL resource.

GUI DBMS Client

1. Open the user console of Axidian PAM.

2. Click Show connection credentials.

3. Open your DBMS client and enter into its connection form the data you received in the previous step:

   • Connection Address
   • Connection Port
   • Account Name
   • Default Database

4. If the User must specify the connection reason option is enabled in the session policy, then add the connection reason text to the Account Name field.

   Example: if the Account Name value was admin@company.local#1.1.1.1#MYCOMPANY\test-admin, after the reason was added it will read as: admin@company.local#1.1.1.1#MYCOMPANY\test-admin#"my reason to connect".

   If this option is disabled, skip this step.

5. In the connection form, enter the password of your PAM account.

Console client of DBMS Psql

1. Open the user console of Axidian PAM.

2. Click next to the desired permission.

3. Click Copy command for Psql. The command to connect to this resource will be copied to the clipboard.

4. If the User must specify the connection reason option is enabled in the session policy, then add the connection reason text to the value of the -U.

   Example: if the -U parameter value was admin@company.local#1.1.1.1#MYCOMPANY\test-admin, after the reason was added it will read as: admin@company.local#1.1.1.1#MYCOMPANY\test-admin#"my reason to connect".

   If this option is disabled, skip this step.

5. Run the command from the previous step in the terminal. After executing the command, PostgreSQL Proxy will prompt you for the user's password.

6. Enter your PAM account password in the connection form.

Connection to an Ad Hoc Resource

Ad hoc resources are resources that are not registered in the Axidian Privilege system. This type of connection makes it possible to connect to any resources according to connection types predefined by the PAM administrator.

caution

A special license is required to connect to the ad hoc resource.

1. Click Specify connection address to the right of the required permission to the ad hoc resource.

2. Select Connection type.

   info

   The available connection types are determined by the PAM administrator when granting permissions.

3. Enter Connection address.

4. Depending on the selected connection type, click one of the buttons: Copy SSH command or Download RDP file.

info

If you have several permissions (with different connection types) to an ad hoc resource, and in the Connection to an ad hoc resource window in the Connection type field there are no required options, then check the Permission Access Schedule.

The connection type will not be displayed in the Connection type field if you are trying to connect via permission outside the hours specified in the Permission Access Schedule.

Setting a Password During Connection

When connecting to the resource, you may be asked for a password.

This means that the account on whose behalf you are granted access to the resource does not have a password. You cannot connect to the resource with such an account. Contact your PAM administrator, as only an administrator can set an account password.

Ending a Session

To end the session, close the remote connection window or log off the resource.