Version: Axidian Privilege 3.4

Connecting via SSH Proxy

Axidian Privilege supports connecting Ansible to resources through a proxy server. In this scenario, Ansible connects to the SSH Proxy component, which provides access to resources via SSH, SCP, and SFTP protocols.

The component establishes a connection to the resource on behalf of the specified account, controls access to it, and logs all actions on the resource in the Events, Active Sessions, and All Sessions journals.

Limitations

Two-factor authentication is not supported in the Ansible via SSH Proxy scenario.

Requirements

The following is required to use Ansible via SSH Proxy:

Connection Configuration

To configure a connection from an Ansible playbook through SSH Proxy:

  1. Construct the SSH Proxy connection string in UTF-8 encoding using the following template:

    <pam_user>#<resource_address>#<account_name>#[reason]
    • pam_user — Axidian Privilege username for authentication in SSH Proxy.
    • resource_address — IP address or DNS name of the target resource.
    • account_name — name of the account under which the user connects to the target resource.
    • reason — reason for connecting to the resource, if required by the policy.

    Example: pam.admin#192.168.0.100#PAM.LOCAL\pam-admin#Maintenance

  2. Configure Ansible for connecting to Axidian Privilege in one of the following files:

    • Ansible playbook — specify the parameters in the vars section.

    • inventory configuration file — specify the parameters in the hosts section.

      Configuration parameters

      Parameter                    | Requirement | Description
      ansible_host                 | Required    | DNS name or IP address of the SSH Proxy component.
      ansible_port                 | Required    | SSH Proxy component port. Default port: 2222.
      ansible_user                 | Required    | SSH Proxy connection string. Example: pam.admin#10.0.0.1#DOMAIN\admin
      ansible_password             | Optional    | PAM user password. Specify if password authentication is configured. It is recommended to encrypt the password using Ansible Vault.
      ansible_ssh_private_key_file | Optional    | Path to the PAM user SSH key. Specify if SSH key authentication is configured. Example: /home/user/.ssh/id_rsa
      ansible_ssh_retries          | Optional    | Number of connection retry attempts. Use if reconnection is needed after a connection drop or after the session is closed from the administrator console.

      Example

      - name: Execute command via PAM SSH Proxy
        hosts: all
        gather_facts: false

        vars:
          ansible_host: "pam.company.com"
          ansible_port: 2222
          ansible_user: "pam.admin#192.168.0.100#DOMAIN\\admin"
          ansible_password: "{{ pam_password }}"

        tasks:
          - name: Get system information
            ansible.builtin.raw: uname -a
            register: result
            changed_when: false

          - name: Show result
            ansible.builtin.debug:
              msg: "{{ result.stdout | trim }}"
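Because ansible_host always points at the SSH Proxy and only the ansible_user connection string selects the real target, managing several resources means one inventory entry per resource, each with its own connection string. The following added example (not Axidian's tooling; the proxy address and the targets are placeholders) builds and validates connection strings from the template in step 1 and emits a YAML inventory in the form described in step 2, referencing the password through a Vault variable instead of writing it into the file:

```python
import json

PROXY_HOST = "pam.company.com"  # assumed SSH Proxy address (placeholder)
PROXY_PORT = 2222               # default SSH Proxy port


def build_connection_string(pam_user, resource, account, reason=None):
    """Return '<pam_user>#<resource_address>#<account_name>#[reason]'.

    '#' is the field separator, so no field may contain it; the reason
    field is appended only when the policy requires one."""
    parts = [pam_user, resource, account] + ([reason] if reason else [])
    for part in parts:
        if not part or "#" in part:
            raise ValueError(f"invalid connection string field: {part!r}")
    return "#".join(parts)


def build_inventory(pam_user, targets, reason=None):
    """Return an inventory dict with one entry per target resource.

    targets maps an inventory hostname to (resource_address, account_name).
    Every entry points ansible_host/ansible_port at the proxy; only the
    ansible_user connection string selects the real target. The password
    is referenced through a Vault variable, never written into the file."""
    hosts = {}
    for name, (resource, account) in targets.items():
        hosts[name] = {
            "ansible_host": PROXY_HOST,
            "ansible_port": PROXY_PORT,
            "ansible_user": build_connection_string(pam_user, resource, account, reason),
            "ansible_password": "{{ vault_pam_password }}",
        }
    return {"pam_targets": {"hosts": hosts}}


def to_yaml(inventory):
    """Serialize the inventory as YAML by hand (no PyYAML needed).

    JSON quoting is valid YAML and keeps '#' and backslashes in the
    connection string from being read as a comment or an escape."""
    lines = []
    for group, body in inventory.items():
        lines += [f"{group}:", "  hosts:"]
        for name, hostvars in body["hosts"].items():
            lines.append(f"    {name}:")
            lines += [f"      {k}: {json.dumps(v)}" for k, v in hostvars.items()]
    return "\n".join(lines) + "\n"
```

Save the output as inventory.yml and keep vault_pam_password in a Vault-encrypted vars file loaded via vars_files, as shown in the Ansible Vault section.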

Running a Scenario

To start a session, open a terminal and run the command to connect to the resource via SSH Proxy:

ansible-playbook <playbook> [-i <inventory>] [-e <variable>]
  • playbook — name of the Ansible playbook
  • inventory — name of the configuration file with connection settings
  • variable — a playbook variable passed on the command line, for example one whose value is taken from an environment variable

Launch command examples

  Connection settings specified in the playbook:
    ansible-playbook playbook.yml

  Connection settings specified in the configuration file:
    ansible-playbook playbook.yml -i inventory.yml

  Using an environment variable:
    ansible-playbook playbook.yml -i inventory.yml -e "pam_password=${PAM_PASSWORD}"

Using Ansible Vault

It is recommended not to store credentials in plain text and to encrypt them using the Ansible Vault component.

To encrypt the PAM user password:

  1. Open a terminal and run the command to encrypt the password:

    ansible-vault encrypt_string --ask-vault-pass '<password>' --name '<variable>'
    • password — the Axidian Privilege user password to encrypt
    • variable — the variable name for encryption
  2. Enter the password that will be used to decrypt the variable when running the playbook.
    As a result, the encrypted variable will be displayed in the terminal.

  3. Create a file in YAML or JSON format and save the command output to it.

    vault_pam_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31643864386664376639656162346664313937633035346638656139376138656163376638656164
      6337663961383964666137633930626439656637666137660a313233343536373839306162636465
  4. Specify the variable in the playbook:

    • For the vars_files parameter, specify the path to the file containing the encrypted variable.
    • For the ansible_password parameter, specify the variable name.

    Example

    ---
    - name: Execute command via PAM SSH Proxy using Ansible Vault
      hosts: all
      gather_facts: false
      vars_files:
        - ./vault.yml

      vars:
        ansible_host: "pam.company.com"
        ansible_port: 2222
        ansible_user: "pam.admin#192.168.0.100#PAM.LOCAL\\pam-admin"
        ansible_password: "{{ vault_pam_password }}"

      tasks:
        - name: Verify connection
          ansible.builtin.raw: id
          register: result
          changed_when: false
          no_log: true

Security Recommendations

  1. For server authentication and automation scenarios, before the first connection to PAM, add the public key of the SSH Proxy component to the known_hosts file:

    ssh-keyscan [-p <port>] <host> >> ~/.ssh/known_hosts
    • port — SSH Proxy component port
    • host — DNS name or IP address of the SSH Proxy component

    caution

    Verify the key's authenticity before relying on it: ssh-keyscan follows the trust on first use (TOFU) model, so the key is added to known_hosts without any verification. Compare its fingerprint with one obtained from the PAM administrator through a trusted channel.

    Do not disable public key verification (StrictHostKeyChecking=no) — this reduces security.

  2. Do not store passwords in plain text — use Ansible Vault to encrypt credentials.

  3. Use the no_log: true parameter to prevent credentials from appearing in Ansible logs when a task completes.

  4. In CI/CD scenarios, pass the password and SSH key through environment variables.

  5. To ensure security and optimize operation, it is recommended to use the following parameters:

    • gather_facts: false — disables host information gathering, which prevents Python script launch commands from appearing in logs.

    • no_log: true — disables output to the console and Ansible logs. Use for tasks involving credentials.

    • become: true and become_method: sudo — elevates privileges for executing commands that require root permissions.

    • raw module — allows executing commands through SSH Proxy without installing Python on the target resource and enables displaying an informative log in the session profile in the administrator console.

      Scenario example

      ---
      - name: Execute command via PAM SSH Proxy
        hosts: all
        gather_facts: false
        become: true
        become_method: sudo

        vars:
          ansible_host: "pam.company.com"
          ansible_port: 2222
          ansible_user: "pam.admin#10.10.5.190#PAM.LOCAL\\pam-admin"
          ansible_password: "{{ pam_password }}"

        tasks:
          - name: Execute command (credentials hidden)
            ansible.builtin.raw: uname -a
            register: result
            changed_when: false
            no_log: true

          - name: Show command result (log displayed)
            ansible.builtin.debug:
              msg: "{{ result.stdout | trim }}"
            no_log: false
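Recommendation 1 above appends whatever ssh-keyscan returns, which is the TOFU behaviour the caution warns about. The following added example (not part of Axidian's documentation; the keyscan line and key blob are constructed, and the expected fingerprint is one you would receive from the PAM administrator out of band) computes the OpenSSH SHA256 fingerprint of the scanned key and writes it to known_hosts only when it matches:

```python
import base64
import hashlib

# Constructed sample of ssh-keyscan output for a non-default port; the
# key blob is an arbitrary base64 string, not a real host key.
SAMPLE_KEYSCAN = "[pam.company.com]:2222 ssh-ed25519 Y29uc3RydWN0ZWQ=\n"


def sha256_fingerprint(key_blob_b64):
    """OpenSSH-style 'SHA256:<unpadded base64>' of the raw key blob, the
    same value 'ssh-keygen -lf' prints, so it can be compared with the one
    the PAM administrator hands over through a trusted channel."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line):
    """Return (hostspec, key type, blob) for one ssh-keyscan line, or None
    for blank lines and '#' banner/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"unexpected ssh-keyscan line: {line!r}")
    return fields[0], fields[1], fields[2]


def pin_host_key(keyscan_output, expected_fingerprint, known_hosts_path):
    """Append the scanned key to known_hosts only when its fingerprint
    equals the expected one; returns True if a key was pinned.

    A non-matching key is skipped instead of being trusted on first use."""
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        hostspec, keytype, blob = parsed
        if sha256_fingerprint(blob) != expected_fingerprint:
            continue
        with open(known_hosts_path, "a", encoding="utf-8") as fh:
            fh.write(f"{hostspec} {keytype} {blob}\n")
        return True
    return False
```

Feed it the output of ssh-keyscan -p 2222 <host> and the fingerprint you were given; if nothing is pinned, the connection should not proceed.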