chapter 6 Flashcards
what are the 2 types of linked accounts
1. logon account
2. reconcile account
root account best practices
the root user is often prevented from logging in remotely as part of best practices (/etc/ssh/sshd_config)
> PermitRootLogin no
The solution is to log in as a user with the authorization to switch to root in order to perform the password change
Root Password Change Failure
If the SSH policy on the target machine forbids root logon, the (blank) will not be able to verify or change the root password
cpm
what to do when the root logon account fails
the solution is to onboard a non-privileged account that we can use to connect and then switch to root in order to perform the password change. this account is the (blank)
logon account - in order to use this account you need to link it to the root account
Now that we have specified a logon account, when we re-run a password change, we will see that the (blank) user has changed the password.
Note that the logon account is also used when connecting to the target system through the (blank)
password manager
psm
(blank) is used for situations where we don't know a password or if the use of individual passwords would be too onerous
reconciliation
The verification process will discover passwords that are not synchronized with their corresponding password in the (blank) and we can configure the (blank) to reset the password in the (blank) and on the Target
vault
cpm
vault
(blank) reconciliation is enabled by default.
(blank) reconciliation must be enabled
manual
automatic
A (blank) account is typically a Domain account with sufficient rights to perform a password change
reconcile
Failed Verify and Reconcile Process
Failed verify:
cpm scans vault for accounts
vault sends current credentials to cpm
cpm sends login credentials to target
target reports failure to cpm
cpm flags account in the vault
Reconcile:
cpm scans vault for flagged accounts
vault sends current credentials to cpm
cpm generates a new password and connects to target with the reconcile account and then runs a password reset
target reports success or failure to cpm
cpm logs in to target with the new credentials
target reports success or failure
cpm stores the new credentials in the vault
(blank) account
used when a user is prevented from logging on, and the password is known
used on a regular basis - i.e. it is common to block root access via SSH
a super user such as root should not be used as a (blank) account
logon
logon
(blank) accounts
used for lost or unknown passwords
should be used infrequently
needs to have elevated privileges (member of local administrators)
this account is usually a service account reserved for this purpose
reconcile
(blank) password authentication
* Client launches the connection.
* Server presents its public key.
* Client and server negotiate a symmetric session key. All further communication is encrypted with the symmetric session key.
* User enters the account password and the Server authenticates it
SSH
(blank)
To authenticate with SSH keys, the user must first generate a public/private key-pair locally on her machine and then install the public key in her user directory on the target server (or servers) through a password-authenticated session.
Once that is done, the user can authenticate using the SSH keys.
* She launches a connection to the remote server.
* The server then encrypts a random prime number with the user's public key and transmits that back to the user, who must then decrypt the number with her corresponding private key.
* She then generates a hash of the prime number and returns it to the server.
* The server compares it with its own hash of the prime. If they match, then this proves that the user must have the private half of the key-pair.
* The server therefore allows the connection to be established.
SSH – Asymmetric Key Authentication
what are the SSH Key Advantages?
- SSH keys allow a substantially longer secret between client and server than a password.
- The secret is never transmitted over the network.
- One private key can be used to access multiple systems
what are the SSH Key Disadvantages?
- One private key can be used to access multiple systems. If it is compromised, all the systems that trust it are vulnerable
- SSH keys are more difficult to change than passwords
(blank)
- Creates unique key-pairs for each target system.
- Private keys are stored in the Vault, not on user workstations.
- The CPM changes key-pairs often and automatically disseminates public keys to target systems.
- End users retrieve the private key from the Vault to authenticate to the target system
SSH Key Manager
how are keys added to the vault
1. select system type
2. assign to platform - ssh keys can share a safe with passwords, but they need their own platforms
2a. because entering the ssh keys into cyberark exposes them, the old keys can no longer be considered secure and should be rotated immediately
2b. you can select the file containing the private key or copy and paste it
You can rotate the SSH keys using the (blank) button, just like with passwords
change
Users who have the (blank) permission can retrieve a copy of the private key
retrieve accounts
Users who have the (blank) permission can click on the Connect button to launch the session directly from the PVWA
use accounts
If you have applications that authenticate using SSH keys, you can use (blank) to push private keys to those servers
CyberArk PAM