# PAM Integration

Integrate SSH-KLM with Privileged Access Management (PAM) solutions.
## Supported PAM Solutions

| Solution | Integration Type | Status |
|---|---|---|
| CyberArk | Credential Provider | GA |
| BeyondTrust | API Integration | GA |
| HashiCorp Vault | Secrets Engine | GA |
| Delinea (Thycotic) | API Integration | Beta |
## CyberArk Integration

### Configuration

```yaml
# SSH-KLM PAM integration config
pam:
  provider: cyberark

  cyberark:
    appId: "SSH-KLM"
    safe: "SSH-Keys"
    credentialProviderUrl: "https://cyberark.example.com/AIMWebService"

    # Certificate authentication
    clientCert: /etc/ssh-klm/cyberark-client.pem
    clientKey: /etc/ssh-klm/cyberark-client-key.pem
```

### Credential Retrieval

```javascript
// SSH-KLM retrieves credentials from CyberArk
const credential = await client.pam.getCredential({
  safe: 'SSH-Keys',
  object: 'root-server01'
});
```
Section titled “BeyondTrust Integration”Configuration
Section titled “Configuration”pam: provider: beyondtrust
beyondtrust: apiUrl: "https://beyondtrust.example.com/api" apiKey: ${BEYONDTRUST_API_KEY} managedSystemId: "ssh-servers"HashiCorp Vault Integration
## HashiCorp Vault Integration

```bash
# Enable SSH secrets engine
vault secrets enable ssh

# Generate the CA signing key that the role below signs with
vault write ssh/config/ca generate_signing_key=true

# Configure SSH-KLM role (a CA role must allow user or host certificates)
vault write ssh/roles/ssh-klm \
  key_type=ca \
  allow_user_certificates=true \
  default_user=admin \
  ttl=1h
```

### Configuration

```yaml
pam:
  provider: vault

  vault:
    address: "https://vault.example.com:8200"
    authMethod: approle
    roleId: ${VAULT_ROLE_ID}
    secretId: ${VAULT_SECRET_ID}
    sshPath: ssh
```
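The CyberArk, BeyondTrust and Vault configs above share one pattern: secrets arrive as `${ENV_VAR}` placeholders and every endpoint is an HTTPS URL. The following is an added example, not SSH-KLM project code, that resolves those placeholders from the environment and validates a `pam` section before a client is constructed, covering the three provider field sets shown on this page. The required-field lists, the function names and the sample config are assumptions for illustration; the point is that an unresolved placeholder or a plain-http endpoint stops startup instead of sending an empty API key or a credential over clear text.

```javascript
// Added example, not SSH-KLM project code: resolve ${ENV_VAR} placeholders in a
// PAM config section and validate it before the client is constructed.
// Required fields mirror the keys in the CyberArk, BeyondTrust and Vault configs
// shown on this page (Delinea has no config shown, so it is not covered here).
const REQUIRED_FIELDS = {
  cyberark: ['appId', 'safe', 'credentialProviderUrl', 'clientCert', 'clientKey'],
  beyondtrust: ['apiUrl', 'apiKey', 'managedSystemId'],
  vault: ['address', 'authMethod', 'roleId', 'secretId', 'sshPath'],
};

// Endpoint fields that must be HTTPS: a plain-http PAM endpoint would carry
// API keys and retrieved credentials in clear text.
const URL_FIELDS = new Set(['credentialProviderUrl', 'apiUrl', 'address']);

const PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Replace every ${VAR} in a string with env[VAR]; unresolved names are
// appended to `missing` so the caller can report them all at once.
function resolvePlaceholders(value, env, missing) {
  if (typeof value !== 'string') return value;
  return value.replace(PLACEHOLDER, (_, name) => {
    if (env[name] === undefined || env[name] === '') {
      missing.push(name);
      return '';
    }
    return env[name];
  });
}

// Returns { provider, <provider>: resolvedSection } or throws with the reason.
function validatePamConfig(pam, env = process.env) {
  if (!pam || typeof pam !== 'object') throw new Error('pam section missing');
  const provider = pam.provider;
  const required = REQUIRED_FIELDS[provider];
  if (!required) throw new Error(`unsupported PAM provider: ${provider}`);
  const section = pam[provider];
  if (!section || typeof section !== 'object') throw new Error(`pam.${provider} section missing`);

  const missingEnv = [];
  const resolved = {};
  for (const [key, raw] of Object.entries(section)) {
    resolved[key] = resolvePlaceholders(raw, env, missingEnv);
  }
  if (missingEnv.length) {
    throw new Error(`unresolved environment variables: ${[...new Set(missingEnv)].join(', ')}`);
  }

  const absent = required.filter((k) => resolved[k] === undefined || resolved[k] === '');
  if (absent.length) throw new Error(`pam.${provider} missing required fields: ${absent.join(', ')}`);

  for (const key of URL_FIELDS) {
    if (!(key in resolved)) continue;
    let url;
    try {
      url = new URL(resolved[key]);
    } catch {
      throw new Error(`pam.${provider}.${key} is not a valid URL`);
    }
    if (url.protocol !== 'https:') throw new Error(`pam.${provider}.${key} must use https`);
  }
  return { provider, [provider]: resolved };
}

// Constructed sample mirroring the Vault config above; the placeholders are
// resolved from the env object passed in, not from the real environment.
const SAMPLE_VAULT_PAM = {
  provider: 'vault',
  vault: {
    address: 'https://vault.example.com:8200',
    authMethod: 'approle',
    roleId: '${VAULT_ROLE_ID}',
    secretId: '${VAULT_SECRET_ID}',
    sshPath: 'ssh',
  },
};
```

Call `validatePamConfig(config.pam)` once at startup; the resolved object is what the client should be built from, while the original config (with placeholders, not secrets) is what can safely be logged or diffed.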
## Credential Sync

SSH-KLM can sync discovered keys to PAM:

```javascript
// Sync discovered keys to PAM vault
await client.ssh.syncToPam({
  filter: { status: 'managed' },
  pamProvider: 'cyberark',
  safe: 'SSH-Keys-Managed'
});
```
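The sync call above pushes whatever keys `filter` selects into the named safe. The following is an added example, not SSH-KLM project code, that wraps that call with a dry-run preview of the selection and a read-back check through `client.pam.getCredential()` from the CyberArk section, so the operator verifies what actually landed in the safe rather than trusting the sync result. The key inventory, the `<user>-<host>` object naming (modelled on `root-server01`) and the mock client are constructed assumptions; only the two SDK call shapes come from this page.

```javascript
// Added example, not SSH-KLM project code. Previews which discovered keys a
// sync filter selects, runs the page's client.ssh.syncToPam() call, then reads
// each expected object back with client.pam.getCredential() so the operator
// verifies the safe instead of trusting the sync result. The inventory, the
// object-naming rule and the mock client are constructed for illustration;
// only the two SDK call shapes come from this page.

// Constructed discovery inventory; the field names are assumptions.
const DISCOVERED_KEYS = [
  { fingerprint: 'SHA256:aaa', host: 'server01', user: 'root', status: 'managed' },
  { fingerprint: 'SHA256:bbb', host: 'server02', user: 'deploy', status: 'managed' },
  { fingerprint: 'SHA256:aaa', host: 'server03', user: 'root', status: 'managed' }, // same key reused on a second host
  { fingerprint: 'SHA256:ccc', host: 'server04', user: 'backup', status: 'unmanaged' },
  { fingerprint: 'SHA256:ddd', host: 'server05', user: 'admin', status: 'orphaned' },
];

// Safe object name, following the 'root-server01' pattern used on this page
// (assumption: <user>-<host>).
function objectName(key) {
  return `${key.user}-${key.host}`;
}

// A filter matches when every field it names equals the key's value.
function matchesFilter(key, filter) {
  return Object.entries(filter).every(([field, want]) => key[field] === want);
}

// Evaluate the filter locally so the selection can be reviewed before any
// key material is pushed to the PAM.
function planSync(keys, filter) {
  return keys.filter((key) => matchesFilter(key, filter));
}

// Run the sync (unless dryRun) and report objects that are not readable
// from the safe afterwards.
async function syncAndVerify(client, keys, { filter, pamProvider, safe, dryRun = false }) {
  const plan = planSync(keys, filter);
  const report = { planned: plan.map(objectName), synced: false, missing: [] };
  if (dryRun) return report;

  await client.ssh.syncToPam({ filter, pamProvider, safe });
  report.synced = true;

  for (const key of plan) {
    const name = objectName(key);
    const credential = await client.pam.getCredential({ safe, object: name });
    if (!credential) report.missing.push(name);
  }
  return report;
}

// Constructed mock client: syncToPam stores the inventory keys matching the
// filter in an in-memory safe; getCredential reads one back. `rejected` lists
// object names the PAM silently drops, to exercise the verification path.
function makeMockClient(inventory, rejected = []) {
  const safes = new Map();
  const objectsIn = (safe) => {
    if (!safes.has(safe)) safes.set(safe, new Map());
    return safes.get(safe);
  };
  return {
    safes,
    ssh: {
      async syncToPam({ filter, safe }) {
        const objects = objectsIn(safe);
        for (const key of inventory.filter((k) => matchesFilter(k, filter))) {
          const name = objectName(key);
          if (!rejected.includes(name)) objects.set(name, { fingerprint: key.fingerprint });
        }
        return { synced: objects.size };
      },
    },
    pam: {
      async getCredential({ safe, object }) {
        return objectsIn(safe).get(object) || null;
      },
    },
  };
}
```

Run `syncAndVerify` with `dryRun: true` first and review `planned`; a non-empty `missing` list after a real run is the signal to stop and investigate before relying on the safe for those hosts.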