Specifying Proxy Root Accounts

On most UNIX systems, the most common scenario is to have the Privileged Access Service manage the password for the local root user. However, it is also very common to configure secure shell (SSH) environments to prevent the root user from opening secure shell connections, which would prevent the root account from being used to log on to target systems.

To address these two common scenarios, the Privileged Access Service allows you to specify a “proxy” account to use in place of the root account. The “proxy” account is used to open the secure shell session on the target system. The account used as the “proxy” for the root account does not require any special privileges. The only requirement for the “proxy” account is that it must be allowed to open secure shell sessions on the target system. After the “proxy” account opens the secure shell connection, the Privileged Access Service gets root privileges programmatically, enabling the account to perform administrative tasks on the target system.

Accounts that use an SSH key as the credential type cannot have a proxy account.

Checking If a Proxy Account is Required

If you have configured SSH to prevent the root user account from logging on using secure shell (SSH) connections, you must add a user name and password for an account that can open a secure shell connection on the target system. If necessary, you can open the /etc/ssh/sshd_config file on the server to verify whether the PermitRootLogin parameter is set to no. If the PermitRootLogin parameter is set to no, you must specify a “proxy” account.
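
One way to script the check described above. This is an added example, not part of the product documentation or the Privileged Access Service; the function names and the sample file are constructed for illustration. It reads the global section of an sshd_config file and reports the first PermitRootLogin value, which is the one sshd uses.

```shell
# Added example: decide from sshd_config whether a "proxy" account is needed.
# Function names and the sample file are hypothetical, constructed for illustration.

# Print the first global PermitRootLogin value (lowercased), or nothing if absent.
# sshd keywords are case-insensitive and the first value read for a keyword wins.
# Lines after the first Match keyword are conditional and are not considered here.
effective_permit_root_login() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next         # blank line or comment
        low = tolower(line)
        if (low ~ /^match[ \t]/) exit               # end of the global section
        if (low ~ /^permitrootlogin[ \t=]/) {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", low) # drop keyword and separator
            split(low, parts, /[ \t]+/)
            gsub(/"/, "", parts[1])
            print parts[1]
            exit
        }
    }' "$1"
}

# Map the value to the rule on this page: "no" means a proxy account is required.
proxy_account_needed() {
    value=$(effective_permit_root_login "$1")
    case "${value:-unset}" in
        no)    echo "required" ;;
        yes)   echo "not-required" ;;
        unset) echo "unset" ;;           # built-in default applies; confirm on the host
        *)     echo "review:$value" ;;   # some other value; review manually
    esac
}

# Constructed sample configuration (not taken from a real host).
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin yes
permitrootlogin No
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "proxy account: $(proxy_account_needed "$sample")"
rm -f "$sample"
```

On the host itself, `sshd -T` (run as root) prints the effective configuration, including settings pulled in through Include files, which this file-only check does not follow.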

Managing Passwords for Proxy Accounts

If you are using a “proxy” account as a substitute for the root user account, you also have the option to have the password for the “proxy” account managed by the Privileged Access Service. If you select Manage this credential for a “proxy” account, only the Privileged Access Service will know the password for the account. The managed password for the “proxy” account will not be available to any other applications or users.

You can specify the proxy account information when you add the system, using the Add System wizard or an import template, or after you have added the system, using the System Settings.