Solution Guide: Launching SSH Sessions with Mac-Native SSH Client

These instructions show how to launch SSH sessions from Delinea Connection Manager in the Mac-native SSH client on macOS. This allows users to use the Mac-native SSH client as their preferred terminal implementation.

Use Cases

Starting in Connection Manager 2.5.3, the Mac-native SSH client supports launching sessions with usernames and passwords as well as with private keys over proxy. It does not support private keys without proxy, and it does not support sessions with session recording.

Prerequisites

Prior to using the Mac-Native SSH Client, users need to verify that they have:

  1. Connection Manager version 2.5.3 or newer installed on the client machine.

  2. A secret configured with SSH proxy to the target machine.

  3. GPG installed on the client machine. This can be accomplished by running the following terminal command:

brew install gpg 

Connection Manager looks for GPG in the default Homebrew folder. If GPG is installed in a different location, the path to that folder must be passed as a launcher argument: --environment-path /your/path
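The following pre-flight check is an added example, not part of the original guide or of Delinea's software. It locates gpg on the client machine and prints the extra --environment-path argument if one is needed. It assumes the "default Homebrew folder" is one of Homebrew's standard bin directories (/opt/homebrew/bin or /usr/local/bin); the function names are hypothetical.

```sh
#!/bin/sh
# Pre-flight check for the GPG prerequisite (added example, not Delinea code).
# Assumption: the "default Homebrew folder" is one of Homebrew's standard bin
# directories: /opt/homebrew/bin (Apple silicon) or /usr/local/bin (Intel).
DEFAULT_DIRS="/opt/homebrew/bin:/usr/local/bin"

# Print the first directory in a colon-separated list that holds an
# executable gpg file; return 1 if none does.
find_gpg_dir() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -n "$dir" ] && [ -f "$dir/gpg" ] && [ -x "$dir/gpg" ]; then
            IFS=$old_ifs
            printf '%s\n' "${dir%/}"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print the extra process argument for a gpg directory: nothing when it is a
# default directory, "--environment-path <dir>" otherwise.
extra_launcher_arg() {
    case ":$DEFAULT_DIRS:" in
        *":${1%/}:"*) return 0 ;;
    esac
    printf '%s %s\n' '--environment-path' "${1%/}"
}

# Check the default directories first, then the rest of PATH, and report
# what (if anything) must be added to the launcher's Process Arguments.
preflight() {
    if ! gpg_dir=$(find_gpg_dir "$DEFAULT_DIRS:$PATH"); then
        echo "gpg not found; install it with: brew install gpg" >&2
        return 1
    fi
    echo "gpg found in $gpg_dir" >&2
    extra_launcher_arg "$gpg_dir"
}

preflight || echo "GPG prerequisite not met" >&2
```

Empty standard output means gpg is in a default directory and no extra argument is required.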

Setup

Step 1: Create a Custom Launcher in Secret Server

Follow the directions for creating a custom launcher using the parameters named below:

General Settings

  • Launcher Type: Proxied SSH process

  • Launcher Name: macOS Terminal

  • State: Enabled

  • Preserve SSH Client Process: Yes

MacOS Settings

  • Process Name: TerminalSSH

  • Process Arguments: --password $PASSWORD --port $PORT --username $USERNAME --host $HOST

If GPG was installed to a non-default location, add the following process argument: --environment-path /your/path

Step 2: Map the New Launcher to the SSH Secret Template in Secret Server

Follow the directions for editing a secret template to map the macOS Terminal launcher to the appropriate SSH secret template (e.g., Unix Account (SSH)). Be sure to map the launcher fields as shown below.

Step 3: Launch SSH Secret from Connection Manager

Within the Connection Manager application, authenticate to the desired vault and use macOS Terminal as the secret launcher rather than PuTTY.

The macOS Terminal should open for the selected secret.

On first launch, users may see a terminal prompt asking whether to save the host key fingerprint. Enter yes to confirm the connection fingerprint as a known host.

When tasks on the connection are complete, please ensure the terminal is terminated. Because the Preserve SSH Flag setting is required, it is important to close these tabs correctly.

Known Issues

Fingerprint Confirmation

If the fingerprint is confirmed after 2 minutes or longer, it will still be accepted by the system; however, the user will need to reconnect because the connection will time out.