Managing accounts
This section describes the accounts page and how the accounts can be managed. The following topics are included in this section:
- Manage accounts
- Active Directory accounts
- Static accounts tab
- Service accounts tab
- Managing service account passwords
- SSH keys in Osirium PAM
- Troubleshooting account passwords
- Update stored credentials
Manage accounts
The Manage accounts page contains a list of accounts separated into a number of tabs depending on the account type:
-
Device accounts: accounts that exist locally on each of the provisioned devices.
-
Active Directory accounts: lists the accounts that exist on the Active Directory that is being used as the user account source.
Note
The accounts listed may be limited to a number of Groups of interest depending on how your Active Directory settings have been configured. See Adding an Active Directory.
-
Static accounts: are the accounts that have been stored in the Osirium PAM static vault.
See Manage Static Vaults. -
Service accounts: are accounts that have been configured on an Active Directory Account source and are being actively used by member servers.
Note
The account marked as the control account will be used by Osirium PAM for day-to-day interactions with the device, for which the credentials will be stored in Osirium PAM.
When devices are provisioned, Osirium PAM audits the accounts that exist on the device and lists them here. After the initial provisioning, device accounts can be audited through the following methods:
- Scheduling a device audit task through a profile.
- Executing the device audit task against an individual device.
- Adding or removing a device from a profile.
During the device audit, the account is given a state. Use the account state to review, assess and tidy up the accounts that exist on the device. Device accounts that are still operational should have their state changed appropriately (see Changing States) and any unused or potential rogue accounts should be removed.
The table below provides a description of what the individual device states mean and the options available for managing them.
Fully managed | Unapproved | Approved | Known | Managed | |
---|---|---|---|---|---|
State can be changed (only if it is not a control account) | X | X | X | X | |
Account already exists on the device | X | X | X | X | |
Account created by Osirium PAM | X | ||||
Osirium PAM knows about the account as it is either listed in the device template, marked as a control account or created by Osirium PAM | X | X | X | X | |
Credential refresh can be scheduled through a profile using the Device Credentials Regeneration task | X | X | |||
Individual device credentials can be updated using the Force credentials refresh task | X | X | |||
Account can be reprovisioned | X | ||||
Account can be locked (only if it is not a control account) | X | X | X | X | X |
Account can be unlocked | X | X | X | X | X |
Delete a local account (only if it is not a control account) | X | X | X | X | X |
Delete a local account which is using an Account source |
Note
Only applies if the device includes a command in the device template that performs the task.
Changing states
When updating device account states, the following rules will apply.
From | To | What happens |
---|---|---|
Unapproved | Approved | The account is marked as Approved. |
Unapproved/Approved | Known | The account credentials are supplied to Osirium PAM. Osirium PAM stores the credentials without changing them. |
Known | Managed | Osirium PAM will change the existing credentials of the account on the device and will now manage the credentials. Users will no longer know the credentials. |
Any | Fully managed | N/A – only accounts created by Osirium PAM can be Fully managed. |
Fully managed | Any | N/A – only accounts created by Osirium PAM can be Fully managed. |
Managed | Known | Osirium PAM will prompt the user to enter new account credentials. These credentials are then set on the device and stored in Osirium PAM. The credentials will no longer be managed by Osirium PAM. |
Known | Unapproved/Approved | The account is marked as unapproved/approved and will not be used by Osirium PAM. |
Managed | Unapproved/Approved | User resets the credentials, which are set on the device. Osirium PAM loses the ability to use the device account. |
Reprovisioning
Only Fully managed accounts can be reprovisioned. This option can be used if Osirium PAM has lost control of the account.
To reprovision a control account, you will need to provide details of an account on the device which can perform the reprovision. The reprovision account task is then run.
Reprovisioning a Fully managed account that is not a control account does not require you to provide details of an account, as the control account will be used to logon to the device and reprovision the selected accounts.
Active Directory accounts
The Active Directory accounts tab displays all the accounts that exist on the Active Directory you have provisioned in Osirium PAM.
Note
If your Active Directory has Groups of interest listed, then only the accounts belonging to the groups of interest will be listed.
If no Groups of interests are listed, then all accounts that exist in the Active Directory Users container will be listed.
Osirium PAM communicates with the Active Directory and mirrors the status of the account as it is in Active Directory. Osirium PAM cannot modify or delete the account.
If a change is made in the Active Directory then the changes will be reflected in Osirium PAM during the next sychronise cycle. Synchronisation of accounts is done with diacritic (accents added to words) insensitivity and case insensitivity to ensure duplicate accounts are not created in Osirium PAM and mapped to the same Active Directory account.
Note
Only accounts with a state of Known or higher can be made a control account.
Heading | Description |
---|---|
Service control account | If discovered, will be marked with a and used by Osirium PAM to: - Create and delete Osirium PAM accounts/groups on the Active Directory Service. - Refresh passwords on the Active Directory. |
Device control account | Will be marked with a and used by Osirium PAM to run tasks on the member servers. |
State | A State is set for each of the accounts discovered when a DeviceAudit task is run. |
Active Directory | The name of the Active Directory on which the account exists. |
Account | Name of the account that exists on the Active Directory. |
Enabled | If marked with a the account is enabled in Active Directory. |
Password never expires | If marked with a the account password has been set in Active Directory to never expire. |
Password expired | If marked with a the Active Directory password has expired and must be reset in Active Directory. |
Password last set | Timestamp of when the password was last set in Active Directory. |
Password age (days) | The number of days since the password was last set in Active Directory. |
Change at next logon | If marked with a the user will be prompted to change the account password when they next login to their workstation via Active Directory. |
Locked | If marked with a the account has been locked in Active Directory. |
Protected user | If marked with a the account is a member of the Protected Users group in Active Directory. |
Domain Admin | If marked with a the account is a member of the Domain Admins group in Active Directory. |
Credential(s) changed | Timestamp of when Osirium PAM last changed the password, SSH key or both. |
Failed logon | Timestamp of the last failed logon made by Osirium PAM when using the account to attempt to connect to Active Directory or a device. |
Linked to users | Osirium PAM user to which the account is linked. |
Trigger audit button
Note
Only available for Active Directory accounts.
When the TRIGGER AUDIT
button is clicked, Osirium PAM runs the Audit Account Source and Audit Service Accounts tasks.
These tasks allow Osirium PAM to contact the Active Directory over LDAPS and update the Active Directory account information and the service accounts displayed.
Static accounts tab
The static accounts tab lists all the accounts that have been stored in the static vault.
Heading | Description |
---|---|
Service control account | Not supported. |
Device control account | Will be marked with a if the account stored has been used to provision a device. |
State | A State is set for each of the accounts discovered when a DeviceAudit task is run. |
Static vault | The name of the static vault the account belongs to. |
Account | Lists the name of the accounts stored in the static vault. |
Credential(s) changed | Timestamp of when the account credential(s) were last changed. |
Failed logon | Timestamp of the last failed logon attempt made when the account is used to connect to a device through Osirium PAM. |
Linked to users | Osirium PAM user to which the account is linked. |
Password | Will be marked with a if the stored credentials include a password. |
SSH | Will be marked with a if the stored credentials include a SSH Key. |
Service accounts tab
Service accounts that have been configured on an Active Directory and that are being actively used by member servers can be audited and managed here.
Before the service accounts can be seen, the following needs to happen:
-
The Account source device needs to be provisioned in Osirium PAM. See Active Directory Integration in Osirium PAM.
-
The member server device(s) needs to be provisioned in Osirium PAM. See Adding an Active Directory.
-
On the Manage accounts page, click on the Active Directory accounts tab.
-
Click the
TRIGGER AUDIT
button. The Choose service window appears. -
On the Choose service window, select an
Active Directory
. -
Click
PROCEED
.The following tasks will be run:
-
Audit Account Source: audits the accounts on the provisioned Active Directory. The accounts discovered will then be listed on the Manage accounts > Active Directory accounts tab.
-
Audit Service Accounts: connects to each provisioned member server and audits every service running under a domain account (not local service or local system accounts). The services and accounts being used are then visible on the Manage accounts > Service accounts tab.
The following information is presented in the Service accounts table:
Heading Description Service Name of the service the account is managing on the member server. Account Name of the account the service is using. State A State is set for each of the accounts discovered when a DeviceAudit task is run.
See Manage Accounts.Device The name of the device that the service was discovered. Service last updated Reflects the date when the service was last updated by the Service Accounts Scan and Update Service Password tasks. -
Managing service account passwords
Another feature of Service Accounts is auditing and updating service account passwords. Service account passwords for all provisioned member servers can be managed from one central location. Schedules can also be created to manage password refreshes in accordance with your company's password policy.
Before service account passwords can be managed, the correct tasks are required in the template.
The tasks are:
-
Discover Service accounts: This task will find all the services on each member server and return a list of service names. Each service is then individually queried by name and logon account found. If a logon account matches an account we have audited from the authentication service, that account will be added to the Service accounts tab. This task can be scheduled to run within a profile.
-
Service Accounts Scan: This task scans the database to determine which service device account passwords are managed by Osirium PAM. This task can be scheduled through a profile or run as a user task.
Therefore, to manage service account passwords:
-
Provision an Account source and then provision your member server device(s).
-
Within the Manage Account window click the
Service accounts
tab. -
The Service accounts tab is displayed. Trigger an Account source audit.
-
On the Service accounts tab, set the State of the account accordingly.
-
Create a profile and add your member server device(s) for which you want to manage the service account passwords.
-
Add the tasks Discover Service Accounts and Regenerate passwords for all devices attached to the profile and Service Accounts Scan, and select a schedule for each.
Ensure that schedules are at least 15 mins apart in the order listed. New schedules can be created on the Manage Schedules page.
Note
In order for Osirium PAM to successfully manage service account passwords, every member server device that uses the service account must be provisioned within Osirium PAM.
Otherwise, when Osirium PAM updates the service account password on the Active Directory and on the service configuration on each member server device, any unprovisioned devices using the service account password will have the old password saved and the service will fail to stop/start.
SSH keys in Osirium PAM
What is SSH key authentication and how does it work in Osirium PAM?
SSH key authentication provides cryptographically stronger device protection than using long, complex passwords. SSH key authentication involves using of a pair of SSH keys, a public key copied to the server and a private key held by the connecting client. For Osirium PAM managed accounts, Osirium PAM is the only holder of the private key.
Note
SSH keys on Osirium PAM are imported as RSA private keys in PEM format, with bit length <= 16K. Osirium PAM exports and manages public keys in PEM format.
Osirium PAM allows devices with templates supporting SSH keys to be provisioned using SSH keys instead of, or alongside, passwords. When provisioning such a device, Osirium PAM allows you to authenticate the test connection account using an SSH private key. If the private key is encrypted, the passphrase should also be provided.
After adding a managed user to the device, Osirium PAM creates an authorized_keys file in the user’s home directory, where the public key is stored. A private key is also generated and held by Osirium PAM. Password authentication is available for these users.
Where available, SSH key authentication takes precedence over password authentication. Therefore, password authentication can be switched off on the device, if desired, provided that the control account is configured for SSH key authentication.
The Reveal Credentials tool displays account passwords, SSH private keys and SSH key passphrases for encrypted keys through the UI.
Static accounts exist within static vaults. These accounts can also be provisioned with SSH private keys, as well as passwords.
SSH keys on managed accounts are rotated in the same way as passwords, so the Regenerate Account Credentials task also regenerates the account’s SSH key and SSH key passphrase.
SSH key support works on a per-template basis. To see which devices currently have templates with SSH key support, refer to the Latest Template Package on the Osirium Support portal.
Troubleshooting account passwords
In case of network failure between the server and a device, breakglass can be used to reveal the password of an account stored in Osirium PAM. This can then be used to access the device directly.
There are a number of ways a breakglass password can be revealed:
Note
When logging password reveals, Osirium PAM highlights if a password was revealed outside of the UI on the Admin Interface.
Generate Breakglass KeePass file
The breakglass can be generated by the Owner role only, encrypted and stored periodically for cases when the server console may not be accessible.
You can breakglass the passwords of any account which is:
- A control account
- In the Known state
- In the Managed state
The generated encrypted KeePass file, which can be opened using the KeePass application and a password, contains SSH private keys and passphrases, as well as account passwords.
Note
For the KeePass file to be stored in the archived backup file a backup breakglass passphrase must have been configured. See Backup breakglass passphrase.
To generate a breakglass report:
-
In the left-hand menu click
Accounts
. -
On the Manage accounts page, click
GENERATE BREAKGLASS
. The Generate breakglass window opens. -
Within the Generate breakglass window, enter the following:
Heading Description My password Your Osirium PAM logon password. KeePass password The password that will be used to encrypt the breakglass file. NOTE If a password policy has been configured then this password must conform to the policy settings.
KeePass password again Confirm the above. -
Click
GENERATE
. Wait while your credentials are verified and the file is downloaded. -
Within the Question window, click
YES
if the file was downloaded. The download can be confirmed by checking the Download folder on your workstation.
Reveal credentials
Allows you to reveal the account credentials (passwords and SSH keys).
-
On the Manage accounts page, right-click an account on the table and click
Reveal credentials
.Note
Credentials can be revealed for Fully managed, Known and Managed accounts only.
-
Within the Reveal credentials note window, click
YES
to decrypt the account credentials. -
Account credentials can now be revealed by moving the mouse over the relevant credential field or pressing CTRL+C to copy the credential. The credential is visible for 30 seconds.
-
Once you have retrieved the account credentials, click
CLOSE
.
PAM Server Console window
Using the server console window:
-
Logon to your environment and open console.
-
Within the PAM Server Console window, use the arrow keys to navigate to Retrieve Passwords option and press ENTER.
-
Enter the Master Encryption Key.
-
Use the arrows to navigate and select
OK
. -
Use the arrow keys to scroll through the list of devices. Select the one you want and then press ENTER.
-
Use the arrow keys to select the account you wish to breakglass, and press ENTER.
-
The credentials are revealed.
Update Stored Credentials
If the stored credentials for a control account, either Managed or Known, have changed on the device, and there are no other accounts on the device that have the same administrator rights, Osirium PAM would no longer be able to communicate with the device.
The Update stored credentials task in this circumstance could be used to update the account which is currently stored in Osirium PAM to the new account credentials.
To update account credentials stored in Osirium PAM:
-
Right-click an account and select
Update stored credentials
from the context menu. The Enter account credentials window appears and will differ depending on the account type you are looking at. -
Provide the new credentials.
To provide a new password:
- In the Existing password field, type the new password.
- Ensure the checkbox to the left of Existing password is selected.
- In the Password again field, type the new password again to confirm.
To provide a new SSH private key:
- Click the
SSH private key
field. The Edit value window appears. - In the Edit value window, click
Choose file
. - Locate the SSH private key and click
Open
. For further details on how to upload a file see Uploading a file. - In the Edit value window, click
UPLOAD
. - Ensure the checkbox to the left of SSH private key is selected.
- If necessary, type a new SSH key passphrase in the SSH key passphrase field.
-
Click
PROCEED
. The Action queue window appears. -
When the task completes, click
DONE
.Note
To remove credentials, select the checkbox to the left of one or both empty credential fields and click
PROCEED
.
Account history
The account history starts from when the account was first audited. All Osirium PAM generated historical credentials and account states are viewable here.
To view the account credentials history:
-
On the Manage accounts page, right-click an
Account
and click Account history.Note
Credentials can be revealed for Fully managed, Known and Managed accounts only.
-
Within the Account history for window, you will see the following information.
Heading Description Active from The date/time the credentials were active from. State The account state at the time the credentials were used. Password The password used. SSH private key The SSH private key used. Hover over to view or press CTRL+C to copy. SSH key passphrase The SSH key passphrase used, if any. Hover over to view or press CTRL+C to copy. Used for The duration the credentials were used. -
Once you have finished, click
CLOSE
.