Use existing PAM credential in Provider config

Resolved Implemented

0 vote

Hello,

Instead of manually entering a username and password in the provider configuration, it would be useful to just be able to choose an existing PAM account.

This would likely improve security as scheduled password rotation could be configured on the respective PAM account.

Please let me know if any additional information is required.

Thanks
Joe

All Comments (8)

Hi,

It's something we've already thought about doing. And I think it would be beneficial to be able to link a PAM account to the provider. On the other hand, it is this account with elevated rights that is used to manage the accounts. So we should think of another strategy to reset the account used by the Provider.

I'm going to create a ticket so we can take the time to look at this.

Best regards.

Marc-Andre Bouchard

Hello Joe,

Just to let you know that the next version, 2024.1, will contain such a feature. It will be possible to link your provider to an existing PAM account, so it will be possible to add rotation on the provider credentials. Don't hesitate to send us feedback once you try that new feature.

Best regards,

François Dubois

Hi François,

That's really great news, thank you for working on that new feature.

Joe

Hi François,

The addition of this feature is great. While testing it out I noticed that only accounts from existing providers can be configured as the linked credential for a provider. This prevents multiple providers from linking to a single static unmanaged credential.

Would it be possible to link other types of credentials in the PAM provider config (i.e., to standalone entries)?

Also, is there a way for provider types like AnyIdentity or SQL to use the 'linked credential' capability? I currently only see it available in the 'domain user' type provider config.

Thanks
Joe

Hello Joe,

Thank you for your feedback. What you would like is to be able to link to a credential saved in a shared vault, am I understanding correctly?

And you are right, integrating the linked account on the AnyIdentity provider had a small challenge and we postponed it to the next version, but it should be available in June.

Best regards,

François Dubois

Thanks François.

Ideally the linked credential could be any account stored in PAM (i.e., standalone, AnyIdentity, etc.), not just those that are from an existing 'domain user' provider.

Currently, if I create a 'standalone' PAM credential, it doesn't show in the dialog for selecting the linked credential in the provider config.

Please let me know if you would like more info.

Joe

Hello Joe,

You are right, we limited it to the same provider type to avoid cases that could be a problem with AnyIdentity and, to be honest, we didn't think about the standalone PAM credential. I'm creating a ticket and we will have a look when we work on improving the AnyIdentity provider with linked accounts. It should be possible to remove that limitation. Sorry for the inconvenience. We will let you know when we have an update.

Best regards,

François Dubois

Sounds good, thanks François.