Implemented Integration

Generate Cyberark MFA Cache key

We use Cyberark via the Cyberark Dashboard to connect to RDP and web connection components. For SSH endpoints, we use the PSMP, which is a kind of SSH proxy. Using a short-lived private key, called an MFA Cache, we can use SSH clients to connect to targets using Cyberark vaulted accounts. This works well in RDM via a private key object linked to SSH session objects. However, this requires us to log in to the Cyberark portal, generate a key (daily), download it, and then point the SSH key entry to the new key file.
Since the generation of MFA Cache keys can be done via the API, it would be convenient to do this via the Cyberark Dashboard and update an SSH key entry.

All Comments (13)

Hi Michael!

Can you provide some information on the configuration required for this on the server side, so that we can set up a similar scenario for us to test?

Is there any relation to the PSM for SSH feature? We already have a ticket to implement this, I'm just not certain it would cover your specific case.

Best regards,

Xavier Fortin

Hi Xavier,

This does not use the PVWA to access SSH targets (using RDP on a Windows server to launch PuTTY); rather, it is a separate Linux connector that acts as a proxy for SSH connections. You are able to use native SSH clients like PuTTY and, in the case of RDM, the native SSH client implementation in RDM. In order to prove you have access to the requested target account, the MFA Cache key is created. You pass this private key during authentication to prove you have authenticated to Cyberark. The key has a limited lifetime that is configured by the administrator. My thinking was that, once you authenticate to the Cyberark Dashboard, it would have the ability to generate a new MFA cache private key which could be linked to multiple session entries.

Here are the relevant documents to the solution and the API.

https://docs.cyberark.com/privilege-cloud-shared-services/latest/en/Content/Privilege%20Cloud/privCloud-deploy-psm-ssh.htm

https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/WebServices/Generate%20MFA%20caching%20SSH%20key.htm

Xavier Fortin

That link isn't accurate to what we are using; we are not self-hosted, but utilize Privilege Cloud. "PSM-SSH" seems to have many meanings from what I have found. Perhaps what we are using used to be called PSMP-SSH? It is a Cyberark Linux connector used to proxy SSH sessions to targets. The way we have it set up does not require any password to be passed in the connection string; rather, it uses an MFA Cache key that is generated in the web console and must be present to prove you have an active, authenticated session. MFA caching (PSM for SSH) in Privilege Cloud | CyberArk Docs

Hi,

I see; indeed, there seems to be a nuance between the two. They are probably branded the same (PSM for SSH) because, in practice, they offer a similar feature, although they work differently in the background.

I'll open a ticket for this, although, considering this is unknown territory for us, I cannot provide any ETA.

Best regards,

Xavier Fortin

Hello,

Any update on this?
"PSM for SSH MFA Caching" would be great to reduce the number of MFA prompts when using PSM in RDM.

BR
Mario

The function would be really nice, as the current solution with CyberArk PSM and RDM is not very user-friendly.

Hi,

I'm happy to report that we are currently working on this improvement and if all goes well it will be in the next major version of RDM (2025.1).

Regards,

Sébastien Duquette

I just tested the SSH MFA Caching with 2025.1 Beta. So far it works, but there's one big issue with the beta implementation...
For security reasons, the MFA Caching private key in our Cyberark environment must have a passphrase set. As of now, RDM does not request the MFA Caching Key with a passphrase, and therefore the request from RDM to /API/Users/Secret/SSHKeys/Cache/ fails with Error 500.

Hi,

We actually do generate a random passphrase, when needed, based on the policy we receive from CyberArk.
I'll investigate on my side and see if I can reproduce the issue when a passphrase is required.

Jonathan Lafontaine

@mariosommer
I was able to reproduce the error. Certain policy combinations aren't correctly met in the generated password, and when that happens, the server throws an error 500 as you experienced.
I'll work on a fix.

Jonathan Lafontaine
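The failure mode discussed in this thread, a generated passphrase that does not meet every rule of the vault's password policy so the key request fails server-side, and the manual workflow from the original post (generate the MFA caching key, download it, point the SSH key entry at the file) can both be shown in one script. This is an added example, not RDM's or CyberArk's own code. Only the endpoint path /API/Users/Secret/SSHKeys/Cache/ comes from the thread; the JSON body field names, the Authorization header, the response layout and the policy values are assumptions, and SAMPLE_RESPONSE is a constructed stand-in so the script runs offline. The passphrase generator satisfies the policy by construction (one draw per required class, then fill and shuffle) instead of drawing random characters and hoping, which is the kind of policy combination that otherwise goes unmet.

```python
"""Generate a CyberArk MFA caching SSH key with a policy-compliant random
passphrase and install it for an SSH client or an RDM private key entry.
Added example; endpoint path is from the thread, body fields, header and
response layout are assumptions, SAMPLE_RESPONSE is constructed."""
import json
import os
import secrets
import string
from dataclasses import dataclass
from urllib import request


@dataclass(frozen=True)
class PassphrasePolicy:
    """Minimum counts per character class, as a vault policy would state (assumed values)."""
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digit: int = 1
    min_special: int = 1
    special: str = "!@#$%^&*()-_=+"


def check_policy(passphrase: str, policy: PassphrasePolicy) -> bool:
    """True only when every requirement holds; a server enforcing the
    policy rejects the key request otherwise (the error 500 in the thread)."""
    upper = sum(c.isupper() for c in passphrase)
    lower = sum(c.islower() for c in passphrase)
    digit = sum(c.isdigit() for c in passphrase)
    special = sum(c in policy.special for c in passphrase)
    return (len(passphrase) >= policy.min_length
            and upper >= policy.min_upper and lower >= policy.min_lower
            and digit >= policy.min_digit and special >= policy.min_special)


def generate_passphrase(policy: PassphrasePolicy, length: int = 24) -> str:
    """Meet the policy by construction: draw the required minimum from each
    class, fill the rest from the union, then shuffle with a CSPRNG."""
    classes = [
        (string.ascii_uppercase, policy.min_upper),
        (string.ascii_lowercase, policy.min_lower),
        (string.digits, policy.min_digit),
        (policy.special, policy.min_special),
    ]
    required = sum(n for _, n in classes)
    length = max(length, policy.min_length, required)
    chars = [secrets.choice(alphabet) for alphabet, n in classes for _ in range(n)]
    pool = "".join(alphabet for alphabet, _ in classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_request_body(passphrase: str, formats=("OpenSSH",)) -> dict:
    """Body for POST /API/Users/Secret/SSHKeys/Cache/ (field names assumed)."""
    return {"formats": list(formats), "keyPassword": passphrase}


# Constructed sample response; not captured from a real vault.
SAMPLE_RESPONSE = {
    "value": [{"format": "OpenSSH",
               "privateKey": "-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE\n"
                             "-----END OPENSSH PRIVATE KEY-----\n"}],
    "publicKey": "ssh-rsa AAAAB3NzaC1yc2EXAMPLE",
    "creationTime": 1735718400,
    "expirationTime": 1735804800,
}


def fetch_mfa_key(base_url: str, token: str, body: dict) -> dict:
    """Real call to the vault; the Authorization header format is assumed."""
    req = request.Request(
        f"{base_url.rstrip('/')}/API/Users/Secret/SSHKeys/Cache/",
        data=json.dumps(body).encode(),
        headers={"Authorization": token, "Content-Type": "application/json"},
        method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_private_key(response: dict, fmt: str) -> str:
    """Pick the private key in the requested format from the response."""
    for entry in response["value"]:
        if entry["format"] == fmt:
            return entry["privateKey"]
    raise KeyError(f"no key in format {fmt!r}")


def install_key(response: dict, fmt: str, dest: str) -> int:
    """Replace any previous key and create the file owner-only (0600) from
    the first instant, so there is no window with a readable key file.
    Returns the expiry (epoch seconds in the constructed sample)."""
    key = select_private_key(response, fmt)
    if os.path.exists(dest):
        os.remove(dest)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    return int(response["expirationTime"])


if __name__ == "__main__":
    policy = PassphrasePolicy()
    passphrase = generate_passphrase(policy)
    body = build_request_body(passphrase)
    base_url, token = os.environ.get("CYBERARK_BASE_URL"), os.environ.get("CYBERARK_TOKEN")
    response = fetch_mfa_key(base_url, token, body) if base_url and token else SAMPLE_RESPONSE
    expiry = install_key(response, "OpenSSH", os.path.expanduser("~/.ssh/cyberark_mfa_cache"))
    print(f"key installed, expires at epoch {expiry}; the SSH client still needs the passphrase")
```

The passphrase is never written to disk here; whatever launches the SSH session (RDM's private key object, an agent, or the user) has to supply it, which is the point of the policy in the first place. Checking the generated value against the policy before the request turns a server-side 500 into a local, explainable failure.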

Hi,

The issue is fixed and the correction should be available in BETA 2025.1.17.

Jonathan Lafontaine

Just tested with the latest beta. Works fine now with password policy activated!
Thanks for the quick fix.