PAM Providers shared between devices

Hello!

We have several thousand devices that we want to attempt to use with PAM. Currently each PAM provider needs to be specific to a device, but we would be using shared PAM provider credentials on many different devices in order to reduce management overhead. Please make it so we can share these providers with multiple devices.

Thanks!

All Comments (3)


Hello,

Thank you for your request. What kind of devices do you have? Are you talking about managing local accounts on computers in your Active Directory domain? Because it is now possible to manage those accounts through the Active Directory provider instead of creating a provider for each computer. And it is also possible to reuse a PAM account as a credential for a PAM provider, so you can use an account across many providers. I'm not sure if this is what you are looking for, but let me know if that helps.

Best regards,

François Dubois

Hello!

Thanks for the follow-up. We are mostly targeting network devices over SSH such as Cisco routers and switches, and a host of carrier-grade equipment from vendors such as Ciena. Active Directory is probably not on our list for PAM implementation at this time.

Thanks!


Hi Andrew,

The providers are meant to be linked to a source of accounts, and each device in itself is an Identity Provider. We also have to remember, for those that want to attain it, the Zero Trust requirement of never reusing the same credentials, all at the same time protecting the devices by monitoring new accounts/keys created without authorization.

That being said, we realize there is friction when managing multiple non-federated devices (we experience the same pain, I can assure you). We would need to find a way to onboard a great number of providers, and to simulate that the devices are federated. François mentioned what we had done for Active Directory joined computers; we could present, let's call them sub-providers, in a similar fashion maybe...

For the onboarding, we could use the PAMAdmin account that you provision on all devices to create a unique one to replace it.

All of that to say that we are suffering from the same pain, trying to find a solution that checks all the boxes, and hopefully we'll come up with a good solution.

Best regards,

Maurice