SSH Integration in Conjur Enterprise
Conjur Enterprise integrates with standard Linux tools such as OpenSSH, PAM and syslog to provide powerful SSH management.
Conjur SSH is not an agent. It's a smart configuration of a standard Linux system. We provide suggested configurations, but you can tweak this to your needs.
Public key authentication
The Conjur PubKeys service is used by OpenSSH to authenticate users. OpenSSH is configured to use the AuthorizedKeysCommand directive to fetch the public key list for the inbound user from Conjur.

If permitted by /etc/ssh/sshd_config, users can also authenticate using their Conjur password. This capability can be used to integrate Conjur with applications such as Jenkins and OpenVPN, which can delegate authentication to PAM.
Conjur LDAP service is another way to use Conjur to authenticate end users to applications. Linux PAM can be configured to use Conjur LDAP for authorization. In this scenario, once the user is authenticated (by public key or password), she is then authorized via LDAP. In order to be authorized for SSH access, the user must have execute permission on the Host.

Each Host binds to Conjur using its unique id and API key. In this way, each Host has a unique executors list. Access can be granted or revoked at the level of individual users and hosts; SSH access management is not bound by the typical constraints of LDAP group management.
Conjur includes a tool called logshipper which integrates with syslog to parse the authentication log and send structured login events to the Conjur audit database. In this way, a detailed audit of each sudo command is automatically recorded for each machine which is using Conjur SSH management. These records can be retrieved through the API, CLI, or visualized in the
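As an added illustration of the kind of parsing logshipper performs (this is example code, not Conjur's logshipper), the following Python turns constructed auth.log lines in the standard Linux syslog format for sshd and sudo into structured login and sudo events, and counts failed logins per source address as a simple detection check. The log lines, host name and addresses are all constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not real data).
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 host1 sshd[2100]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc123
Mar  4 09:12:05 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 09:13:40 host1 sshd[2107]: Failed password for bob from 192.0.2.9 port 40022 ssh2
Mar  4 09:13:52 host1 sshd[2108]: Failed password for invalid user admin from 192.0.2.9 port 40023 ssh2
Mar  4 09:14:02 host1 sshd[2110]: Accepted password for carol from 10.0.0.7 port 50001 ssh2
Mar  4 09:14:10 host1 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog prefix: "Mar  4 09:12:01 host1"
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# sshd authentication result lines, with or without "invalid user".
SSHD_RE = re.compile(_PREFIX + r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# sudo command lines as written by the sudo syslog plugin.
SUDO_RE = re.compile(_PREFIX + r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
                     r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_line(line):
    """Return a structured event dict for an sshd login or sudo line, else None."""
    m = SSHD_RE.match(line)
    if m:
        return {"type": "ssh_login", "ts": m["ts"], "host": m["host"], "user": m["user"],
                "method": m["method"], "source_ip": m["ip"], "success": m["result"] == "Accepted"}
    m = SUDO_RE.match(line)
    if m:
        return {"type": "sudo", "ts": m["ts"], "host": m["host"], "user": m["user"],
                "run_as": m["target"], "command": m["cmd"]}
    return None  # unrelated syslog traffic (cron, etc.) is ignored


def parse_auth_log(text):
    """Parse every line of an auth log into the structured events logshipper would ship."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_logins_by_ip(events):
    """Count failed SSH logins per source address; useful as a quick brute-force indicator."""
    return Counter(e["source_ip"] for e in events if e["type"] == "ssh_login" and not e["success"])
```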