
Issue with CyberArk and WinSCP (command line setting)


I successfully tested CyberArk with SSH and I used this command line (all works correctly):

ssh -o StrictHostKeyChecking=no -t <PSMConnect> <domain_login_name> <linux_target_account> <address>

You can see the real command:

ssh -o StrictHostKeyChecking=no -t [email protected] jist root 10.192.24.10

where jist is the domain login name and root is the account in the target location defined based on IP 10.192.24.10.

But I have an issue with the configuration of WinSCP with CyberArk. Do you know which command line parameters are needed for building the relation between WinSCP & CyberArk (so that CyberArk will monitor activities under WinSCP)?

I expect something like this command (but I did not find the details in the documentation):

winscp -t [email protected] ???

BTW: I saw only the ability to use WinSCP from a Terminal Server which is under CyberArk monitoring, but it is without a standard command line and this way has a really huge overhead (extra terminal server, local disk mapping to the Terminal, etc.), and finally, it degrades total performance for file transfers.

NOTE: Why this question (relation to SW use cases):

  • If I need to transfer a file to production from my workstation via WinSCP (without CyberArk), IT Security generates a security incident. Why? Because IT Security needs to monitor my activities, and for this reason they use CyberArk and monitor activities in the production environment under SSH, all activities in the Terminal Server, etc.
  • How to avoid generating IT Security incidents? The first option is to use WinSCP not from my workstation but in the Terminal Server (which CyberArk fully monitors), but this way is not so comfortable (slow Terminal Server, mapping my local disks, etc.). The second (preferred) option is to use a similar way as with SSH (meaning SSH supports the relation to CyberArk and sends CyberArk information about user activities, e.g. the user ran these commands, ...). So I am looking for the ability to define, via a WinSCP command line setting, that WinSCP will inform CyberArk about user activities, such as the user copying a file (via SFTP) from source to target, etc. This relation will help me avoid the first option and use WinSCP directly from my workstation, not from the Terminal Server, and IT Security will be happy (because they will monitor my activities under WinSCP).

Solution

  • It is an easy setting and can be applied on the WinSCP command line or in the WinSCP GUI.

    The main logic is that CyberArk PAM (privileged access management) will work as a proxy for WinSCP, which will route (and spy on) the whole traffic. The setting is easy and contains only two steps in the connection dialog on the WinSCP side (I tested this connection with WinSCP version 5.21.3 and CyberArk PAM version 12.6):

    1. Step - Login in WinSCP

    • File protocol: SCP
    • Port number: 22
    • Host name: connection to CyberArk proxy e.g. ssh-proxycba.eu.prod
    • User name: LoginID@TargetUser@TargetSystem
      • LoginID: typically login to your domain e.g. bank\jist

      • TargetUser: user in target server e.g. root

      • TargetSystem: name of target server for login e.g. 10.192.24.10

      • User name full sample can be: jist@[email protected]


    2. Step - Advanced Site Setting in WinSCP

    • Environment > SCP/Shell > Shell: option /bin/bash/


    After this setting (for the connection on the WinSCP side) everything works correctly and IT Security has full detail about the content transferred.

    NOTE:

    • I tested SFTP instead of SCP and it did not work in my environment.
    • I tested SCP without bash and I got an error message from CyberArk that 'bash' is needed.
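
A command-line form of the two settings in the answer above, as an added example that is not part of the original post: it builds the LoginID@TargetUser@TargetSystem user name, percent-encodes it into a WinSCP session URL for the proxy, and sets the shell through WinSCP's /rawsettings switch. The function name, install path and host key fingerprint are assumptions or placeholders, and /bin/bash is assumed for the shell value the answer writes as /bin/bash/.

```powershell
# Added example: names and values marked "assumed" or "placeholder" are not from the original post.
function Get-PsmSessionUrl {
    param(
        [Parameter(Mandatory)][string]$LoginId,       # domain login, e.g. jist
        [Parameter(Mandatory)][string]$TargetUser,    # account on the target, e.g. root
        [Parameter(Mandatory)][string]$TargetSystem,  # target address, e.g. 10.192.24.10
        [Parameter(Mandatory)][string]$ProxyHost,     # CyberArk proxy host name
        [int]$Port = 22
    )
    # User name format from the answer: LoginID@TargetUser@TargetSystem
    $composite = '{0}@{1}@{2}' -f $LoginId, $TargetUser, $TargetSystem

    # Percent-encode the user name so its '@' characters (and a '\' in a
    # domain login such as bank\jist) are not parsed as session URL syntax.
    $encoded = [uri]::EscapeDataString($composite)

    # The format operator avoids PowerShell reading "$ProxyHost:22" as a scoped variable.
    'scp://{0}@{1}:{2}/' -f $encoded, $ProxyHost, $Port
}

# Sample values taken from the question and answer.
$url = Get-PsmSessionUrl -LoginId 'jist' -TargetUser 'root' `
                         -TargetSystem '10.192.24.10' -ProxyHost 'ssh-proxycba.eu.prod'

$winscp  = 'C:\Program Files (x86)\WinSCP\WinSCP.exe'   # assumed default install path
$hostKey = '<PROXY-HOST-KEY-FINGERPRINT>'                # placeholder: the proxy's real fingerprint
$shell   = '/bin/bash'                                   # assumed form of the answer's Shell option

if (-not (Test-Path -LiteralPath $winscp)) {
    throw "WinSCP not found at $winscp"
}

# Opens the WinSCP GUI with the session pre-filled. The proxy's host key is pinned
# through /hostkey, and no password is placed on the command line.
& $winscp $url "/hostkey=$hostKey" /rawsettings "Shell=$shell"
```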