Issue with CyberArk and WinSCP (command line setting)
I successfully tested CyberArk with SSH and I used this command line (all works correctly):
ssh -o StrictHostKeyChecking=no -t <PSMConnect> <domain_login_name> <linux_target_account> <address>
you can see real command:
ssh -o StrictHostKeyChecking=no -t PSMConnect@proxycba.prod jist root 10.192.24.10
where jist is domain login name, root is account in target location defined based on IP 10.192.24.10
But I have issue with configuration of WinSCP with CyberArk. Do you know which command line parameters are needed for building relation between WinSCP & CyberArk (that CyberArk will monitor activities under WinSCP)?
I expect something like this command (but I did not find the detail in documentation):
winscp -t PSMConnect@proxycba.prod ???
BTW: I saw only ability to use WinSCP from Terminal Server which is under CyberArk monitoring, but it is without standard command line and this way has really huge overhead (extra terminal server, local disk mapping to the Terminal, etc. and finally, it degrades total performance for file transfers).
NOTE: Why this question (relation to SW use cases):
- If I need to transfer file to the production from my workstation via WinSCP (without CyberArk), IT Security generate security incident. Why? Because IT Security need to monitor my activities and from these reasons they use CyberArk and monitor activities in production environment under SSH, all activities in Terminal Server ... .
- How to avoid generate IT Security incidents. First option is to use WinSCP not from my workstation, but use WinSCP in Terminal Server (which full monitor CyberArk), but this way is not so comfortable (slow Terminal Server, mapping my local disks, etc.). Second (preferred) option is to use the similar way as SSH (it means SSH support relation to CyberArk and send to the CyberArk information about user activities e.g. user run these commands, ...). It means I am looking for ability do define via command line setting of WinSCP, that WinSCP will inform CyberArk about user activities such as user copy file (via SFTP) from source to target, etc. This relation will help me to avoid First option and use WinSCP directly from my workstation not from Terminal Server and the IT Security will be happy (because they will monitor my activities under WinSCP)
It is easy setting and can be apply to the WinSCP command line or in the WinSCP GUI.
The main logic is, that CyberArk PAM (privileged access management) will work as proxy for the WinSCP which will route (and spy) whole traffic. The setting is easy and contains only two steps in dialog for connection on WinSCP side (I tested this connection with WinSCP version 5.21.3 and CyberArk PAM version 12.6):
1. Step - Login in WinSCP
- File protocol:
SCP - Port number:
22 - Host name: connection to CyberArk proxy e.g.
ssh-proxycba.eu.prod - User name:
LoginID@TargetUser@TargetSystemLoginID: typically login to your domain e.g.
bank\jistTargetUser: user in target server e.g.
rootTargetSytem: name of target server for login e.g.
10.192.24.10User name full sample can be:
jist@root@10.192.24.10
2. Step - Advanced Site Setting in WinSCP
Environment SCP/Shell Shell: option
/bin/bash/
After this setting (for connection on WinSCP side) everything works correctly and the IT Security has full detail about content transfer.
NOTE:
- I tested SFTP instead of SCP and it did not work in my environment.
- I tested SCP without bash and I got error message from CyberArk, that 'bash' is needed.
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Securely storing an access token
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?
- Read/write to NFC tag with password protection
- Request for the permission of type 'System.Security.Permissions.FileIOPermission.. failed
- Azure blocks POST requests from User-Agent Mozilla/5.0 to App Service
- How to read a HttpOnly cookie using JavaScript
- Using PHP to check if there are unsuitable characters in a textarea form
- Why androidx.security.crypto.MasterKeys is deprecated?
- Login session id's with hash
- Convert String to SecureString
- Is there a way to avoid MITM attacks without encryption?
- How to Detect Web Scrapers Using Chrome DevTools Protocol (CDP) Instead of Selenium or Puppeteer?
- Using API keys in a react app
- Session cookies http & secure flag - how do you set these?
- Node.js hashing of passwords
- KeyCloak Java Service Account Create User
- Windows Property Pages: Domain Path Not Shown on Security Tab
- How do I keep a log of all user requests for a specific route properly?