UseCase11_LinuxSSHRestrictions - sandersdHES/PAMEmergingTech GitHub Wiki

6.11 Securing SSH Access and Command Restrictions on a Linux Machine

Objective

This use case showcases how to securely connect to a remote Linux machine using SSH key-based authentication managed through PAM360, replacing the less secure, traditional password-based approach. The main goals are to:

  • Enhance the security of SSH access, especially for privileged (admin) accounts
  • Centralize the management of SSH keys
  • Restrict command execution to enforce the principle of least privilege

Context

SSH is the primary method for managing Linux systems, but when used with static passwords and unrestricted command-line access, it introduces significant security risks. Traditional setups often expose privileged accounts to credential theft, lateral movement, or misuse.

PAM360 addresses these risks by:

  • Replacing static SSH credentials with managed key pairs
  • Enforcing least-privilege access through command control
  • Auditing SSH sessions to ensure traceability and compliance

In this scenario, a Linux virtual machine is managed through PAM360 to simulate real-world administrative access. SSH keys are centrally stored and rotated, and non-admin users are restricted to a predefined set of commands—ensuring that all remote access remains both secure and governed.

Official Documentation

Prerequisites

Before starting, ensure the following conditions are met:

  • A Linux VM is up and running with SSH enabled
  • The target Linux host and user accounts are already added as resources in PAM360

Step 1: Create an SSH Key in PAM360

Rather than using static passwords, organizations should leverage key-based authentication to secure privileged access.

In PAM360, navigate to SSH Keys > Add SSH Key and fill in the required fields:

  • Key Name: Choose a descriptive name
  • SSH Key Passphrase: (Recommended) Adds encryption to the private key
    • Protecting the private key with a passphrase mitigates the risk of unauthorized access—even if the key file is compromised.
  • Key Type: RSA
  • Key Length: 2048 or 4096 bits

Step 2: Associate the Key with a Linux Resource

Once generated, the SSH key must be linked to the appropriate resource to control where and how it's used.

After generating the key:

  1. Click the key in PAM360
  2. Choose Associate
  3. Select your Linux machine and click Associate again

Only accounts with appropriate permissions will have the public key deployed, and access will be governed by PAM360’s policies.

Step 3: Configure PAM360 to Use the Key for Login

  1. Go to Resources > [Linux Machine] > [admin account]
  2. Select Edit Account
  3. Toggle "Use Private Key for Login"

This ensures all SSH sessions initiated via PAM360 use the private key, enhancing security and traceability.

Step 4: Test the SSH Connection

This step confirms that PAM360 successfully uses the SSH key for authentication. Run the following command on your Linux VM:

sudo systemctl status ssh

Look for a log entry that says:

Accepted publickey for admin

This confirms that key-based authentication is working.
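The check from Step 4 as a reusable script, added here as an example (it is not part of the original wiki or of PAM360). It goes slightly beyond Step 4 by tallying every accepted login method for one account, so a password login on an account that should be key-only stands out; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the wiki: tally how sshd authenticated an account.

# Constructed sample lines in the usual syslog/journal layout (not real logs).
SAMPLE_LOG='Jun 10 09:15:02 linuxvm sshd[2101]: Accepted publickey for admin from 192.0.2.10 port 50522 ssh2: RSA SHA256:CONSTRUCTED-EXAMPLE
Jun 10 09:20:41 linuxvm sshd[2140]: Failed password for admin from 192.0.2.77 port 40110 ssh2
Jun 10 09:31:07 linuxvm sshd[2188]: Accepted password for admin from 192.0.2.77 port 40112 ssh2
Jun 10 09:40:13 linuxvm sshd[2203]: Invalid user Accepted publickey for admin from 192.0.2.77 port 40120
Jun 10 10:02:55 linuxvm sshd[2250]: Accepted publickey for pamuser from 192.0.2.10 port 50610 ssh2: RSA SHA256:CONSTRUCTED-EXAMPLE
Jun 10 10:05:30 linuxvm sshd[2262]: Accepted publickey for admin from 192.0.2.10 port 50644 ssh2: RSA SHA256:CONSTRUCTED-EXAMPLE'

# Reads sshd log lines on stdin and prints "publickey=N password=N other=N"
# for the account named in $1 (hypothetical helper name).
ssh_auth_summary() {
    awk -v user="$1" '
    {
        for (i = 1; i + 4 <= NF; i++) {
            # Only trust text that directly follows the sshd[PID]: tag, so a
            # login name containing the same words is not counted as a login.
            if ($i !~ /^sshd(-session)?\[[0-9]+\]:$/) continue
            if ($(i+1) == "Accepted" && $(i+3) == "for" && $(i+4) == user) {
                if ($(i+2) == "publickey") pk++
                else if ($(i+2) == "password") pw++
                else other++    # e.g. keyboard-interactive/pam
            }
            break
        }
    }
    END { printf "publickey=%d password=%d other=%d\n", pk, pw, other }'
}

# Succeeds only if the account has at least one key-based login and no
# login by any other method (hypothetical helper name).
key_only_login() {
    [ "$(ssh_auth_summary "$1" | sed 's/publickey=[1-9][0-9]* //')" = "password=0 other=0" ]
}

# On the VM, feed it the service log: journalctl -u ssh | ssh_auth_summary admin
printf '%s\n' "$SAMPLE_LOG" | ssh_auth_summary admin
```

On the constructed sample this prints `publickey=2 password=1 other=0` for admin: the password login is the entry to investigate, and the "Invalid user" line is ignored.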

Optional: Set Up SSH Key Rotation

To reduce the risk of stale or compromised keys, PAM360 supports key rotation:

  1. Go to SSH Keys in PAM360
  2. Select the key > Key Rotation
  3. Choose whether to push private/public keys to the remote system

⚠️ Good practice: Enable expiry notifications to receive alerts before a key becomes outdated. This ensures continuous secure access.

Step 5: Restrict Commands Using Command Control

Limiting what commands can be executed post-login helps mitigate the risk of privilege abuse. PAM360’s command control allows enforcing least-privilege access.

To limit access for a non-admin user:

  1. Create a user on the Linux VM:
     sudo adduser pamuser
  2. Add this user to PAM360 as a managed account
  3. Go to Admin > Manage Commands

Here, you'll see:

  • Commands: All defined CLI commands
  • Command Groups: Logical groupings (e.g., "File System", "Basic Administration")

Step 6: Assign Command Groups

  1. Go to the pamuser account in PAM360
  2. Click Configure SSH Command Control
  3. Assign built-in command groups:
    • "File System"
    • "Basic Administration"

After setup, when pamuser logs in, they cannot type commands directly. Instead, they'll use a menu of approved commands from the PAM360 interface.

Conclusion

This use case illustrates how PAM360 enhances SSH access management by:

  • Eliminating shared/static credentials
  • Securing access with encrypted SSH key pairs
  • Auditing and recording SSH sessions
  • Enforcing role-based access and command restrictions

You now have a compliant, secure, and auditable SSH access setup aligned with PAM best practices.
