Skip to main content
Version: 3.23

Terminal Proxy

senhasegura Terminal Proxy is an SSH service operating on standard port 22 that authenticates the senhasegura user using the same account that the user uses in the web interface. This login respects the same account lockout and MFA settings.

caution

senhasegura authenticates on the target device using the native protocols of the requested session. Delivering the user an authenticated session with no risk of exposing the credential used.

senhasegura Terminal

When logging into the senhasegura server using SSH, the user has the default prompt as below.

Proxy terminal

This simplified terminal has only commands to start a proxy session to a remote device and transfer files between the source and destination device. Use the help command to list the available commands and help [command].

List access credentials

To list available credentials for user, use the list command and access data such as connectivity type, Username , Hostname, and IP are listed.

caution

Domain credentials are not listed using this command. To perform access with domain credentials, you need to use the following syntax: ssh domain\user@server.

tip

To visualize the specific username, use the following syntax: list username –related Then all devices that an account has access, will be displayed.

To visualize the domain access is necessary to use the following syntax: list domain –related Allows the user to verify all domains that a domain credential has access.

Terminal connection

SSH Connection

To make an SSH connection to a device with this connectivity linked to a valid credential, run the ssh command followed by the credential and device as you would on a standard SSH connection. Example: ssh usr01@mylinuxserver or ssh usr01@172.18.50.201.

SSH connection

Access using ssh key

To perform access with ssh keys, use the following syntax, replacing the following strings with:

  • keyValue: ssh key value

  • valtServer: senhasegura instance

  • targetDevice: device you want to access

Accessing a senhasegura instance

ssh keyValue@valtServer

Accessing another device

ssh key keyValue@targetDevice

Accessing another device or when a key and credential have the same name.

ssh key\keyValue@targetDevice

To access the device or when a key and a credential have the same name, use the SSH key to make Multihop connections.

 ssh userss[key\credential@device]@senhasegura

Access using Multihop

To facilitate access to the target device in applications that do not provide interactive prompts is used Multihop to connect directly to the target without executing additional steps. For the examples, use:

  • valtUser: senhasegura user

  • valtServer: senhasegura instance

  • targetUser: credential you wish to use for access

  • targetServer: server you want to access

Default connection with only the user and senhasegura server

valtUser@valtServer

Connection containing the user and target server

In this example, senhasegura will connect directly to the destination server without delivering the intermediate terminal. The credential and target device are in brackets.

valtUser[targetUser@targetServer]@valtServer
Connection containing the user and senhasegura server

Multihop connection containing the OTP token

valtUser[targetUser@targetServer]2faToken@valtServer
Multihop connection containing the OTP token exemple

TELNET Connection

For TELNET sessions, run the telnet command followed by the credential and device in the same way. Example: telnet admin@myrouter.

File transfer

caution

For file transfer directly to a target server, it is mandatory to use the multihop connection, because the binaries that travel under SFTP do not have a way to interact with the intermediate terminal.

Due to protocol limitations, the user cannot use a personal credential with the file transfer. Only with a credential that is registered in senhasegura.

The example below uses the WinSCP program as an example.

WinSCP program as an example
WinSCP program as an example

The following example below uses a command-line version of SFTP.

command-line version of SFTP
info

If the user has an OTP token configured, use the token in the connection string.

Transfer with SCP

Two steps are needed to transfer a file using SCP from the user workstation to a target server.

  1. At the first step, the file is uploaded to the senhasegura using the user terminal proxy.

  2. Second step, the user has to connect to senhasegura Terminal Proxy to upload the same file to a target server.

To use the scp command, use the syntax below, replacing the strings with:

  • fileName: File to be transferred

  • vaultServer: senhasegura instance

  • vaultUser: credential that will authenticate to the senhasegura instance

  • fileDestination: Location where the file should be transferred to

Uploading a file to the senhasegura instance

scp fileName vaultUser@vaultServer

Downloading a file from the senhasegura instance to the requester workstation

scp vaultUser@vaultServer:fileName fileDestination
caution

The SCP syntax does not support multihop connection strings, making both steps mandatory. Use the SFTP transfer for a better experience.

Automated privilege elevation

senhasegura can allow a user to perform elevated tasks, like SUDO, without knowing the credential password. In these cases, the user will have its interactivity captured, and senhasegura will perform the elevation using the same credential used to authenticate in the target device.

Note in this first example that the user executes a super command without having to enter the credential password.

Super command example

If privilege elevation is inactive on the session, the device credential password is requested.

Privilege elevation is inactivated example

Interactivity blocking and compulsory logout

If the administrator activates interactivity blocking, the operator user will be warned by a message in the upper right corner.

Interactivity blocking example

And if the administrator compulsorily logout the session, the user is also warned.

Compulsorily logout the session alert