So you have a question but can't see the answer? Please submit your question via this form.

Buying and trying

Where can I buy PrivX and how much is it going to cost?

PrivX is available for purchase at the SSH Webshop and the price will depend on the desired plan. You can check your billing information by logging in to the SSH Webshop with your account.

Can I have a free trial?

There is a free version of PrivX, limited by features, maximum number of hosts and concurrent connections. If you would like to trial or run a proof of concept with the full feature set without limitations, please contact us.

Can I try PrivX online?

Absolutely, the SSH Webshop also has a PrivX test drive available.

Do you have any partners?

Partnerships with leading IAM, CIAM, and IDaaS vendors including Fujitsu, ForgeRock, Ubisecure, and Nordcloud validate partner interest in the product and will help SSH reach a considerably wider audience with superior seamless customer experience.

What happens when my PrivX license expires?

When your PrivX license expires, the grace period is activated. During the grace period your PrivX instance remains fully functional, but there is an expiry notification shown on the UI. When the grace period ends, your PrivX instance will cease to function until the license is reactivated.

Product features

Is there a datasheet available?

You can download the datasheet by signing up here.

Can I use my own client on my workstation, or do I need to use a browser to connect to hosts using PrivX?

Yes, you can use your own client. PrivX will enable connecting to hosts via browser or native clients on Linux, Mac & Windows.

Do you have to install agents on target hosts?

PrivX is a zero footprint solution, so there's no need to install any software on target hosts.

Does PrivX provide access to the target host or to individual applications on the target host?

On RDP connections, you can restrict which applications each user is able to access on the target Windows host; please see the documentation. On SSH connections, access is provided to the target host itself, and limiting user rights on the target host (e.g. with restricted shells) is your decision and responsibility.

Does PrivX support High-Availability and load balancing?

Most definitely, and there are several ways to accomplish this. Please take a look at our Standard HA and AWS HA examples.

Does PrivX work with Ansible or Chef?

PrivX works with both; please see the documentation about Ansible and Chef.

How is data secured?

Sensitive data is split and stored in encrypted format. In transit, all database connections, intra micro-service connections and UI connections are encrypted via TLS.

Is port forwarding possible with PrivX?

Yes, port forwarding works with PrivX Agent and PrivX Bastion (native clients). In the Authorizer config file /opt/privx/etc/authorizer.toml on PrivX servers, the setting ssh_default_extensions includes the keyword permit-port-forwarding.

Session recording and playback

How much file space is needed for a session recording?

Generally, SSH trails take a few megabytes per hour. For RDP trails, it depends greatly on the circumstances, i.e. your screen resolution and how much data is processed and moved. Fullscreen video will take several gigabytes per hour, while light administrative use with little animation on medium screen resolution takes approximately 100 megabytes per hour.

How are session recordings secured?

PrivX provides three-tiered security on session recordings:

  1. AES 128 and GCM based encryption
  2. Each trail file is secured with a unique key
  3. Each trail in turn within a trail file is also secured with a unique key

The master key is stored in the keyvault, while the trail-specific keys are stored in the filesystem. Additionally, the trail file names are obfuscated on purpose, making it impossible to trace which file pertains to which session.

What is the format of the recordings?

The recordings are native SSH/Guacamole (RDP) protocol streams.

Can the recordings be played on any other application?

No. We will most likely add the capability to download the recordings as video files through the PrivX UI later.

Who can access the recordings from PrivX?

Access to recordings can be granted via a special role. Furthermore, all members of the privx-admin role have access to recordings by default.

Can anyone download the recordings from the stored location?

As a PrivX admin, you choose the directory/NFS mount where the trails should be stored by defining it in the PrivX configuration files. PrivX neither manages permissions nor monitors changes in that directory. You must make sure that the directory is sufficiently protected against unauthorized access.

Are the recordings backed up by PrivX?

No. The PrivX admin is responsible for configuring the directory/NFS mount where trails should be stored and ensuring that it is regularly backed up.

Can I move/playback recordings between PrivX instances?

No. Each PrivX instance has its own master key that is required for processing the encrypted trail files.

How do I share a specific recording to the audit team in my company?

Make sure everyone in the audit team has the role granting access to the recordings.

What happens if I open an SSH session in multiple browser tabs?

Each session is stored as a separate trail file. We are considering implementing a feature where we can merge the activities by timeline into a single trail file and introduce anomaly detection.

What happens to the ongoing recording when my access token expires?

Consequently, your session also expires, thus ending the recording. A new session will result in a new trail file.

How do I know if a recording has been tampered with?

There is a mechanism to check for file tampering. The timing is user-configurable; by default the check is run once per day. When someone attempts to play back a tampered recording, the UI notifies the PrivX admin about it. Such files can no longer be played back by PrivX. The recording sizes and checksums are stored in the database, in the file system and as audit events. Assuming audit events are propagated from the PrivX host to an external SIEM, the sizes and checksums can be compared against stored values at a later date. PrivX also sends an audit event to syslog when an audit file has been opened.

What do I do if PrivX throws "Failed to audit" error?

This could be a sign that the designated NFS mount for storing trails is out of space or PrivX does not have sufficient permission to write to that location. Please check the syslogs to debug the situation.

What do I do if PrivX cannot play the recorded file for some reason? Is there a backdoor?

This could happen if the file has been deleted or has been tampered with. In either case, there is nothing one can do about it. There is no backdoor by design.


How does PrivX create log data on user access to target hosts?

Versions up to PrivX 7 use the syslog facility LOG_DAEMON to write audit events. By default, the audit events end up in the file /var/log/messages. From PrivX 8 onwards, CEF will use LOCAL6 instead of LOG_DAEMON.

How do you see which user (identity) has accessed the host in host log data?

When using certificate-based authentication, the user identity is logged in the sshd logs on the target host. For example, when the PrivX user 'superuser' logs in to the target host as 'ec2-user', /var/log/secure on the target host logs it as follows:

Sep 17 07:15:07 ip-172-31-49-149 sshd[21275]: Accepted publickey for ec2-user from port 3403 ssh2: RSA-CERT ID superuser@ serial 1059239823051326577 (serial 1059239823051326577) CA RSA SHA256:OmlS4VhEqBoGpm9AzgSYrvOaGSJyfot3Zf2ANMoY9So
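
The certificate ID in such lines is what ties a login on a shared account back to a person, so the same log can also show logins that carry no such identity. The following is an added example, not PrivX code: it classifies accepted sshd logins by whether they used a certificate from a trusted CA. The sample lines, addresses, host name and all fingerprints except the CA fingerprint quoted above are constructed.

```python
import re

# Certificate login, in the older sshd layout shown above and in the newer one
# that prints the key fingerprint before "ID".
CERT_LOGIN = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<account>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: \S+-CERT (?:SHA256:\S+ )?ID (?P<key_id>.+?) "
    r"\(serial (?P<serial>\d+)\) CA \S+ (?P<ca_fp>\S+)"
)
ANY_LOGIN = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<account>\S+) from (?P<src>\S+)"
)

def classify_logins(lines, trusted_ca_fps):
    """Return (attributed, unattributed) lists of accepted logins."""
    attributed, unattributed = [], []
    for line in lines:
        cert = CERT_LOGIN.search(line)
        if cert and cert["ca_fp"] in trusted_ca_fps:
            attributed.append(cert.groupdict())  # key_id carries the user identity
            continue
        login = ANY_LOGIN.search(line)
        if login:  # password, plain key, or certificate from another CA
            reason = "untrusted CA" if cert else login["method"] + " without certificate"
            unattributed.append({**login.groupdict(), "reason": reason})
    return attributed, unattributed

# CA fingerprint as quoted in the log line above; the rest is constructed.
TRUSTED_CA = {"SHA256:OmlS4VhEqBoGpm9AzgSYrvOaGSJyfot3Zf2ANMoY9So"}
SAMPLE = [
    "Sep 17 07:15:07 host1 sshd[21275]: Accepted publickey for ec2-user from 192.0.2.10 "
    "port 3403 ssh2: RSA-CERT ID superuser@example.test serial 1059239823051326577 "
    "(serial 1059239823051326577) CA RSA SHA256:OmlS4VhEqBoGpm9AzgSYrvOaGSJyfot3Zf2ANMoY9So",
    "Sep 17 07:20:11 host1 sshd[21301]: Accepted publickey for ec2-user from 198.51.100.7 "
    "port 50122 ssh2: RSA SHA256:ConstructedPlainKeyFingerprint",
    "Sep 17 07:25:42 host1 sshd[21344]: Accepted password for root from 203.0.113.9 port 40022 ssh2",
    "Sep 17 07:31:03 host1 sshd[21390]: Accepted publickey for ec2-user from 192.0.2.11 "
    "port 4100 ssh2: ED25519-CERT SHA256:ConstructedKeyFp ID someone (serial 7) "
    "CA ED25519 SHA256:ConstructedOtherCaFingerprint",
]

if __name__ == "__main__":
    ok, review = classify_logins(SAMPLE, TRUSTED_CA)
    for e in ok:
        print("attributed:", e["key_id"], "->", e["account"], "from", e["src"])
    for e in review:
        print("REVIEW:", e["account"], "from", e["src"], "-", e["reason"])
```
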

How do you see the user ID in the host log data when the user has accessed the target host via a role in PrivX?

Here is an example log entry:

Jun 13 12:41:32 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: [event="File-upload" eventID="320" connectionID="d12598fc-915a-49c8-55b8-d301d42d082a" connectionType="ssh" hostAddress="" hostUuid="a04b10f4-c9e9-49bd-76b2-5cfdcc2f63e0" path="/root/ssh_targets.png" sessionID="5fd2447a-ff4e-4384-7ec3-79b908fc5bed" size="0" targetUsername="root" userID="1da90209-2072-44f6-a65d-0ba9880836c1"]

Can PrivX monitor which files were transferred?

Yes, the audit logs include file transfer events and have the information on the filename and who transferred the file. With auditing enabled, you may also download the transferred files.
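
To show how the audit event format quoted above can be turned into a per-user list of file transfers, here is an added example that is not PrivX code. It assumes values never contain a double quote, and it only knows the event name "File-upload" from the entry above; other event names must be taken from your own logs. Apart from the first sample line, the input is constructed.

```python
import re
from collections import defaultdict

# Syslog tag "SSH-PRIVX-AUDIT[pid]:" followed by [key="value" key="value" ...].
RECORD = re.compile(r'SSH-PRIVX-AUDIT\[\d+\]: \[(?P<body>.*)\]')
PAIR = re.compile(r'(\w+)="([^"]*)"')  # assumption: no double quotes inside values

def parse_audit_line(line):
    """Return the fields of one audit line as a dict, or None for other lines."""
    m = RECORD.search(line)
    return dict(PAIR.findall(m["body"])) if m else None

def file_transfers_by_user(lines, events=("File-upload",)):
    """Group file-transfer events by the PrivX userID that performed them."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec.get("event") not in events:
            continue
        by_user[rec.get("userID", "unknown")].append({
            "target_account": rec.get("targetUsername"),
            "host": rec.get("hostUuid"),
            "path": rec.get("path"),
            "size": int(rec.get("size") or 0),
            "session": rec.get("sessionID"),  # links the event to its session
        })
    return dict(by_user)

# First entry is the event quoted above; the others are constructed.
SAMPLE = [
    'Jun 13 12:41:32 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: [event="File-upload" '
    'eventID="320" connectionID="d12598fc-915a-49c8-55b8-d301d42d082a" connectionType="ssh" '
    'hostAddress="" hostUuid="a04b10f4-c9e9-49bd-76b2-5cfdcc2f63e0" path="/root/ssh_targets.png" '
    'sessionID="5fd2447a-ff4e-4384-7ec3-79b908fc5bed" size="0" targetUsername="root" '
    'userID="1da90209-2072-44f6-a65d-0ba9880836c1"]',
    'Jun 13 12:44:10 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: [event="File-upload" '
    'eventID="320" connectionType="ssh" hostUuid="00000000-0000-0000-0000-0000000000aa" '
    'path="/tmp/constructed.tar.gz" sessionID="00000000-0000-0000-0000-0000000000bb" '
    'size="1048576" targetUsername="deploy" userID="00000000-0000-0000-0000-0000000000cc"]',
    'Jun 13 12:45:00 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: '
    '[event="Constructed-other-event" eventID="0" userID="00000000-0000-0000-0000-0000000000cc"]',
    'Jun 13 12:45:01 privx-bug-squash-host.novalocal sshd[100]: constructed unrelated line',
]

if __name__ == "__main__":
    for user, transfers in file_transfers_by_user(SAMPLE).items():
        for t in transfers:
            print(user, "as", t["target_account"], "->", t["path"], f'({t["size"]} bytes)')
```
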

Is there a way to enable session recording by default when adding a host?

Yes, set the tag privx-enable-auditing=1 for a cloud host or use the flag audit_enabled in the deploy script.

Tips and tricks

Is there a way to disable or autohide the Firefox URL or navigation bars on Carrier?

Yes, there is. Please see the config file /opt/privx/etc/carrier-config.toml on the Carrier host for these settings:

# Enable URL bar of web browser
# Enabled by default
enable_urlbar = true

# Enable navigation bar of web browser
# Enabled by default
enable_navibar = true

# Autohide navigation bar of web browser, show when hovering the mouse
# Disabled by default
autohide_navibar = false

Is there any way to restrict which Windows accounts on the endpoint should be accessible using roles?

The idea with PrivX is that you restrict which roles a particular user has access to, e.g. based on membership of the AD group Windows Admins via PrivX. Then, in the target configuration of the endpoint, you ensure that the particular user has the right to log on locally and that RDP is allowed through some AD group membership, e.g. through the role All Windows Admins, or individually if you like. The target host configuration in PrivX should have login as self for the PrivX role that has the Windows Admins via PrivX AD group configured.

This way the configuration is dynamic, and no configuration is needed beyond what Windows by default requires for RDP access with smart card authentication. Note that if your Windows target is an AWS host, you can configure the login as self using an AWS tag and enable scanning of the AWS directory for the target hosts.

How can I sudo with PrivX?

After configuring the target host for access through PrivX, one way to achieve this is to disable the password verification for sudo by editing /etc/sudoers. If the users are accessing the host using individual accounts, sudo can also be enabled only for specific accounts through /etc/sudoers. If the password verification for sudo is disabled, we strongly recommend that the host is hardened so that it is only accessible through PrivX.