So you have a question but can't see the answer? Please submit your question via this form.


What is PrivX?

PrivX is lean access management software for privileged users. It’s based on the Zero Trust framework, which means no one has permanent access. Users are authenticated just-in-time and granted only the right access for the right amount of time they need to get the job done. This lowers the potential risk of unauthorized persons having access to critical infrastructure.

PrivX syncs with identity management systems, like Active Directory, and automatically maps your existing identity and authorization groups to specific access privileges. This way your access rights are always up to date. You see your entire multi-cloud and on-prem server estate in real time, in one place.

  • New generation cloud-native (microservice and open API based), credentialless, ephemeral certificate based automated access solution ("PAM") for Admin, DevOps and 3rd Party consultant access to critical infrastructure and data, such as Personal Data as governed by GDPR.
  • Automates and governs and audits access to hosts, VMs, multi-cloud instances, network devices and e.g. IIoT.
  • Integrates into corporate IGA/IDM/AAD/AD solutions for Identities & Authorizations (role-based) and SOAR/SIEM/SOC services for analysis & response. 
  • Offers unprecedented low TCO and quick ROI for setting up controlled and governed automated access, providing an easy to use Single Sign-On for users.
  • Requires no agents to be installed, managed, updated, patched with operating system updates on either clients or hosts thus greatly reducing maintenance overhead and downtimes. Container and Serverless deployments in the future will further reduce such TCO burdens typically associated with "legacy PAMs".
  • PrivX can also use username + password (Stored in PrivX KeyVault) and Authorized Key based authentication for access so that users never see / get hold of secrets.


Buying and Trying

Where can I buy PrivX and how much is it going to cost?

Please see the options here.

Can I have a free trial?

There is a free version of PrivX limited by features, maximum number of hosts and concurrent connections. If you would like to trial or run proof of concept with the full feature set without limitations, please contact us.

Can I try PrivX online?

Absolutely, the SSH Webshop also has a PrivX test drive available.

What happens when my PrivX license expires?

When your PrivX license expires, the grace period is activated. During the grace period your PrivX instance remains fully functional, but there is an expiry notification shown on the UI. When the grace period ends, your PrivX instance will cease to function until the license is reactivated.


Support and Services

Do you offer 24/7 support?

Yes, please see the available plans for more information. We also provide a well-reputed modern support portal with extensive documentation and access to customer tickets and service requests. 

Can you provide a Proof of Concept?

Yes, POCs can be provided upon request.

Can you provide training?

Yes, training can be provided upon request. However, PrivX requires significantly less training than traditional monolithic/modular applications.

Are you able to support implementation and integration projects?

Yes, we have deployed PrivX for large Financial, Retail, Service Provider and Manufacturing organizations for up to 45,000 hosts and thousands of administrators.

Do you have any partners?

Partnerships with leading IAM, CIAM, and IDaaS vendors including Fujitsu, ForgeRock, Ubisecure, Digital Information Technologies and Nordcloud validate partner interest in the product and will help SSH reach a considerably wider audience with superior seamless customer experience.


Product Info

How is PrivX recognized on the market?

  • The European Commission has awarded SSH a funding of just over €2M for development, marketing, and go-to-market activities of the PrivX product over the next 24 months.
  • The United States Patent and Trademarks Office (USPTO) has granted SSH.COM a patent (US10523445), which covers secure passwordless access to hosts in hybrid networks comprising on-premise and cloud resources.
  • KuppingerCole recognizes PrivX as an innovative solution for the PAM market.
  • SSH.COM as a company has been listed as a vendor in Gartner's Remove Standing Privileges Through a Just-In-Time PAM Approach research.

Is there a datasheet available?

You can download the datasheet by signing up here.

Is there a solution roadmap available?

The roadmap is available for customers and it can be shared systematically in reviews at least Quarterly.


Product Features

Can I use my own client on my workstation, or do I need to use a browser to connect to hosts using PrivX?

Yes, you can use your own client. PrivX will enable connecting to hosts via browser or native clients on Linux, Mac & Windows.

Do you have to install agents on target hosts?

PrivX is a zero footprint solution, so there's no need to install any software on target hosts.

Does PrivX provide access to the target host or to individual applications on the target host?

On RDP connections you can restrict which applications each user is able to access on the target Windows host; please see the documentation. On SSH connections access is provided to the target host itself, and limiting user rights on the respective target host (e.g. with restricted shells) is your decision and responsibility.

Does PrivX support High-Availability and load balancing?

Most definitely, and there are several ways to accomplish this. Please take a look at our Standard HA and AWS HA examples.

Does PrivX work with Ansible or Chef?

PrivX works with both. Please see the documentation about Ansible and Chef.

Is port forwarding possible with PrivX?

Yes, port forwarding works with PrivX Agent and PrivX Bastion (native clients). In the Authorizer config file /opt/privx/etc/authorizer.toml on PrivX servers, the setting ssh_default_extensions includes the keyword permit-port-forwarding.


Security

How is data secured?

Sensitive data is split and stored in encrypted format. In transit, all database connections, intra micro-service connections and UI connections are encrypted via TLS.

Does PrivX support limiting certain functionalities on protocol, e.g. deny port forwarding on SSH tunnel or clipboard on RDP session?

Yes, channel controls are available.

Does PrivX support the least privilege principle for granting access to managed resources?

Yes, this is the main principle of PrivX Role Based Access (RBAC). Roles can be defined on multiple elevation levels and grant access rights based on IDM/AD/AAD or ServiceNow.


Compliance

Is PrivX GDPR compliant?

Yes, PrivX helps customers control and monitor who has access to what. SSH uses PrivX for privacy data access management, control and auditing internally for HR, finance, CRM, marketing and social media automation. PrivX does not collect nor transmit any privacy data from the customer system to SSH (apart from email addresses for the Support process). See SSH Privacy Policy for more information.

Does PrivX fulfil standard security requirements defined in e.g. ISO27001, PCI/DSS and CSA Star?

Access governance and management and auditing can be implemented according to those standards with PrivX connected to Identity and Authorizations Management in separate systems, such as IDM, IGA or AAD/AD.


Session Recording and Playback

How much file space is needed for a session recording?

Generally, SSH trails take a few megabytes per hour. For RDP trails, it depends greatly on the circumstances, i.e. your screen resolution and how much data is processed and moved. Fullscreen video will take several gigabytes per hour, while light administrative use with little animation on medium screen resolution takes approximately 100 megabytes per hour.

How are session recordings secured?

PrivX provides three-tiered security on session recordings:

  1. AES 128 and GCM based encryption
  2. Each trail file is secured with a unique key
  3. Each trail in turn within a trail file is also secured with a unique key

The master key is stored in the keyvault while the trail specific keys are stored in the filesystem. Additionally, the trail file names are obfuscated on purpose, making it impossible to trace which file pertains to which session.

What is the format of the recordings?

The recordings are native SSH/Guacamole (RDP) protocol streams.

Can the recordings be played on any other application?

No. We will most likely add the capability to download the recordings as video files through the PrivX UI later.

Who can access the recordings from PrivX?

Access to recordings can be granted via a special role. Furthermore, all members of the privx-admin role have access to recordings by default.

Can anyone download the recordings from the stored location?

As a PrivX admin, you choose the directory/NFS mount where the trails should be stored by defining it in the PrivX configuration files. PrivX does not manage permissions nor monitor the changes in that directory.  You must make sure that the directory is sufficiently protected against unauthorized access.

Are the recordings backed up by PrivX?

No. PrivX admin is responsible for configuring the directory/NFS mount where trails should be stored and ensuring that it is regularly backed up.

Can I move/playback recordings between PrivX instances?

No. Each PrivX instance has its own master key that is required for processing the encrypted trail files.

How do I share a specific recording to the audit team in my company?

Make sure everyone in the audit team has the role granting access to the recordings.

What happens if I open an SSH session on multiple browser tabs?

Each session is stored as a separate trail file. We are considering implementing a feature where we can merge the activities by timeline into a single trail file and introduce anomaly detection.

What happens to the ongoing recording when my access token expires?

Consequently, your session also expires, thus ending the recording. A new session will result in a new trail file.

How do I know if a recording has been tampered with?

There is a mechanism to check file tampering. The timing is user configurable, by default it is run once per day. When attempting to playback a tampered recording, UI will notify the PrivX admin about the fact. Such files can no longer be played back by PrivX. The recording sizes and checksums are stored in the database, file system and as audit events. Assuming audit events are propagated from the PrivX host to an external SIEM, the sizes & checksums can be compared against stored values at a later date. PrivX also sends out an audit event to syslog when an audit file has been opened.

What do I do if PrivX throws "Failed to audit" error?

This could be a sign that the designated NFS mount for storing trails is out of space or PrivX does not have sufficient permission to write to that location. Please check the syslogs to debug the situation.

What do I do if PrivX cannot play the recorded file for some reason? Is there a backdoor?

This could happen if the file has been deleted or has been tampered with. In either case, there is nothing one can do about it. There is no backdoor by design.


Auditing

How does PrivX create log data on user access to target hosts?

Versions up to PrivX 7 use syslog functionality LOG_DAEMON to write audit events. By default, the audit events end up in file /var/log/messages. From PrivX 8 onwards, CEF will use LOCAL6 instead of the LOG_DAEMON.

How do you see which user (identity) has accessed the host in host log data?

When using certificate-based authentication, the user identity is logged in the sshd logs on the target host. For example, when PrivX user 'superuser' logs in to target host as 'ec2-user', /var/log/secure on target host logs it as follows:

Sep 17 07:15:07 ip-172-31-49-149 sshd[21275]: Accepted publickey for ec2-user from 195.20.116.1 port 3403 ssh2: RSA-CERT ID superuser@127.0.0.1:43836 serial 1059239823051326577 (serial 1059239823051326577) CA RSA SHA256:OmlS4VhEqBoGpm9AzgSYrvOaGSJyfot3Zf2ANMoY9So

How do you see user ID on the host log data when the user has accessed target host via a role in PrivX?

Here is an example log entry:

Jun 13 12:41:32 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: [event="File-upload" eventID="320" connectionID="d12598fc-915a-49c8-55b8-d301d42d082a" connectionType="ssh" hostAddress="10.11.0.46:22" hostUuid="a04b10f4-c9e9-49bd-76b2-5cfdcc2f63e0" path="/root/ssh_targets.png" sessionID="5fd2447a-ff4e-4384-7ec3-79b908fc5bed" size="0" targetUsername="root" userID="1da90209-2072-44f6-a65d-0ba9880836c1"]

Can PrivX monitor which files were transferred?

Yes, the audit logs include file transfer events and have the info on the filename and who transferred the file. With auditing enabled, you may also download the transferred files.
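
The two log formats shown above can be parsed on the SIEM side to attribute shared-account logins to a PrivX user and to list file-transfer events. The following is an added example, not part of PrivX or its documentation; the function names are hypothetical, and it assumes the text before '@' in the certificate ID is the PrivX user name, as in the sample entry.

```python
import re

# SSHD_CERT and PRIVX_AUDIT are the entries quoted above; SSHD_PLAIN is constructed
# (a key login on the same host that presented no certificate).
SSHD_CERT = ("Sep 17 07:15:07 ip-172-31-49-149 sshd[21275]: Accepted publickey for ec2-user "
             "from 195.20.116.1 port 3403 ssh2: RSA-CERT ID superuser@127.0.0.1:43836 "
             "serial 1059239823051326577 (serial 1059239823051326577) "
             "CA RSA SHA256:OmlS4VhEqBoGpm9AzgSYrvOaGSJyfot3Zf2ANMoY9So")
SSHD_PLAIN = ("Sep 17 07:20:00 ip-172-31-49-149 sshd[21301]: Accepted publickey for "
              "ec2-user from 203.0.113.9 port 50022 ssh2: RSA SHA256:CONSTRUCTED-EXAMPLE")
PRIVX_AUDIT = ('Jun 13 12:41:32 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: '
               '[event="File-upload" eventID="320" '
               'connectionID="d12598fc-915a-49c8-55b8-d301d42d082a" connectionType="ssh" '
               'hostAddress="10.11.0.46:22" hostUuid="a04b10f4-c9e9-49bd-76b2-5cfdcc2f63e0" '
               'path="/root/ssh_targets.png" sessionID="5fd2447a-ff4e-4384-7ec3-79b908fc5bed" '
               'size="0" targetUsername="root" userID="1da90209-2072-44f6-a65d-0ba9880836c1"]')

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<account>\S+) "
                      r"from (?P<src>\S+) port \d+ ssh2(?:: (?P<detail>.*))?")
CERT = re.compile(r"(?P<keytype>\S+)-CERT ID (?P<cert_id>\S+) serial (?P<serial>\d+)"
                  r".* CA \S+ (?P<ca>\S+)$")
AUDIT = re.compile(r"SSH-PRIVX-AUDIT\[\d+\]: \[(?P<body>.*)\]")
KV = re.compile(r'(\w+)="([^"]*)"')

def parse_sshd_login(line):
    """Parse an sshd 'Accepted ...' line; add certificate fields when present."""
    m = ACCEPTED.search(line)
    if not m:
        return None
    rec = {k: m[k] for k in ("method", "account", "src")}
    cert = CERT.match(m["detail"] or "")
    rec["certificate"] = bool(cert)
    if cert:  # assumption: text before '@' in the certificate ID is the PrivX user
        rec.update(cert.groupdict(), identity=cert["cert_id"].split("@", 1)[0])
    return rec

def parse_privx_audit(line):
    m = AUDIT.search(line)
    return dict(KV.findall(m["body"])) if m else None

def triage(lines):
    """Return (logins lacking a certificate, file-transfer audit events)."""
    no_cert, transfers = [], []
    for line in lines:
        login, event = parse_sshd_login(line), parse_privx_audit(line)
        if login and not login["certificate"]:
            no_cert.append(login)
        # Only "File-upload" appears above; the "File-" prefix match is an assumption.
        if event and event.get("event", "").startswith("File-"):
            transfers.append(event)
    return no_cert, transfers
```

On hosts that use certificate-based authentication, the first list returned by triage() shows logins that cannot be tied to a PrivX identity from the sshd log alone.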

Is there a way to enable session recording by default when adding a host?

Yes, set tag privx-enable-auditing=1 for a cloud host or use flag audit_enabled in deploy script.


Tips and Tricks

Is there a way to disable or autohide the Firefox URL or navigation bars on Carrier?

Yes there is, please see the config file /opt/privx/etc/carrier-config.toml on Carrier host for these settings:

# Enable Firefox browser kiosk mode
# Disables right mouse button, maximize and minimize buttons and navigation.
# This setting overrides all other settings below.
# Disabled by default
kiosk_mode = false

# Enable URL bar of web browser
# Effective only, if kiosk mode is disabled.
# Enabled by default
enable_urlbar = true

# Enable navigation bar of web browser
# Effective only, if kiosk mode is disabled.
# Enabled by default
enable_navibar = true

# Autohide navigation bar of web browser, show when hovering the mouse
# Effective only, if kiosk mode is disabled.
# Disabled by default
autohide_navibar = false

Is there any way to restrict which Windows accounts in endpoint should be able to access using roles?

The idea with PrivX is that you restrict which roles a particular user has access to, e.g. based on membership of AD group Windows Admins via PrivX and then on target configuration of the endpoint ensure that the particular user has the access right to logon locally and RDP allowed through some AD group membership, e.g. through role All Windows Admins or individually if you like. The target host configuration on PrivX should have login as self for the PrivX role that has Windows Admins via PrivX AD group configured.

This way the configuration is dynamic and there is no need to do any additional configuration beyond what Windows by default would require for RDP access with smart card authentication. Note that if your Windows target is an AWS host, you can configure the login as self using an AWS tag and enable scanning of the AWS directory for the target hosts.

How can I sudo with PrivX?

After having configured the target host for access through PrivX, one way to achieve this is to disable the password verification for sudo by editing /etc/sudoers. If the users are accessing the host using individual accounts, sudoing can also be enabled only for specific accounts through /etc/sudoers. If the password verification for sudo is disabled, we strongly recommend that the host is hardened in a way that it is only accessible through PrivX.

Can I configure how often PrivX verifies the connected user's access rights?

Yes, please modify the setting reauthorization_interval_sec as needed in files *-proxy.toml and *-mitm.toml.

How can I reset the superuser password?

  1. On a PrivX server, obtain a hashed version of your new password (replace example_password with your new password):
    # /opt/privx/bin/keyvault-tool bcrypt <example_password>
  2. Access the PrivX database using psql with write permissions. Change the superuser password (replace password_hash and superuser with the hashed password and your superuser account name respectively):
    # UPDATE localuser SET password='password_hash' WHERE username='superuser';

You can now log into PrivX as superuser using the new password.

How to enable web login to AWS console or Azure portal

To enable login to AWS console or Azure portal, certain additional fields need to be added to host services:

Can I change the banner text?

Yes, please modify the setting privx_instance_name as needed in file shared_config.toml.