We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

JIT SESSION Password Prompt

jpuran
New Contributor
New Contributor

Hi Team, 

Hope you all doing well, so I recently bootstrapped some UNIX endpoints into our Prod environment.

Currently, the prerequisites are on all nodes, both credential and credential-less are working however for JIT sessions, I'm getting a password prompt. 

If I'm aware, this shouldn't be the case, also in the sshd_config file if we comment password authentication it works like a charm however that's not what we want in our environment. 

I'm seeing that it works for some nodes but for others, I'm getting the password prompt, can you guys let me know what I'm missing?

So, the service account is SaviyntAdmin with SaviyntUser01 and SaviyntUser02 for credentials and credential-less. 

How does the JIT authentication take place?

Warm Regards, 




3 REPLIES 3

NageshK
Saviynt Employee
Saviynt Employee

@jpuran Thanks for posting your question. You can compare the provision account command of the connections where JIT is working fine with the connections where it is not. I'm suspecting that you might have the password parameter in the connections where JIT is not working. If that is the case, you can remove the password parameter and give it a try. 

Also, as you said credential-less sessions are working fine, i'm assuming that presenting password is not mandatory to trigger a session with the server. Or, did you add a Match user in sshd_config and override the password restriction for SaviyntUser02? 

Thanks,

Nagesh K

jpuran
New Contributor
New Contributor

Hey bro, 

Thanks for the feedback, okay I'm using one master connection on all with the same provision command.

In the sshd_config file, SaviyntUser2 is set with no password. 


Warm Regards, 

J.Puran



NageshK
Saviynt Employee
Saviynt Employee

@jpuran As you have configured SaviyntUser02 to not need a password while launching a session, your credentialless session is working fine. You will have to the same thing for your JIT accounts as well where you will provide the format of the JIT account names (Remember that JIT account names use the Saviynt login's username). For example, if your saviynt logins are of the format EICUser01, EICUser02, etc. then in the MATCH User section you can mention EICUser* as the pattern and then disable password prompt.

Thanks,

Nagesh K