pbssh | EPM-UL

  • Version 6.0.1 and earlier: pbssh program not available.
  • Version 6.1 and later: pbssh program available.

Using EPM-UL policy and the pbssh program, you can control access to, and activities on, SSH-managed devices. The pbssh program is similar to the pbrun program, except that it uses the SSH protocol (or, optionally, the telnet protocol) to connect to devices that do not have EPM-UL installed on them; such devices can include Windows computers and certain network devices.

You must specify the -h option (to indicate the host name of the target device), and the -u option (to indicate the user name with which to log into the device). To execute a command on the target device, use the -C option. You may also optionally use the -P (--port) option to specify a particular port for the SSH connection.

If you have a Password Safe appliance, EPM-UL can be configured to automatically obtain the device password from Password Safe. To do so, the following EPM-UL settings must be specified on the submit host:

  • pkrunfile
  • pk_cert (or the --pk_cert option)
  • pk_servers (or the --pk_servers option)
  • pbsshshell (optional)

If you do not have a Password Safe appliance, then pbssh prompts the user for the password. The user is also prompted under these circumstances:

  • The Password Safe appliance is not available.
  • The Endpoint Privilege Management for Unix and Linux settings are not specified or not correctly specified.
  • The --skip_pkrun option is specified on the pbrun command line.
  • The --telnet option is specified on the pbrun command line.

The --domain option has two purposes, both of which are related to Password Safe:

  • If you need to log into a host using a domain account, then the --domain option defines the domain from which Password Safe should obtain the domain account password.
  • If the --user option defines a user account, and you want to use a Password Safe managed account alias in place of the actual managed system name, then you use the --domain option to specify the managed system alias.

Unlike pbrun, pbssh does not require a command to be specified. Consequently, the Endpoint Privilege Management for Unix and Linux policy function basename() always returns pbssh. In the Endpoint Privilege Management for Unix and Linux policy, to determine the command that was specified, parse the argv list.
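
The argv parsing described above, sketched in Python as an added illustration; it is not EPM-UL policy language or BeyondTrust code. It assumes argv holds the pbssh command line with one shell word per element, and the names parse_pbssh_argv and review are hypothetical.

```python
# Added illustration, not EPM-UL policy language. Assumption: argv is the
# pbssh command line, one element per shell word, with argv[0] == "pbssh".

# Options that take a value (short and long forms from the Syntax section).
VALUE_OPTS = {
    "-c": "pk_cert", "--pk_cert": "pk_cert", "-C": "command", "--command": "command",
    "-d": "debug", "--debug": "debug", "-D": "domain", "--domain": "domain",
    "-h": "host", "--host": "host", "-K": "pk_servers", "--pk_servers": "pk_servers",
    "-P": "port", "--port": "port", "-u": "user", "--user": "user",
}
# Plain switches. The page spells the -k long form both --skip_pk and --skip_pkrun.
FLAG_OPTS = {
    "-k": "skip_pkrun", "--skip_pk": "skip_pkrun", "--skip_pkrun": "skip_pkrun",
    "-r": "pk_reset_password", "--pk_reset_password": "pk_reset_password",
    "-T": "telnet", "--telnet": "telnet",
    "-v": "version", "--version": "version", "--help": "help",
}

def parse_pbssh_argv(argv):
    """Split a pbssh argument list into a dict of requested settings."""
    req = {"command": None, "host": None, "user": None, "positional": []}
    words = iter(argv[1:])
    for word in words:
        name, has_eq, value = word.partition("=")
        if name in FLAG_OPTS:
            req[FLAG_OPTS[name]] = True
        elif name in VALUE_OPTS:
            if not has_eq:                  # "-C value": value is the next word
                value = next(words, None)
            if value is None:
                raise ValueError(f"{name} requires a value")
            req[VALUE_OPTS[name]] = value
        elif word.startswith("-"):
            raise ValueError(f"unrecognised option: {word}")
        else:
            req["positional"].append(word)
    return req

def review(req):
    """Return findings a policy author would act on for this request."""
    findings = [f"missing required option for {k}" for k in ("host", "user") if not req[k]]
    if req.get("telnet") or req.get("skip_pkrun"):
        findings.append("password will be prompted, not taken from Password Safe")
    if req["command"] is None:
        findings.append("no -C command given")
    return findings

# Constructed sample: the page's Example line, already split into words.
SAMPLE = ["pbssh", "-h", "runhost", "-u", "jjones", "-C", "dir /w"]
```
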

Syntax

pbssh [options] command [command_arguments]
   -c, --pk_cert
   -C, --command
   -d, --debug=connect
   -d, --debug=time
   -d, --debug=ttime
   -D, --domain
   -h, --host=run_host
   -k, --skip_pk
   -K, --pk_servers
   -P, --port=ssh_port
   -r, --pk_reset_password
   -T, --telnet
   -u, --user=request_user
pbssh -v | --version
pbssh --help

Arguments

-c, --pk_cert
   Optional. Absolute path to the Password Safe certificate on the submit host. Overrides the pk_cert EPM-UL setting.
-C, --command='ssh_command'
   Optional. Command and arguments to be executed on the target SSH-managed device. If arguments are specified, the command and its arguments must be enclosed together in single quotation marks.
-d connect, --debug=connect
   Optional. Displays policy server connection information for debugging.
-d time, --debug=time
   Optional. Displays pbssh timing information for debugging. This option is intended primarily for BeyondTrust Technical Support.
-d ttime, --debug=ttime
   Optional. Displays pbssh total run time for debugging.
-D, --domain
   Optional. Specifies a domain for Password Safe to use when obtaining a domain account password, or defines a Password Safe managed system alias to use instead of the actual host name.
   Version 6.2 and later: option available.
-h, --host=run_host
   Requests run_host as the run host for the secured task.
-k, --skip_pkrun
   Optional. Specifies that the SSH-managed device password not be obtained from Password Safe.
-K, --pk_servers
   Optional. Specifies the host name or IP address of one or more Password Safe appliances. Overrides the pk_servers EPM-UL setting. To specify more than one appliance, separate each name by a space and enclose the list in quotation marks.
-P, --port=ssh_port
   Specifies a TCP port to use for the SSH session. If not specified, then a default port number is used.
-r, --pk_reset_password
   Optional. Specifies that Password Safe check in a new password for the user after the Password Safe command is complete.
-T, --telnet
   Optional. Specifies that a connection to an SSH-managed device be made using the telnet protocol, not the SSH protocol.
-u, --user=request_user
   Sets the variable requestuser to request_user. The policy can then decide to honor the request and set runuser and/or runeffectiveuser equal to request_user.
-v, --version
   Optional. Displays the program version and exits.
--help
   Optional. Displays the program help message and exits.

Files

/etc/pb.settings Local EPM-UL submithost settings

Example

pbssh -h runhost -u jjones -C "dir /w"

For more information, see Connections to SSH-Managed Devices.


©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.