Removing domain from username in ssh connections

Products Privilege Secure Show & Tell
1

Overview

How to extract and pass only the “username” (from a “domain\username” format) when connecting via SSH to Linux servers or network devices that require local authentication.

Description

Many automated systems including NPS, however, retrieve credentials in the format “domain\username” or “resource\username” If you attempt to pass this full string to an SSH resource (via a proxy or automation tool), authentication will fail because the target system recognizes only the plain “username”

The image displays a user interface for managing the "Linux Vault Checkout Access Policy," highlighting two checkout options and an active session status for a specific URL. (Captioned by AI)
The image displays a user interface for managing the "Linux Vault Checkout Access Policy," highlighting two checkout options and an active session status for a specific URL. (Captioned by AI)662×717 73.9 KB

To address this behavior and ensure that only the username (without “domain\” or “resource\”) is passed, you can run the following PowerShell script as a “Run Custom PowerShell Script” step in the Pre-Session Grant stage:

The image displays a configuration interface for a Linux vault checkout process, detailing pre-session, session, and post-session activities, including credential checks and login monitoring. (Captioned by AI)
The image displays a configuration interface for a Linux vault checkout process, detailing pre-session, session, and post-session activities, including credential checks and login monitoring. (Captioned by AI)577×658 58.6 KB

# This is how to access the current activity session
$activitySession = Get-SbPAMActivitySession -Id $SessionId
$username = $activitySession.loginaccountname

if ($activitySession.loginaccountname.contains('\'))
{
    ($domain,$username)=$activitySession.loginaccountname.Split('\')
}

$LoginAccount = $username

if ($LoginAccount -ne $activitySession.loginaccountname)
{
    # Change the loginaccount
    Set-SbPAMActivitySessionLoginAccount -SessionId $SessionId -LoginAccount $LoginAccount
}

After implementing this script, only the username will be passed during authentication, with the prefix (“domain\” or “resource\”) removed as required by the target device.

The image displays an interface for a Linux Vault Checkout Access Policy, featuring options for "Linux Vault Checkout" and "Linux Vault Checkout - Strip Username," along with an indication of a session that started 15 minutes ago and will end in 2 hours, marked as "Available." (Captioned by AI)
The image displays an interface for a Linux Vault Checkout Access Policy, featuring options for "Linux Vault Checkout" and "Linux Vault Checkout - Strip Username," along with an indication of a session that started 15 minutes ago and will end in 2 hours, marked as "Available." (Captioned by AI)523×574 50.8 KB

7 Likes
2

Thanks for posting this, Niraj! This is a very useful tip.

1 Like