Back to Infisical

Linux/Unix Discovery

docs/documentation/platform/pam/discovery/unix.mdx

0.162.95.0 KB
Original Source

Linux/Unix discovery scans a set of Linux and Unix hosts over SSH, enumerates their local accounts, stages them for review, and lets you import them into PAM as SSH accounts. Because there is no central directory to read from, you point a source at the hosts to scan and the SSH accounts to scan with.

All scan traffic is tunneled through an Infisical Gateway.

How It Works

A Linux/Unix scan connects entirely through the Gateway:

  1. Each CIDR range is expanded into a list of target hosts; individual IPs and hostnames are used as-is (hostnames are resolved by the gateway in the target network).
  2. For each host, discovery picks a credential account: it first tries an account whose stored host matches the target, otherwise it tries each account in turn until one authenticates.
  3. It reads the host's local accounts from /etc/passwd (via getent passwd) over SSH.
  4. Each login-capable account is staged as an SSH account scoped to that host. root on two hosts becomes two separate staged accounts.

Hosts that no credential can reach or authenticate to are reported on the run and skipped; the rest of the scan still completes.

Prerequisites

Before creating a Linux/Unix discovery source, make sure you have:

  • A Gateway (or Gateway pool) with network access to the hosts you want to scan.
  • One or more SSH accounts in PAM to use as credential accounts. Discovery authenticates to each host as one of these accounts, using its port. Password, private-key, and certificate (SSH CA) auth are all supported for scanning; certificate accounts are brokered through the gateway and require the target hosts to trust the account's CA.
  • The Product Admin role. See Access Control.
<Note> A scanning identity is typically provisioned uniformly across the fleet, most reliably as a key-based [SSH account](/documentation/platform/pam/accounts/ssh) whose key is trusted on every host. </Note>

Creating a Source

<Steps> <Step title="Start adding a source"> Go to **Privileged Access Manager → Discovery** and click **Add Source**, then choose **Linux/Unix**. </Step> <Step title="Configure the source"> | Field | Description | |-------|-------------| | **Name** | A descriptive name (e.g., `corp-servers`) | | **Credential Accounts** | One or more [SSH accounts](/documentation/platform/pam/accounts/ssh) used to authenticate and scan | | **Gateway** | The [Gateway](/documentation/platform/gateways/overview) or Gateway pool that scan traffic tunnels through | | **Scan Schedule** | How often to scan automatically: **Manual**, **Daily**, or **Weekly** | | **Targets** | IP addresses, IPv4 CIDR ranges, or hostnames to scan, one per line or comma-separated. Hostnames are resolved by the gateway in the target network | </Step> <Step title="Save"> Click **Add Source**. The source appears in the Discovery table. </Step> </Steps>

Account Filtering

Discovery surfaces only accounts that can be logged into. Because it reads only /etc/passwd, login-capability is inferred from each account's shell: accounts with a real login shell are kept (regular users, root, and service accounts such as postgres), while accounts with a nologin/false (or similar non-interactive) shell are dropped. This keeps daemon and system accounts that can never open a session out of the results.

Running a Scan

Trigger a scan manually with Scan Now from the source's row menu or its detail panel. Scans run in the background, and a source can only have one scan running at a time.

If the source is on a Daily or Weekly schedule, Infisical also scans it automatically when its interval has elapsed. Manual sources are only scanned when you trigger them.

Importing Accounts

From the Staged Accounts tab, select the accounts you want and click Import Accounts. Then choose:

FieldDescription
Destination FolderThe folder to import the accounts into
TemplateAn SSH account template to apply

Once imported, the accounts become regular PAM SSH accounts in the chosen folder and inherit their template's rules.

<Warning> Imported accounts arrive without a credential because discovery finds accounts with a username but no password. Open each imported account and add a credential before connecting. </Warning>

Next Steps

<CardGroup cols={2}> <Card title="Discovery Overview" icon="radar" href="/documentation/platform/pam/discovery/overview"> Understand staging, importing, and schedules. </Card> <Card title="SSH Accounts" icon="terminal" href="/documentation/platform/pam/accounts/ssh"> Learn about the account type used to authenticate scans. </Card> </CardGroup>