docs/documentation/platform/pam/discovery/unix.mdx
Linux/Unix discovery scans a set of Linux and Unix hosts over SSH, enumerates their local accounts, stages them for review, and lets you import them into PAM as SSH accounts. Because there is no central directory to read from, you point a source at the hosts to scan and the SSH accounts to scan with.
All scan traffic is tunneled through an Infisical Gateway.
A Linux/Unix scan connects entirely through the Gateway:
/etc/passwd (via getent passwd) over SSH.root on two hosts becomes two separate staged accounts.Hosts that no credential can reach or authenticate to are reported on the run and skipped; the rest of the scan still completes.
Before creating a Linux/Unix discovery source, make sure you have:
Discovery surfaces only accounts that can be logged into. Because it reads only /etc/passwd, login-capability is inferred from each account's shell: accounts with a real login shell are kept (regular users, root, and service accounts such as postgres), while accounts with a nologin/false (or similar non-interactive) shell are dropped. This keeps daemon and system accounts that can never open a session out of the results.
Trigger a scan manually with Scan Now from the source's row menu or its detail panel. Scans run in the background, and a source can only have one scan running at a time.
If the source is on a Daily or Weekly schedule, Infisical also scans it automatically when its interval has elapsed. Manual sources are only scanned when you trigger them.
From the Staged Accounts tab, select the accounts you want and click Import Accounts. Then choose:
| Field | Description |
|---|---|
| Destination Folder | The folder to import the accounts into |
| Template | An SSH account template to apply |
Once imported, the accounts become regular PAM SSH accounts in the chosen folder and inherit their template's rules.
<Warning> Imported accounts arrive without a credential because discovery finds accounts with a username but no password. Open each imported account and add a credential before connecting. </Warning>