Local Endpoint Modules
Section: Modules | Article 56
Audience: System Administrators
Last Updated: 2026-04-08
Overview
RP-PAM includes two built-in modules for managing privileged access on non-domain-joined servers:
| Module | Target | Access Method | What It Manages |
|---|---|---|---|
| Local Windows Endpoint | Windows servers not joined to Active Directory | WinRM (HTTPS) | Local Administrators group membership |
| Local Linux Endpoint | Linux servers not managed via centralized identity | SSH | Sudoers entries |
These modules ship with the RP-PAM installer — no additional installation is required. Enable them from the Modules page in the portal.
When to use these modules vs. the AD or SSH modules:
- Use the AD module when the target server is domain-joined and you manage access through AD group membership
- Use the SSH module when you manage SSH key-based access to Linux servers
- Use these Local Endpoint modules when the target is a standalone server with local accounts only
Local Windows Endpoint
How It Works
When access is granted, RP-PAM connects to the target Windows server via WinRM and adds the user to the specified local group (default: Administrators). When the grant expires or is revoked, the user is removed.
Prerequisites
Before enabling this module, ensure:
- [ ] WinRM is enabled on the target server (`winrm quickconfig`)
- [ ] WinRM HTTPS listener is configured (port 5986)
- [ ] RP-PAM service account has local administrator rights on the target
- [ ] Firewall allows TCP 5986 from the RP-PAM server to the target
Configuration
Enable the module from Modules in the portal, then configure:
| Field | Description | Example |
|---|---|---|
| Target Host | Hostname or IP of the Windows server | 192.168.1.50 |
| WinRM Port | HTTPS port (default: 5986) | 5986 |
| Admin Username | Local admin account on the target | rppam-svc |
| Admin Password | Password for the admin account | Stored encrypted in vault |
Resource Metadata
When creating a resource for this module, configure:
| Field | Description | Default |
|---|---|---|
| Target User | The local username to add/remove | (from access request) |
| Local Group | The local group to manage | Administrators |
Local Linux Endpoint
How It Works
When access is granted, RP-PAM connects via SSH and creates a sudoers file for the user. When the grant expires or is revoked, the sudoers file is removed.
Each grant gets its own sudoers file, named with the grant ID for clean tracking and removal.
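The grant and revoke cycle described above, as an added example that is not RP-PAM's own code: a POSIX shell emulation of the per-grant sudoers drop-in, including the checks a drop-in needs so that sudo actually reads it and a bad entry never reaches the live directory. The function names, the `rppam-` file prefix and the `SUDOERS_DIR` override are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not RP-PAM's code): create and remove one sudoers drop-in per grant.
# SUDOERS_DIR defaults to /etc/sudoers.d; override it to exercise the logic elsewhere.
set -eu

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"

# Reduce a grant ID to characters that are safe in a sudoers file name.
# #includedir silently ignores files whose name contains '.' or ends in '~'.
sanitize_id() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9_-'
}

# Write <SUDOERS_DIR>/rppam-<grant-id> granting full sudo to one user.
# Returns non-zero, leaving nothing behind, if the input or the entry is invalid.
grant_sudo() {
    user="$1"; grant_id=$(sanitize_id "$2")
    [ -n "$grant_id" ] || { echo "empty grant id" >&2; return 1; }
    case "$user" in *[!A-Za-z0-9_-]*|"") echo "bad username" >&2; return 1;; esac
    file="$SUDOERS_DIR/rppam-$grant_id"
    tmp="$file.tmp"   # the '.' keeps sudo from reading the file before it is validated
    umask 077
    printf '# RP-PAM grant %s\n%s ALL=(ALL) ALL\n' "$grant_id" "$user" > "$tmp"
    chmod 0440 "$tmp"
    # visudo -cf checks syntax without touching the live sudoers; skipped if absent.
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$file"
}

# Revoke by deleting the drop-in; idempotent so a retried revocation is harmless.
revoke_sudo() {
    rm -f "$SUDOERS_DIR/rppam-$(sanitize_id "$1")"
}
```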
Prerequisites
Before enabling this module, ensure:
- [ ] SSH server is running on the target (port 22 by default)
- [ ] RP-PAM service account has SSH access with sudo privileges on the target
- [ ] Firewall allows TCP 22 from the RP-PAM server to the target
- [ ] `/etc/sudoers.d/` directory exists and is included via `#includedir` in `/etc/sudoers`
Configuration
| Field | Description | Example |
|---|---|---|
| Target Host | Hostname or IP of the Linux server | 192.168.1.60 |
| SSH Port | SSH port (default: 22) | 22 |
| Admin Username | SSH account with sudo access | rppam-svc |
| Auth Method | Password or SSH key | Key recommended |
Resource Metadata
| Field | Description | Default |
|---|---|---|
| Target User | The username to grant sudo access to | (from access request) |
Domain-Joined Server Warning
When adding a Windows or Linux endpoint, RP-PAM probes the target to check if it is domain-joined. If it detects domain membership, you will see:
This machine appears to be domain-joined. Consider managing access through the AD module instead.
You can still proceed if you have a legitimate reason (e.g., managing local service accounts separately from domain accounts, or needing local admin access when AD is unreachable).
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| WinRM connection refused | WinRM not enabled or HTTPS listener missing | Run `winrm quickconfig` and configure HTTPS |
| SSH connection refused | SSH service not running or port blocked | Verify sshd is running and firewall allows port 22 |
| "Access denied" during grant | Service account lacks admin rights | Verify the RP-PAM service account is in the Administrators group (Windows) or has sudo (Linux) |
| Sudoers file not created | `/etc/sudoers.d/` not included | Add `#includedir /etc/sudoers.d` to `/etc/sudoers` |
| User not removed after revoke | Network error during revocation | Check connectivity; RP-PAM will retry via the outbox |
Next Steps
- Active Directory Module — For domain-joined Windows servers
- SSH Module — For SSH key-based access
- Browser-Based Sessions — Connect via browser after access is granted
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.