Agentless privilege elevation on Unix endpoints.
Motivation
Privilege elevation on Unix and Linux endpoints allows users to obtain temporary, tightly controlled access to higher-level permissions. At its most basic level, this is handled through native mechanisms such as sudo, enabling specific commands to run as root or another privileged account.
Privileged Access Management (PAM) builds on this foundation by introducing centralized policy control, role-based access enforcement, full session and event recording, enterprise directory integration, and AI-driven monitoring and analysis. Instead of relying solely on local configuration files, organizations gain visibility, accountability, and governance across all privileged activity.
An agentless approach to privilege elevation leverages native Unix and Linux capabilities without requiring third-party agents or packages on each endpoint. This significantly reduces deployment complexity, accelerates adoption, and minimizes ongoing operational overhead—while maintaining strong security controls.
12Port Solution
12Port PAM SSH Proxy with credential injection is a core capability that enables system owners to grant secure access to Unix endpoints at precisely defined privilege levels using a native SSH client.
Users working within an unprivileged interactive shell can initiate a session or execute a privileged command using the native SSH client. The connection is transparently routed through the PAM server, which brokers the session back to the same endpoint using privileged credentials securely stored in the PAM vault.
Those credentials are injected into the privileged session without being exposed to the user, ensuring controlled elevation, full auditability, and centralized policy enforcement.
Architecture of the agentless privilege elevation
The diagram below shows the architecture of agentless privilege elevation and its components:
- 12Port PAM Server.
- Web SSH Client.
- Native SSH Client (PuTTY in this case, but it could be any other desktop or mobile client).
- Destination Unix or Linux endpoint or network device.
- Non-Privileged Asset stored in the PAM Vault.
- Privileged Asset stored in the PAM Vault.
Step 1: Accessing unprivileged session
First, the user establishes an unprivileged session on the remote Unix endpoint through one of the following access paths:
- Route 1a: via the PAM Web SSH session using the Non-Privileged Asset.
- Route 1b: via the PAM SSH Proxy from a native SSH client using the Non-Privileged Asset.
- Route 1c: direct access to the endpoint, not passing through the PAM Server.
This initial connection operates with regular user privileges before any controlled privilege elevation is requested.
Step 2: Privilege elevation
Inside the unprivileged shell on the remote endpoint, the user launches the native SSH client to establish a new connection routed through the PAM Server. The PAM Server then brokers the session back to the same endpoint using a designated Privileged Asset, securely injecting the vaulted credentials into the elevated session. Because this second connection originates on the endpoint itself, the endpoint must be able to open an outbound SSH connection to the PAM Server.
This process enables controlled privilege elevation without exposing high-privilege credentials to the user.
Route 2 on the diagram above highlights the network traffic during privilege elevation.
When elevating privileges on the remote endpoint, the user may either establish an interactive privileged shell (Route 2a) or execute a single command with elevated rights (Route 2b). In both scenarios, the PAM server can optionally enforce command filtering within the privileged session, restricting access to specific commands or resources according to defined policies.
This ensures that privilege elevation remains controlled, auditable, and aligned with least-privilege principles.
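As an added illustration of the decision the proxy makes for a Route 2 request, the following Python models the broker's policy path. It is not 12Port's code: the asset and policy layout, the host, account and user names, the secrets, the same-endpoint rule and the allowlist shape are all constructed for this example. It looks up the requested Privileged Asset, confirms the asset brokers back to the endpoint the request came from, checks that the requester may elevate there, applies a command filter for a single-command request (Route 2b) or the shell permission for an interactive request (Route 2a), writes an audit event, and returns a session descriptor that carries no vaulted secret.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed model of a PAM SSH proxy brokering privilege elevation (example code,
# not 12Port's implementation). Hosts, accounts, users and secrets are made up.


@dataclass(frozen=True)
class Asset:
    name: str
    host: str        # endpoint the asset logs in to
    account: str     # OS account on that endpoint
    privileged: bool


# Constructed vault contents: (asset, secret). The secret is only ever read inside broker().
VAULT = {
    "web01-user": (Asset("web01-user", "web01.example.internal", "alice", False), "s3cret-alice"),
    "web01-root": (Asset("web01-root", "web01.example.internal", "root", True), "s3cret-root"),
    "db01-root": (Asset("db01-root", "db01.example.internal", "root", True), "s3cret-db"),
}

# Constructed policy: who may elevate on which endpoint, whether an interactive shell
# (Route 2a) is allowed, and which single commands (Route 2b) are. A value of None for a
# command means any arguments are accepted; a list restricts the first argument.
POLICY = {
    ("alice", "web01.example.internal"): {
        "shell": True,
        "commands": {"systemctl": ["restart", "status"], "journalctl": None},
    },
    ("bob", "web01.example.internal"): {"shell": False, "commands": {"journalctl": None}},
}

AUDIT: list[dict] = []

# Characters that would make the remote shell run more than the one vetted command.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def filter_command(command: str, allowed: dict) -> Optional[str]:
    """Return None if the command passes the allowlist, otherwise the reason it was rejected."""
    if SHELL_META.search(command):
        return "shell metacharacters are not allowed"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return f"unparseable command: {exc}"
    if not argv:
        return "empty command"
    prog = argv[0]
    if "/" in prog:
        # No caller-chosen path: an allowlisted name must resolve through the privileged
        # account's own PATH, not to a binary the unprivileged user placed somewhere.
        return "command must be given without a path"
    if prog not in allowed:
        return f"{prog} is not in the allowlist"
    subcommands = allowed[prog]
    if subcommands is not None and (len(argv) < 2 or argv[1] not in subcommands):
        return f"{prog} may only be used with {subcommands}"
    return None


def broker(requester: str, source_host: str, asset_name: str, command: Optional[str] = None) -> dict:
    """Decide a Route 2 request. source_host is the endpoint the proxy sees the connection
    arriving from (assumed to be resolvable from the source address); command=None asks for
    an interactive privileged shell (Route 2a), otherwise a single command (Route 2b)."""

    def deny(reason: str) -> dict:
        AUDIT.append({"requester": requester, "asset": asset_name, "command": command,
                      "result": "denied", "reason": reason})
        return {"allowed": False, "reason": reason, "session": None}

    entry = VAULT.get(asset_name)
    if entry is None:
        return deny("unknown asset")
    asset, secret = entry
    if not asset.privileged:
        return deny("asset is not a privileged asset")
    if asset.host != source_host:
        return deny("elevation must broker back to the requesting endpoint")
    rule = POLICY.get((requester, asset.host))
    if rule is None:
        return deny("requester may not elevate on this endpoint")
    if command is None:
        if not rule["shell"]:
            return deny("interactive privileged shell not permitted")
    else:
        problem = filter_command(command, rule["commands"])
        if problem:
            return deny(problem)
    # Credential injection: the proxy authenticates to the endpoint with `secret` itself;
    # the descriptor handed back to the user's side names the vault entry, never the secret.
    session = {
        "user": requester, "host": asset.host, "login_as": asset.account,
        "mode": "shell" if command is None else "command", "command": command,
        "authenticated_with": f"vault:{asset.name}",
    }
    AUDIT.append({"requester": requester, "asset": asset_name, "command": command,
                  "result": "allowed", "reason": None})
    return {"allowed": True, "reason": None, "session": session}
```

The filter is deliberately conservative: it rejects shell metacharacters even inside quotes, because the proxy hands the string to the privileged account's shell and cannot know how that shell will re-parse it. An allowlist of this kind also does not contain commands that can themselves spawn a shell (editors, pagers, interpreters), so those belong either off the list or under full session recording rather than single-command mode.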
12Port Advantage
In addition to controlled privilege elevation on remote Unix, Linux, and network devices, 12Port delivers a set of powerful extended capabilities designed to strengthen overall security posture and operational governance:
- Video recording captures a full video replay of the entire privileged session for audit, forensic investigation, and compliance reporting.
- Event recording logs granular activity within the session, including keystrokes, file transfers, and clipboard activity.
- Granular access control lets administrators grant or revoke permission for selected users to elevate privileges on specific servers and devices, and control file upload, download, and clipboard usage.
- Access approval workflows support multi-level, interactive, or automated approvals for privilege elevation, configurable by policy, time of day, or day of the week.
- Command filtering restricts access to specific commands or resources within the privileged session, enforcing least-privilege policies even after elevation.
- Comprehensive event logging provides detailed reporting of access requests, approvals, and all activity performed within privileged sessions.
