How It Works
A Linux/Unix scan connects entirely through the Gateway:- Each CIDR range is expanded into a list of target hosts; individual IPs and hostnames are used as-is (hostnames are resolved by the gateway in the target network).
- For each host, discovery picks a credential account: it first tries an account whose stored host matches the target, otherwise it tries each account in turn until one authenticates.
- It reads the host’s local accounts from
/etc/passwd(viagetent passwd) over SSH. - Each login-capable account is staged as an SSH account scoped to that host.
rooton two hosts becomes two separate staged accounts.
Prerequisites
Before creating a Linux/Unix discovery source, make sure you have:- A Gateway (or Gateway pool) with network access to the hosts you want to scan.
- One or more SSH accounts in PAM to use as credential accounts. Discovery authenticates to each host as one of these accounts, using its port. Password, private-key, and certificate (SSH CA) auth are all supported for scanning; certificate accounts are brokered through the gateway and require the target hosts to trust the account’s CA.
- The Product Admin role. See Access Control.
A scanning identity is typically provisioned uniformly across the fleet, most reliably as a key-based SSH account whose key is trusted on every host.
Creating a Source
1
Start adding a source
Go to Privileged Access Manager → Discovery and click Add Source, then choose Linux/Unix.
2
Configure the source
3
Save
Click Add Source. The source appears in the Discovery table.
Account Filtering
Discovery surfaces only accounts that can be logged into. Because it reads only/etc/passwd, login-capability is inferred from each account’s shell: accounts with a real login shell are kept (regular users, root, and service accounts such as postgres), while accounts with a nologin/false (or similar non-interactive) shell are dropped. This keeps daemon and system accounts that can never open a session out of the results.
Running a Scan
Trigger a scan manually with Scan Now from the source’s row menu or its detail panel. Scans run in the background, and a source can only have one scan running at a time. If the source is on a Daily or Weekly schedule, Infisical also scans it automatically when its interval has elapsed. Manual sources are only scanned when you trigger them.Importing Accounts
From the Staged Accounts tab, select the accounts you want and click Import Accounts. Then choose:
Once imported, the accounts become regular PAM SSH accounts in the chosen folder and inherit their template’s rules.
Next Steps
Discovery Overview
Understand staging, importing, and schedules.
SSH Accounts
Learn about the account type used to authenticate scans.