Skip to main content
Linux/Unix discovery scans a set of Linux and Unix hosts over SSH, enumerates their local accounts, stages them for review, and lets you import them into PAM as SSH accounts. Because there is no central directory to read from, you point a source at the hosts to scan and the SSH accounts to scan with. All scan traffic is tunneled through an Infisical Gateway.

How It Works

A Linux/Unix scan connects entirely through the Gateway:
  1. Each CIDR range is expanded into a list of target hosts; individual IPs and hostnames are used as-is (hostnames are resolved by the gateway in the target network).
  2. For each host, discovery picks a credential account: it first tries an account whose stored host matches the target, otherwise it tries each account in turn until one authenticates.
  3. It reads the host’s local accounts from /etc/passwd (via getent passwd) over SSH.
  4. Each login-capable account is staged as an SSH account scoped to that host. root on two hosts becomes two separate staged accounts.
Hosts that no credential can reach or authenticate to are reported on the run and skipped; the rest of the scan still completes.

Prerequisites

Before creating a Linux/Unix discovery source, make sure you have:
  • A Gateway (or Gateway pool) with network access to the hosts you want to scan.
  • One or more SSH accounts in PAM to use as credential accounts. Discovery authenticates to each host as one of these accounts, using its port. Password, private-key, and certificate (SSH CA) auth are all supported for scanning; certificate accounts are brokered through the gateway and require the target hosts to trust the account’s CA.
  • The Product Admin role. See Access Control.
A scanning identity is typically provisioned uniformly across the fleet, most reliably as a key-based SSH account whose key is trusted on every host.

Creating a Source

1

Start adding a source

Go to Privileged Access Manager → Discovery and click Add Source, then choose Linux/Unix.
2

Configure the source

3

Save

Click Add Source. The source appears in the Discovery table.

Account Filtering

Discovery surfaces only accounts that can be logged into. Because it reads only /etc/passwd, login-capability is inferred from each account’s shell: accounts with a real login shell are kept (regular users, root, and service accounts such as postgres), while accounts with a nologin/false (or similar non-interactive) shell are dropped. This keeps daemon and system accounts that can never open a session out of the results.

Running a Scan

Trigger a scan manually with Scan Now from the source’s row menu or its detail panel. Scans run in the background, and a source can only have one scan running at a time. If the source is on a Daily or Weekly schedule, Infisical also scans it automatically when its interval has elapsed. Manual sources are only scanned when you trigger them.

Importing Accounts

From the Staged Accounts tab, select the accounts you want and click Import Accounts. Then choose: Once imported, the accounts become regular PAM SSH accounts in the chosen folder and inherit their template’s rules.
Imported accounts arrive without a credential because discovery finds accounts with a username but no password. Open each imported account and add a credential before connecting.

Next Steps

Discovery Overview

Understand staging, importing, and schedules.

SSH Accounts

Learn about the account type used to authenticate scans.