> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Linux/Unix Discovery

> Scan Linux and Unix hosts over SSH for local accounts and import them into PAM.

Linux/Unix discovery scans a set of Linux and Unix hosts over SSH, enumerates their local accounts, stages them for review, and lets you import them into PAM as [SSH accounts](/documentation/platform/pam/accounts/ssh). Because there is no central directory to read from, you point a source at the hosts to scan and the [SSH accounts](/documentation/platform/pam/accounts/ssh) to scan with.

All scan traffic is tunneled through an Infisical [Gateway](/documentation/platform/gateways/overview).

## How It Works

A Linux/Unix scan connects entirely through the Gateway:

1. Each **CIDR range** is expanded into a list of target hosts; individual IPs and hostnames are used as-is (hostnames are resolved by the gateway in the target network).
2. For each host, discovery picks a credential account: it first tries an account whose stored host matches the target, otherwise it tries each account in turn until one authenticates.
3. It reads the host's local accounts from `/etc/passwd` (via `getent passwd`) over SSH.
4. Each login-capable account is staged as an **SSH** account scoped to that host. `root` on two hosts becomes two separate staged accounts.

Hosts that no credential can reach or authenticate to are reported on the run and skipped; the rest of the scan still completes.

## Prerequisites

Before creating a Linux/Unix discovery source, make sure you have:

* A [Gateway](/documentation/platform/gateways/overview) (or Gateway pool) with network access to the hosts you want to scan.
* One or more [SSH accounts](/documentation/platform/pam/accounts/ssh) in PAM to use as **credential accounts**. Discovery authenticates to each host as one of these accounts, using its port. Password, private-key, and certificate (SSH CA) auth are all supported for scanning; certificate accounts are brokered through the gateway and require the target hosts to trust the account's CA.
* The **Product Admin** role. See [Access Control](/documentation/platform/pam/concepts/access-control).

<Note>
  A scanning identity is typically provisioned uniformly across the fleet, most reliably as a key-based [SSH account](/documentation/platform/pam/accounts/ssh) whose key is trusted on every host.
</Note>

## Creating a Source

<Steps>
  <Step title="Start adding a source">
    Go to **Privileged Access Manager → Discovery** and click **Add Source**, then choose **Linux/Unix**.
  </Step>

  <Step title="Configure the source">
    | Field                   | Description                                                                                                                                        |
    | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
    | **Name**                | A descriptive name (e.g., `corp-servers`)                                                                                                          |
    | **Credential Accounts** | One or more [SSH accounts](/documentation/platform/pam/accounts/ssh) used to authenticate and scan                                                 |
    | **Gateway**             | The [Gateway](/documentation/platform/gateways/overview) or Gateway pool that scan traffic tunnels through                                         |
    | **Scan Schedule**       | How often to scan automatically: **Manual**, **Daily**, or **Weekly**                                                                              |
    | **Targets**             | IP addresses, IPv4 CIDR ranges, or hostnames to scan, one per line or comma-separated. Hostnames are resolved by the gateway in the target network |
  </Step>

  <Step title="Save">
    Click **Add Source**. The source appears in the Discovery table.
  </Step>
</Steps>

## Account Filtering

Discovery surfaces only accounts that can be logged into. Because it reads only `/etc/passwd`, login-capability is inferred from each account's shell: accounts with a real login shell are kept (regular users, `root`, and service accounts such as `postgres`), while accounts with a `nologin`/`false` (or similar non-interactive) shell are dropped. This keeps daemon and system accounts that can never open a session out of the results.

## Running a Scan

Trigger a scan manually with **Scan Now** from the source's row menu or its detail panel. Scans run in the background, and a source can only have one scan running at a time.

If the source is on a **Daily** or **Weekly** schedule, Infisical also scans it automatically when its interval has elapsed. **Manual** sources are only scanned when you trigger them.

## Importing Accounts

From the **Staged Accounts** tab, select the accounts you want and click **Import Accounts**. Then choose:

| Field                  | Description                                                                            |
| ---------------------- | -------------------------------------------------------------------------------------- |
| **Destination Folder** | The [folder](/documentation/platform/pam/folders/overview) to import the accounts into |
| **Template**           | An [SSH account template](/documentation/platform/pam/templates/overview) to apply     |

Once imported, the accounts become regular PAM SSH accounts in the chosen folder and inherit their template's rules.

<Warning>
  Imported accounts arrive without a credential because discovery finds accounts with a username but no password. Open each imported account and add a credential before connecting.
</Warning>

## Next Steps

<CardGroup cols={2}>
  <Card title="Discovery Overview" icon="radar" href="/documentation/platform/pam/discovery/overview">
    Understand staging, importing, and schedules.
  </Card>

  <Card title="SSH Accounts" icon="terminal" href="/documentation/platform/pam/accounts/ssh">
    Learn about the account type used to authenticate scans.
  </Card>
</CardGroup>
