Connecting to a target machine through CyberArk PSMP with PuTTY using the username@accountname@targetIPaddress@PSMPaddress syntax.

Connecting through CyberArk’s PSMP with PuTTY: the four-part syntax you’ll use

If you’re navigating privileged access, you’ve probably heard about the Privileged Session Management Proxy—PSMP for short. Think of it as a secure doorway that makes sure every session to a target machine is properly authorized, recorded, and auditable. When you’re using PuTTY to reach a protected host through PSMP, there’s a precise way to structure the login path. The four-part string you’ll see is: username@accountname@targetIPaddress@PSMPaddress. Yes, it’s a mouthful, but it’s also the backbone of a clean, auditable connection flow.

What PSMP does for you

Before we break down the string, let’s ground this in the bigger picture. PSMP sits in CyberArk’s ecosystem as the gatekeeper for privileged sessions. It:

• routes your connection through a controlled path

• retrieves the right credentials from the CyberArk vault

• records the session for auditing and compliance

• helps enforce the principle of least privilege by ensuring you connect with the exact account that has permission on the target

All of this sounds a little security-centric, but it pays off when you’re managing many servers and a bunch of accounts. The PSMP’s role is to keep things traceable and prevent ad-hoc privilege escalation.

Decoding the four-part address

Let’s unpack the parts, one by one, and then see why they come together in that exact order.

• username: This is the identity you’re using to authenticate on the target machine. It’s not the CyberArk account name at this stage; it’s the login name you’ll use on the destination system once you’re there. It’s part of the chain that tells PSMP who you are at the end of the tunnel.

• accountname: This is CyberArk’s account label—the credential holder that maps to the target. It tells PSMP which set of credentials to fetch from the vault for this session. In other words, it’s the key that lets PSMP pull the right password or key for the target.

• targetIPaddress: The actual destination you want to reach. This is the IP (or hostname) of the machine you’re trying to access, once the PSMP has granted you a path through.

• PSMPaddress: The entry point—the gateway itself. This is where your connection starts. It’s the CyberArk-protected proxy that enforces policy, prompts for the right credentials, and records the session as it proceeds.

Putting the formula into PuTTY

Now the practical part. In PuTTY, you typically enter the host name (and port) you’re connecting to. With PSMP, you use the four-part string as the target host name, so PuTTY can route the session through CyberArk’s gateway and apply the right credentials to the right destination.

A concrete example helps: imagine you’re Alice. Your login on the target is alice, the CyberArk account label is myAppServerAcct, the target host is 10.0.1.25, and the PSMP gateway is psmp.cyberark.example.com. The full host field in PuTTY would be:

alice@myAppServerAcct@10.0.1.25@psmp.cyberark.example.com

That single line tells PuTTY (via the PSMP) to fetch your credentials for myAppServerAcct, reach 10.0.1.25 on your behalf, and route everything through psmp.cyberark.example.com for authentication, access control, and recording. You don’t see every credential on screen, but PSMP uses them behind the scenes to establish a secure session.

Think of it like mailing a letter through a trusted courier who knows exactly which address to deliver to, who is allowed to be there, and who’s watching the whole handoff. The four parts are the address, the courier’s authorization, the destination, and the courier hub.

Why the order matters

The sequence username, accountname, targetIPaddress, PSMPaddress is intentional. If you switch the order, the system wouldn’t know whose credentials to pull, which target you’re allowed to access, or through which gateway the session should be relayed. In short, the order ties together identity, authorization, destination, and the security layer that sits in between.

• The username anchors the session on the target.

• The accountname pulls the correct credentials from CyberArk.

• The targetIPaddress designates where the work happens.

• The PSMPaddress provides the secure path, logging, and governance that CyberArk enforces.

A few practical notes for smooth sailing

• Consistency is king. Use the same naming conventions for account labels and target hosts across your environment. It reduces confusion when you’re managing dozens of servers and dozens of accounts.

• Keep credentials tightly controlled. The PCMP (the PSMP) is a gatekeeper. Rely on its vault to fetch the correct secret for each account, rather than embedding passwords in scripts or in plain text files.

• Expect auditing to show up in reports. Since PSMP sessions are recorded, you’ll often be able to review who connected, when, and what actions were taken. That visibility isn’t a burden; it’s a safety net.

• Test in a safe lab. If you’re new to this, try a sandbox environment first. Practice would help you feel fluent with the path, but a controlled lab is the fastest way to avoid missteps in production.

• Watch the syntax closely. A misplaced symbol or a missing segment means PuTTY won’t be able to route the session. Keep the four parts intact, in the right order.

Common gotchas (and how to handle them)

• Typing mistakes: A small typo in accountname or PSMPaddress can derail the whole connection. Double-check each segment, and consider copy-pasting from a secure reference to avoid typos.

• Host key prompts: When you first connect to a PSMP, PuTTY may prompt you to verify the host key. Make sure you’re on the legitimate PSMP address and that you accept the key only when you’re certain.

• Credential lifecycle: If credentials change in the vault, PSMP will fetch the updated secret for new sessions. Don’t assume last session credentials will work forever; rely on the vault’s current state.

• Role-based access: Some accounts are scoped to particular targets or time windows. If you’re blocked, it might be a policy restriction rather than a misconfiguration. Check with your security or operations team.

Real-world flavor: a quick scenario

Let’s say you’re a systems admin responsible for a cluster of Linux servers. You need to run a diagnostic on server 10.0.3.77, but you don’t want direct access to the machine. You log into PuTTY with the four-part string, something like:

adminAcct@srvDiagAcct@10.0.3.77@psmp.lab.example.com

On login, PSMP grabs the credentials tied to srvDiagAcct, connects to 10.0.3.77 on your behalf, and starts a session that’s recorded. You run your commands, PSMP logs every keystroke, the session is auditable, and when you’re done, the gateway ends the session cleanly. It’s a quiet, disciplined workflow that keeps risk metrics in check while you get the job done.

Beyond PuTTY: broader implications and other tools

PuTTY isn’t the only client you’ll encounter in this space. The same four-part addressing concept often translates to other SSH clients or to features like SSH Jump or ProxyCommand configurations. The underlying idea is universal: a secure gateway, a precise mapping to credentials, a target, and an auditable path. If you ever switch from PuTTY to another client, you’ll still be applying the same four pieces in the right order.

A final thought: the culture of secure access

This approach isn’t just about moving from point A to point B. It’s about building a culture where access is deliberate, credentials are vault-protected, and every session is part of a compliant, traceable chain. The four-part syntax is a practical tool for that culture: it encodes security policy into the very act of connecting.

If you’re exploring PSMP and PuTTY, take it slowly and walk through a few mock sessions. Pay attention to how the system responds to each piece of the string, and you’ll notice how the gateway, the credentials, and the target align to produce a smooth, controlled connection. In the end, it’s not just about getting in—it’s about staying in control, responsibly and transparently.

A small recap to seal the idea

• PSMP acts as a secure barrier for privileged sessions.

• The four-part address in PuTTY is: username@accountname@targetIPaddress@PSMPaddress.

• Each segment has a clear role: target login, CyberArk account, destination host, and the gateway.

• The order matters, because it ties together who you are, which credentials you’re using, where you’re going, and how the security layer sits in front of that journey.

• Practice in a safe environment, verify host keys, and expect session recording to be part of the process.

If you ever feel tangled in the details, remember that the goal behind this structure is simple: trustworthy, auditable access that keeps your systems safe while you get the work done. And that sense of clarity—when the pieces click into place—makes the whole process feel less like a puzzle and more like a well-orchestrated workflow.