Password Auto-Injection
Password auto-injection allows admins to give users an authenticated session on a local device without ever revealing the device password to the user.
Dispel offers a suite of standard password injection capabilities, as well as support for custom injection connectors. Standard injection capabilities include:
SSH sessions
RDP sessions
VNC sessions
HTTPS sessions to an HTML-based web server
HTTP sessions to browser-based basic auth
Custom injection capabilities are available for additional or proprietary client applications.
Auto-Injection is set up in 2 phases:
Admin sets up a device account, and assigns the account to a user
User workflow automatically includes dynamic shortcuts for that device
Below, we look at each phase in turn.
Admin sets up a device account, and assigns the account to a user
Inside the Dispel dashboard, navigate to a device and click "Add User Account".
Add the account username and password.
Select which users receive which account when they access the device.
With that mapping in place, when fred@dispel.io wants to SSH to the device zone-1.dev-1, the local "admin" account is injected automatically. When steve@dispel.io wants to SSH to the same device, Steve is instead given a session authenticated as the "user" account.
User workflow automatically includes dynamic shortcuts for that device
The user workflow does not change. Users will log in, request access, and connect to their Dispel Virtual Desktop as normal.
The Virtual Desktop now also contains a folder called "Device Shortcuts".
This folder will be automatically populated with the devices and protocols as granted by the admin.
The user can open the folder, and double click on any shortcut. The shortcut will open a pre-authenticated session of that connection type to that device.
The user now has an authenticated session on the device but never learns the password for the local device account.
Password Auto-Rotation
Password auto-rotation allows admins to sync their end-device passwords into Dispel and set a rotation period (e.g. 3 months). At each interval, Dispel automatically rotates the local password on the end device (e.g. every 3 months, rotate the admin password of the engineering workstation on site).
Dispel offers two categories of password rotation:
Standard connections, supported by HashiCorp Vault's built-in integrations
Custom connections, depending on the operating system and application
The standard connections supported by HashiCorp Vault are the following:
However, Dispel has found that our customers’ OT environments often involve server types that are not covered by HashiCorp’s built-in integrations. Thus, we additionally offer custom connections and integrations.
To build a custom integration, the following information must be identified:
Operating system
Password change mechanism
Password change frequency
Below, we walk through a few examples of custom connectors:
Linux server account password change via SSH
Windows server account password change via SSH
Custom web server account password change via API call
Linux server account password change via SSH
In this example, Vault stores the following pieces of information:
IP address reachable over SSH
Account (username and current password) with privileges to change the password
Operating system
Password change frequency
At the defined frequency, Vault connects to the server over SSH using the stored account password, generates a new password, changes the account password on the server, and updates its own record with the new password. A careful connector confirms that the new password actually works (for example by re-authenticating with it) before the old one is discarded; otherwise a change that fails half-way locks out both Vault and the users.
This process is invisible to the user. Regardless of rotation, the user simply clicks on the shortcut to the device on their virtual desktop, and is automatically dropped into an authenticated session on the target device.
Windows server account password change via SSH
In this example, Vault stores the following pieces of information:
IP address reachable over SSH
Account (username and current password) with privileges to change the password
Operating system
Password change frequency
At the defined frequency, Vault connects to the server over SSH using the stored account password, generates a new password, changes the account password on the server, and updates its own record with the new password.
Note that customers more commonly manage their Windows servers through an Active Directory bind. In that case, Vault needs a bind account with read/write privileges over the user accounts it will manage; the credentials of those Active Directory accounts are then rotated automatically on the admin-defined schedule.
In either architecture, the process remains seamless for the user. Regardless of rotation, the user simply clicks on the shortcut to the device on their virtual desktop, and is automatically dropped into an authenticated session on the target device.
Custom web server account password change via API call
In this example, Vault stores the following pieces of information:
API endpoint reachable over HTTPS
API token with privileges to manage the password
Password change frequency
At the defined frequency, Vault generates a new password, calls the defined API endpoint to set the new password on the server, and updates its own record with the new password.
As always, this process remains seamless for the user. Regardless of rotation, the user simply clicks on the shortcut to the device on their virtual desktop, and is automatically dropped into an authenticated session on the target application.
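The three custom connectors above share one shape: read the current secret, generate a new one, apply it on the target, prove it works, then overwrite the stored copy. The following is an added example of that shape, written for this page and not Dispel's or HashiCorp Vault's own code. It implements the Linux and Windows SSH cases (the web-API case plugs in as another Connector with an HTTPS call in place of the SSH session) and uses the third-party paramiko library for the real SSH transport; the host, the account, the assumption that the stored account is root or Administrator, and the offline FakeConnector used to exercise the logic are all assumptions or constructed for the example.

```python
"""Custom rotation connector for Linux and Windows accounts over SSH.
Added example, not Dispel's or HashiCorp Vault's code. rotate() generates a new
secret, applies it, proves it works and only then overwrites the stored copy, so a
failed rotation never discards the one password that still works. Host, account and
the use of paramiko as the SSH transport are assumptions."""
import secrets
import shlex
import string
from typing import Dict

SYMBOLS = "@#*-_+=?."   # '"', '%', '^', '!' left out: safe inside a cmd.exe quoted string
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 24) -> str:
    """CSPRNG password containing at least one lower, upper, digit and symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def change_command(os_name: str, account: str, new: str) -> str:
    """Command run on the target over SSH; assumes the session is root / Administrator."""
    if os_name == "linux":      # chpasswd reads 'user:password' on stdin
        return f"printf '%s:%s\\n' {shlex.quote(account)} {shlex.quote(new)} | chpasswd"
    if os_name == "windows":    # Windows OpenSSH defaults to cmd.exe; net user is built in
        return f'net user "{account}" "{new}"'
    raise ValueError(f"unsupported OS: {os_name}")


class Connector:
    """What any connector (SSH here; an API call would look the same) gives the core."""
    def change_password(self, current: str, new: str) -> None: raise NotImplementedError
    def verify(self, password: str) -> bool: raise NotImplementedError


class SshConnector(Connector):
    """Real transport via paramiko (third-party, assumed installed, imported when used)."""
    def __init__(self, host: str, account: str, os_name: str):
        self.host, self.account, self.os_name = host, account, os_name

    def _session(self, password: str):
        import paramiko
        c = paramiko.SSHClient()
        c.load_system_host_keys()
        c.set_missing_host_key_policy(paramiko.RejectPolicy())  # never auto-trust a host key
        c.connect(self.host, username=self.account, password=password,
                  look_for_keys=False, allow_agent=False, timeout=15)
        return c

    def change_password(self, current: str, new: str) -> None:
        c = self._session(current)
        try:
            _, out, err = c.exec_command(change_command(self.os_name, self.account, new))
            if out.channel.recv_exit_status() != 0:
                raise RuntimeError(err.read().decode(errors="replace"))
        finally:
            c.close()

    def verify(self, password: str) -> bool:
        try:
            self._session(password).close()
            return True
        except Exception:
            return False


class FakeConnector(Connector):
    """Offline stand-in for a target's account store, constructed for demonstration."""
    def __init__(self, password: str, reject_change: bool = False):
        self.password, self.reject_change = password, reject_change

    def change_password(self, current: str, new: str) -> None:
        if current != self.password:
            raise PermissionError("current password rejected")
        if self.reject_change:
            raise RuntimeError("target refused the new password")
        self.password = new

    def verify(self, password: str) -> bool:
        return password == self.password


def rotate(account: str, connector: Connector, vault: Dict[str, str]) -> bool:
    """True when the vault now holds a proven-good password, False when nothing
    changed; raises when the target is left in an unknown state."""
    old, new = vault[account], generate_password()
    try:
        connector.change_password(old, new)
    except Exception:
        return False                  # target untouched; the vault copy still works
    if connector.verify(new):
        vault[account] = new          # commit only after proof
        return True
    if connector.verify(old):
        return False                  # change silently did not take; keep the old copy
    raise RuntimeError(f"{account}: neither password accepted, manual check required")
```

Run it against a real host with `rotate("admin", SshConnector("zone-1.dev-1", "admin", "linux"), vault)` where `vault` is a dict standing in for the Vault record; the FakeConnector exists only so the commit-after-proof logic can be exercised without a target. The symbol set deliberately excludes characters that cmd.exe treats specially, because the Windows command is a quoted string rather than an argument vector, while the Linux path goes through shlex.quote and could tolerate any character.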