How to configure ssh credential checkout

  • 7023951
  • 18-Jun-2019
  • 19-Jun-2019

Environment

Privileged Account Manager

Situation

How to set up and configure application credential checkout for SSH credentials
How to enable SSH password checkout

Resolution

At the time of writing, SSH credential checkout can be configured in PAM in the same way as other application credential checkouts:

  1. Download the following supplemental resource for enabling this use case:
    ssh-credential-checkout
    Note: Two files from this resource are referenced in the steps below: the changepasswd binary and the SSH-Check-In-Perl-Script.
    Alternatively, the sample script in the Additional Information section can be adapted instead.


  2. Credential Vault - Application Vault:
    • Identify the account that will be used as the Reconcile Account. This account must have sufficient rights on the target server to change the passwords of the accounts in the credential checkout pool (for example, via sudo).
      Note: It is recommended to also keep one local administrative account on the target that is not managed by PAM, so that a failed or interrupted password change cannot lock you out of the server.

    • Create a new Resource:
      • Name: Server name or string to uniquely identify the resource.
      • Application Type: A unique string such as 'SSH' that Command Control uses to distinguish this kind of credential checkout request. A command named after this type is created automatically in Command Control.
      • Connection Details: Provide the target server connection details.
        Note: The default SSH port is 22. Leave SSL disabled, since the SSH protocol is already encrypted.
      • Password Change: By Script. Paste the contents of the SSH-Check-In-Perl-Script downloaded in Step 1.
      • Reconcile Account: Select the identified account from above.
    • Create additional credentials for this Resource that will be used as the pool of credentials available for checkout.

  3. Create Command Control Rule:
    • Add Rule:
      • Authorize: Yes.
        Note: It is recommended to also set "Stop if authorized", so that no further rules in the cmdctrl hierarchy are processed once this rule matches.
      • Credentials: Run User@Run Host
      • Run User: *
      • Run Host: <Resource Name from Application Credential Vault>
    • Apply the appropriate Command to the Rule Conditions.
      Note: This is the command that was created automatically in Step 2, named "APP <Application Type>" (e.g. "APP SSH").

  4. Place the changepasswd binary downloaded in Step 1 in the /opt/netiq/npum/bin directory on the PAM Manager.
    Note: This binary is called by the SSH-Check-In-Perl-Script configured on the Credential Vault Resource in Step 2; the password change fails if it is missing.
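The following is an added example of what a check-in script of the kind configured in Step 2 has to do: connect to the target as the Reconcile Account and set a new password for the pooled account. It is not the SSH-Check-In-Perl-Script from the downloaded resource, and it does not use the changepasswd binary; it rotates the password with chpasswd over ssh instead. The way parameters are handed to the script (the PAM_* environment variables and the new password on stdin), the sudoers entry and the host and account names are all assumptions for illustration, not taken from this article; consult the PAM documentation for the real script interface.

```python
#!/usr/bin/env python3
"""Hypothetical SSH credential check-in script (added example, not PAM's).

Assumed interface (NOT from the article): PAM sets PAM_TARGET_HOST,
PAM_TARGET_PORT, PAM_RECONCILE_USER and PAM_ACCOUNT in the environment
and writes the new password to stdin.

Points a check-in script should get right:
  * connect as the reconcile account with key-based auth in BatchMode,
    so a missing key fails immediately instead of hanging on a prompt;
  * hand the new secret to chpasswd on stdin, never in argv, so it does
    not show up in `ps` or shell history on either host;
  * reject account names and passwords that could inject a second
    "user:password" line into chpasswd's input;
  * exit non-zero on any failure so PAM can flag the credential.
"""
import os
import subprocess
import sys
from typing import List

# Assumed sudoers entry on the target (not from the article):
#   reconcile ALL=(root) NOPASSWD: /usr/sbin/chpasswd
CHPASSWD = "sudo -n /usr/sbin/chpasswd"


def chpasswd_payload(account: str, new_password: str) -> bytes:
    """Build the single 'account:password' line chpasswd reads from stdin.

    chpasswd handles one account per line and splits on the first colon, so
    a newline in the password, or a colon/newline in the account name, would
    let one check-in rewrite a different account's password.
    """
    if not account or any(c in account for c in ":\n\r\0"):
        raise ValueError("invalid account name")
    if not new_password or any(c in new_password for c in "\n\r\0"):
        raise ValueError("new password contains a line terminator")
    return f"{account}:{new_password}\n".encode()


def build_ssh_command(host: str, reconcile_user: str, port: int = 22) -> List[str]:
    """ssh invocation as the reconcile account; the secret is not in argv."""
    return [
        "ssh",
        "-p", str(port),
        "-o", "BatchMode=yes",              # never prompt; fail instead
        "-o", "StrictHostKeyChecking=yes",  # no first-use trust of unknown hosts
        "-o", "ConnectTimeout=15",
        f"{reconcile_user}@{host}",
        CHPASSWD,
    ]


def change_password(host: str, reconcile_user: str, account: str,
                    new_password: str, port: int = 22,
                    runner=subprocess.run) -> bool:
    """Rotate `account`'s password on `host`; True on success."""
    payload = chpasswd_payload(account, new_password)
    cmd = build_ssh_command(host, reconcile_user, port)
    result = runner(cmd, input=payload, capture_output=True, timeout=60)
    if result.returncode != 0:
        # stderr carries the reason (sudo denied, host key mismatch, ...)
        # but never the password, so it is safe to pass on to PAM's log.
        sys.stderr.write(result.stderr.decode(errors="replace"))
        return False
    return True


def main() -> int:
    try:
        host = os.environ["PAM_TARGET_HOST"]
        reconcile_user = os.environ["PAM_RECONCILE_USER"]
        account = os.environ["PAM_ACCOUNT"]
        port = int(os.environ.get("PAM_TARGET_PORT", "22"))
    except KeyError as missing:
        sys.stderr.write(f"missing parameter {missing}\n")
        return 2
    new_password = sys.stdin.readline().rstrip("\r\n")
    return 0 if change_password(host, reconcile_user, account,
                                new_password, port) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The `runner` parameter exists so the ssh call can be replaced with a stub when testing the script on the PAM Manager without a target; in production it is left at `subprocess.run`. Whatever mechanism is used, keep the Reconcile Account's privilege limited to the password-change command itself, as in the assumed sudoers line, rather than granting it a full root shell.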

Additional Information

Another sample Perl script that can be adapted as needed to perform the SSH check-in is given below: