IT Process Automation

  • 1.  Same SSH Credentials in Host Group for all users ?

    Posted Feb 14, 2017 08:56 AM

    Hi,

     

    We want to connect on servers with a trust relationship from a proxy touchpoint host to target remote hosts.

     

    We have generated a key pair with the ssh-keygen program, using the command

    ssh-keygen -t rsa

     

    The private key that has been generated is in /root/.ssh/id_rsa

    The public key that has been generated is in /root/.ssh/id_rsa.pub

     

    We'd like to use this unique key pair for many users.

     

    Can we configure the host group to use this unique file instead of looking for a file named after each user?

     

    For the moment, in the SSH Keys Path field in the properties for the host group, we have put

    "/root/.ssh"

    but it doesn't work unless we make a copy of id_rsa for each user.

     

    For example, if we want to connect to server X from host group Y with user "nagios" and with user "tomcat", we must copy /root/.ssh/id_rsa to the files /root/.ssh/nagios and /root/.ssh/tomcat on the Y server.

    (and we add id_rsa.pub to authorized_keys in the nagios home and in the tomcat home on server X)

     

    Is there a simpler solution?

     



  • 2.  Re:  Same SSH Credentials in Host Group for all users ?
    Best Answer

    Broadcom Employee
    Posted Feb 14, 2017 11:36 AM

    I am not aware of a simpler solution and do not believe there is one within the context of the SSH operators.

     

    The documentation indicates that what you are seeing is the expected behavior:

     

    Product-Specific Requirements for SSH Connectivity

    CA Process Automation attempts an SSH connection from the agent host to the remote host specified in the request. The first access attempt is made with the configured credentials of the user account. If this attempt fails, a second attempt is made using key-based authentication. To use SSH public key authentication with CA Process Automation, the name of the private key file must match the name on the user account. If a passphrase is specified when creating the keys, the passphrase must match the password on the user account. Thus, the following two fields serve double duty.

     

     

    So you have to use a key that corresponds to the user in question and cannot create a 'generic' key that will work for all users.  



  • 3.  Re:  Same SSH Credentials in Host Group for all users ?

    Posted Feb 17, 2017 08:38 AM

    Hi WG,

     

    I had a similar use case where I was automating the patching of Linux servers and we wanted to connect to specific groups of servers with specific IDs.

     

    Our solution was to create a custom operator that wrapped around the RunScript operator which would SSH to the remote server from a "management touchpoint" and run the inline script.

    That way we could have multiple key files on a single host, and choose which one we wanted to use at runtime.

     

    I have attached a copy of the Custom Operator below, as well as the code block we used in the operator.

     

    Thanks,

    Ian

     

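    #!/bin/bash
    #
    # $1 Remote Server
    # $2 Remote User
    # $3 SSH KeyPath
    # $4 Remote Command
    #
    # Runs the command on the remote server with the given key file
    # (password authentication is disabled). StrictHostKeyChecking=no means
    # unknown host keys are accepted without verification. Output is
    # written to the StdOut and StdErr files under ${C2OSVD}.

    ssh -i "${3}" -o ConnectionAttempts=5 -o ConnectTimeout=20 \
        -o ServerAliveCountMax=3 -o ServerAliveInterval=10 \
        -o TCPKeepAlive=yes -o StrictHostKeyChecking=no \
        -o PasswordAuthentication=no -n -q \
        "${2}@${1}" "$4" 1>"${C2OSVD}/StdOut" 2>"${C2OSVD}/StdErr"
    exit $?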

    Attachment(s)

    zip
    RunRemoteProgramSSH.zip   17 KB 1 version
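
A hardened variant of the wrapper approach from reply 3, as an added example that is not the poster's operator or product code: it checks the host, user and key arguments before calling ssh and verifies the host key against a pinned known_hosts file. The `KNOWN_HOSTS` path and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the operator from the thread.
# Usage: script <remote server> <remote user> <ssh key path> <remote command>

# Assumption: an administrator maintains this file with the target hosts' keys.
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/ssh/touchpoint_known_hosts}"  # hypothetical path

# Accept only plain host/user names, so a value can never be parsed by ssh
# as an option (leading "-"). IPv6 literals are rejected by this pattern.
valid_target() {
    case "$1" in
        ""|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# The key must be a regular file (not a symlink) accessible by its owner only.
valid_key() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

run_remote() {
    rr_host=$1 rr_user=$2 rr_key=$3 rr_cmd=$4
    valid_target "$rr_host" || { echo "rejected host: $rr_host" >&2; return 64; }
    valid_target "$rr_user" || { echo "rejected user: $rr_user" >&2; return 64; }
    valid_key "$rr_key"     || { echo "rejected key file: $rr_key" >&2; return 65; }
    # IdentitiesOnly: do not offer other keys held by an ssh-agent.
    # StrictHostKeyChecking=yes with a pinned file: refuse hosts whose key
    # is unknown or has changed.
    ssh -i "$rr_key" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o ConnectionAttempts=5 -o ConnectTimeout=20 -n -q \
        -- "${rr_user}@${rr_host}" "$rr_cmd"
}

if [ "$#" -eq 4 ]; then
    run_remote "$@"
    exit $?
fi
```

Output goes to the caller's stdout and stderr here; inside the operator it can be redirected to the `${C2OSVD}` files as in the original script.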