- Allow creating an SSH domain for checking in and checking out credentials, configured using SSH keys instead of a root proxy user.

Comments

  • I suspect this is already supported via Enabling Key Checkout for Shared Keys with the type as SSH Key Check Out. SSH Keys can be entered into Shared Key Domains and made available for checkout and checkin. Please refer to https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/b1lbl4wy.html.

    Is the proposed idea different from what is currently available?

  • Hi Tyler, no it is not. What I mean is: when configuring an application to be used for SSH check-in and check-out for Linux and Unix systems, instead of using user: root and passwd: <whatever>, use an SSH key to authenticate to the server, so if at any point someone changes the root password directly on the system you don't have to type it again in the credentials of the credential vault.

  • Excellent and must-have idea.

  • Ah ok, I understand. The Application credential doesn't allow for an SSH key like with SSH Account Domains. This might be tricky, as it would only be useful for applications configured for SSH password reset, determined only by the custom script contents. I believe the need is understood now, though, for the Product team to consider.

    I would suggest creating a new proxy user with administrative privileges to change passwords on the server and configure usage of this reserved account with PAM. Perhaps this way, it may be a bit more unlikely for the password to be changed and need updating.

  • Currently for ssh-relay, we create an account domain and provide the root credentials; instead, use an SSH key to authenticate to the server.

  • I get this I think - If I say it back this way, we'll know real fast if I got it, "Need the ability to substitute a Shared Key (SSH) as a credential instead of a UserID and Password". The "instead of" should not be read as "Remove user id and password and replace with SSH key" rather it should be an ANDing / ORing option. i.e. "When I setup the policy for the credential instead of ONLY providing the ability to share a userid and password, I should have the option to select an SSH Key as the credential". Do I have this right? If so - I can see the value in this, but at the moment cannot say that we've given any thought on where to introduce it into the product at this time.

  • Yes Michael, your appreciation of my idea is right. The point of this feature is to make it easier to implement check-in/check-out for Linux; it will avoid the need to "manage" your proxy account for each server you integrate. Just imagine that someone by error switches the password for root or your proxy account in the operating system: you won't be able to check in or check out credentials. Now multiply this scenario by 2000 servers.