This document describes how to configure impersonation using passwordless credentials to allow an agent user (for example,
ecbuild) on Ubuntu to
su to another user without a password.
The following procedures show how to configure passwordless credentials. In this example, the ElectricFlow agent runs under a user named
ecbuild, and the following procedures show how to allow this user to
su - testuser without a password.
Configuring the Agent Machine
Perform the following steps on each agent machine:
1. (Optional) If you do not want to use an existing group, create a group by entering
sudo addgroup <groupname>
2. (Optional) If you do not want to use an existing user, create a user by entering
sudo adduser <username>
3. Make the
<username> password empty by entering
sudo passwd -d <username>
For details, see “Can I set my user account to have no password?”
4. Allow the
ecbuild user to
su - <username> by adding the following two lines to
/etc/pam.d/su file just below the
auth [success=ignore default=1] pam_succeed_if.so user = testuser
auth sufficient pam_succeed_if.so use_uid user = ecbuild
The first line ensures that the target user is
testuser. If it is, the next line takes
control and authorizes the
su if the calling user is
You can also restrict
su to a group. In the following example, the group
su without a password:
auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
For details, see “Allow user1 to “su - user2” without password.”
Now you can run a procedure with credentials other than the
ecbuild user without
specifying a password for this user.
Adding a New Credential to a Project
1. Open a project in the Automation Platform and click the Credentials tab.
2. On the right side of the tab, click the Create Credential button.
The New Credential dialog box appears:
3. Fill in the fields. For example:
Note that you do not need to enter a password in this dialog box. The
credential name (the Name field) can be different than the user name.
4. Click OK.
Adding a New Credential to a Procedure
For every procedure that you want to run with the new credential:
1. Click the Use specific credential radio button.
2. Specify the Credential Name that you specified in the Name field above.
3. Click OK.
Running the Procedure to Test the Configuration
1. Click the Run button on the procedure to execute the procedure.
2. Check the Job Step Details >General tab for the job step that you just ran to
ensure that the job was executed with the specified credential.