KBEC-00368 - Passwordless credentials

Summary

This document describes how to configure impersonation using passwordless credentials to allow an agent user (for example, ecbuild) on Ubuntu to su to another user without a password.

Solution

The following procedures show how to configure passwordless credentials. In this example, the ElectricFlow agent runs under a user named ecbuild, and the procedures allow this user to run su - testuser without a password.

Configuring the Agent Machine

Perform the following steps on each agent machine:

  1. (Optional) If you do not want to use an existing group, create a group by entering

      sudo addgroup <groupname>

  2. (Optional) If you do not want to use an existing user, create a user by entering

      sudo adduser <username>

  3. Make the <username> password empty by entering

      sudo passwd -d <username>

      For details, see “Can I set my user account to have no password?”

  4. Allow the ecbuild user to su - <username> by adding the following two lines to
      the /etc/pam.d/su file just below the pam_rootok.so line:

   auth       [success=ignore default=1] pam_succeed_if.so user = testuser

   auth       sufficient   pam_succeed_if.so use_uid user = ecbuild

     The first line ensures that the target user is testuser. If it is, the next line takes 
     control and authorizes the su if the calling user is ecbuild.

     You can also restrict su to a group. In the following example, the group
     allowedpeople can su without a password:

     auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople

     For details, see “Allow user1 to “su - user2” without password.”

Now you can run a procedure with credentials other than the ecbuild user without
specifying a password for this user.
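
A check for step 4, added here as an example (it is not part of the original article or the product): the function reads a PAM su file and confirms that the grant line for the calling user sits directly under its guard line and that both follow pam_rootok.so. Without the guard immediately above it, the sufficient line would authorize ecbuild to su to any user. The function name check_su_pam and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the passwordless-su rules in a PAM su file.
# Usage: check_su_pam FILE TARGET CALLER
# Returns 0 only if CALLER is limited to TARGET; 1, 2 or 3 otherwise.
check_su_pam() {
    awk -v target="$2" -v caller="$3" '
        # Keep only active auth rules, with whitespace normalised.
        /^[ \t]*#/ || $1 != "auth" { next }
        { $1 = $1; rule[++n] = $0 }
        END {
            guard = "auth [success=ignore default=1] pam_succeed_if.so user = " target
            grant = "auth sufficient pam_succeed_if.so use_uid user = " caller
            for (i = 1; i <= n; i++) {
                if (rule[i] ~ /pam_rootok\.so/) rootok = i
                if (rule[i] == guard) g = i
                if (rule[i] == grant) s = i
            }
            if (!s) { print "FAIL: grant line for " caller " not found"; exit 1 }
            # The guard skips exactly one rule, so it must be the rule above.
            if (!g || g != s - 1) {
                print "FAIL: grant not guarded; " caller " could su to any user"
                exit 2
            }
            if (!rootok || g != rootok + 1) {
                print "FAIL: rules are not directly below pam_rootok.so"
                exit 3
            }
            print "OK: " caller " may su to " target " only"
            exit 0
        }' "$1"
}

# Constructed sample: the auth section as step 4 describes it.
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = testuser
auth       sufficient   pam_succeed_if.so use_uid user = ecbuild
@include common-auth
EOF
check_su_pam "$demo" testuser ecbuild
rm -f "$demo"
```

On an agent machine, run it as check_su_pam /etc/pam.d/su testuser ecbuild after editing the file.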

Adding a New Credential to a Project

  1. Open a project in the Automation Platform and click the Credentials tab. 

      For example:

      [Screenshot: CredentialsTab.png]

  2. On the right side of the tab, click the Create Credential button.

      The New Credential dialog box appears:

      [Screenshot: NewCredentialDialogBox.png]

   3. Fill in the fields. For example:

      [Screenshot: NewCredentialDialogBoxFilledIn.png]

       Note that you do not need to enter a password in this dialog box. The
       credential name (the Name field) can be different than the user name. 

   4. Click OK.

Adding a New Credential to a Procedure

For every procedure that you want to run with the new credential:

  1. Click the Use specific credential radio button.

  2. Specify the Credential Name that you specified in the Name field above.

  3. Click OK.

Running the Procedure to Test the Configuration

  1. Click the Run button on the procedure to execute the procedure.

  2. Check the Job Step Details > General tab for the job step that you just ran to
      ensure that the job was executed with the specified credential. 

      For example:

      [Screenshot: JobStepDetailsSpecifiedCredential.png]
