
Host-Credential Settings

Host-credential settings allow you to store credentials that are commonly used for adding hosts, which eliminates the need to enter those credentials each time you add hosts. Host-credential settings also allow you to specify how Key Manager adds hosts that use privilege-elevation software (such as Powerbroker or Privilege Manager for Unix).

note

Global deployment credentials allow all Key Manager administrators with deployment permission to add hosts using these credentials. Also, setting privilege-elevation credentials for hosts that do not use privilege elevation makes it impossible for Key Manager to manage such hosts. For better control over the scope of host-credential settings, consider setting them for host groups instead.

note

For increased security, both the Key Manager GUI and the command-line client only display the label of currently-configured credentials. Other fields such as Username and Password are hidden after the credentials are configured. If you want to reveal information related to hidden fields, you can include this information in the label.

Deployment Credentials

Commonly-used deployment credentials can be stored in Key Manager for future use. Deployment credentials can store credentials for password authentication and public-key authentication. Deployment credentials are used when you add agentless hosts using the Use existing deployment credentials authentication method.

To configure deployment credentials, provide the following information:

  • Label (optional): A free-text label for identifying these credentials. If the label is not specified when saving credentials, Key Manager assigns an automatically-generated label for the credentials. Spaces are not allowed in labels.

  • Username: The user name of the management account that is used for adding hosts.

  • Authentication type: Select the authentication method used for adding hosts. The possible choices are Password and Private key with passphrase. The information required for configuring deployment credentials varies depending on the chosen authentication method.

  • Password: The password of the management account that is used for adding hosts. Required only when the Authentication type is set to Password.

  • Private key: A private key that is authorized for the management account. Required only when the Authentication type is set to Private key with passphrase. Note that only OpenSSH-format passphrase-protected private keys are supported.

    In the Key Manager GUI, you can add the private key by copying the contents of the private-key file to the Private key field. Alternatively, you can click Upload to upload the private-key file from your

    In the Key Manager command-line client, the private key is provided by passing the path of the private-key file in private_key_file. For example, when specifying deployment credentials:

    $ ssh-mgr-client set-credentials -d usage=deploy,username=alice,\
    privatekeyfile=/path/of/privatekeyfile,passphrase=example_passphrase,\
    hostgroup=dev_hosts

  • Passphrase: The passphrase of the private key. Required only when the Authentication type is set to Private key with passphrase.

For more information about host deployment, see Adding Agentless Hosts.
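Because only OpenSSH-format, passphrase-protected private keys are accepted as deployment credentials, it is useful to check a key file before storing it rather than discovering the problem when a deployment job fails. The following is an added example, not part of this documentation or of Key Manager: it reads the OpenSSH private-key container header (the `openssh-key-v1` magic followed by the cipher and KDF names) to tell a passphrase-protected key from an unprotected one, and recognises legacy PEM keys as unsupported. The sample keys are constructed header-only blobs that carry no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' field: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH 'string' field at offset; return (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def inspect_private_key(text: str) -> dict:
    """Classify a private-key file without needing its passphrase.

    For OpenSSH-format keys the container header is parsed: an unprotected key
    has ciphername 'none' and kdfname 'none'; a passphrase-protected key names
    a cipher (for example aes256-ctr) and the bcrypt KDF. Legacy PEM keys are
    reported as format 'pem', anything else as 'unknown'.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    empty = {"format": "unknown", "cipher": None, "kdf": None, "passphrase_protected": None}
    if not lines or lines[0] != OPENSSH_BEGIN or lines[-1] != OPENSSH_END:
        if lines and lines[0].startswith("-----BEGIN"):
            return dict(empty, format="pem")
        return empty
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        return empty
    cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _read_ssh_string(blob, off)
    cipher_s, kdf_s = cipher.decode(), kdf.decode()
    return {"format": "openssh", "cipher": cipher_s, "kdf": kdf_s,
            "passphrase_protected": cipher_s != "none"}


def is_supported_deployment_key(text: str) -> bool:
    """True only for the key type the documentation says is supported:
    OpenSSH format and passphrase-protected."""
    info = inspect_private_key(text)
    return info["format"] == "openssh" and info["passphrase_protected"] is True


def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build a header-only OpenSSH container for the demo (constructed sample:
    it contains no real key material and cannot be used to authenticate)."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"")            # kdfoptions: empty in this sample
            + struct.pack(">I", 1)        # number of keys
            + _ssh_string(b"\x00" * 16))  # placeholder for the public-key section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


# Constructed samples used by the checks below.
SAMPLE_PROTECTED = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_UNPROTECTED = _constructed_openssh_key(b"none", b"none")
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nTUlJRXBB...\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, key in [("protected", SAMPLE_PROTECTED),
                      ("unprotected", SAMPLE_UNPROTECTED),
                      ("pem", SAMPLE_PEM)]:
        print(name, inspect_private_key(key), "supported:", is_supported_deployment_key(key))
```

The check never touches the encrypted payload, so it can run on an administrator's workstation before the key is pasted into the Private key field or passed to the command-line client.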

Privilege-Elevation Settings

Privilege-elevation settings are used for instructing Key Manager about how to gain the required root privileges on hosts that use privilege-elevation software (such as Powerbroker or Privilege Manager for Unix). These settings must be configured for hosts where a non-privileged management account is given root privileges using privilege-elevation software.

caution

Always ensure that privilege-elevation settings are only configured for the hosts that use privilege elevation. If privilege-elevation settings are configured for hosts that do not use privilege-elevation software, all management jobs on such hosts will automatically fail. Configuring privilege-elevation settings globally is not recommended for this reason.

We recommend using host groups for configuring privilege-elevation settings for the right hosts:

  1. Configure privilege-elevation settings for the host group.

  2. Add all the hosts that use the same privilege-elevation settings to a host group.

Hosts that use different privilege-elevation settings must be placed in separate host groups.

note

Privilege-elevation settings must be left blank for hosts that use sudo for privilege elevation.

For more information about sudo settings, see sudo Setup for Unprivileged Management Accounts.

To configure privilege-elevation settings, provide the following information:

  • Label (optional): A free-text label for identifying this setting. A label is generated automatically if it is left unspecified. Note that any values entered in the Username and Password fields are hidden after the settings are applied. If you want to retain any of this information, it can be added to the label.

  • Username: The name of the account that is being elevated to, such as root.

  • Password: Password used for privilege elevation.

  • Elevate command: The command used for gaining root-shell access on the host, such as /opt/quest/bin/pmrun /bin/sh.

  • Host interaction elevate command: The command used by the host-interaction module to execute the host script. The string {command} in this setting is replaced with the command that runs the host script, for example su -c {command}.

    If the string {command} is not present, a fallback to the previous behavior occurs: the script execution command is appended to the end of the elevation command as multiple space-delimited parameters.

  • Password prompt (optional): A string matching the end of the privilege-elevation password prompt. Leave this field empty if no password is required for privilege elevation.

    For example, if the privilege-elevation command prompts for the privilege-elevation password with a message like the following:

    ********************************************************************
    ** Quest Privilege Manager for Unix Version 6.0.0 (027) **
    ********************************************************************
    ** You are required to authenticate as the user:"management_user"
    before running this command
    Password:

    You can specify the password prompt as: Password:

  • Expected response (optional): A string matching the beginning of the message that is displayed by the privilege-elevation command after successful privilege elevation. Leave this field empty if no password is required for privilege elevation.

You should not include the shell prompt in the Expected response. If the elevate command produces no output other than the shell prompt, leave this field empty.

For example, if the privilege-elevation command outputs the following message after successful privilege elevation:

Request granted for user "management_user"

You can specify the expected response as: Request granted
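To see how the Host interaction elevate command, Password prompt and Expected response settings work together, here is an added example that models them in Python. It is not Key Manager's code: the matching rules (password prompt matched against the end of the output, expected response against the beginning, literal {command} substitution with the append fallback) follow the descriptions above, while the surrounding session logic, the hypothetical script path /tmp/km-hostscript.sh and the sample sessions are constructed for the example. The second session shows the failure mode from the caution above, a host without privilege-elevation software.

```python
def build_host_interaction_command(elevate_command: str, script_command: str) -> str:
    """Apply the 'Host interaction elevate command' setting to the command that
    runs the host script. {command} is substituted where present; otherwise the
    script command is appended as space-delimited parameters (the fallback)."""
    if "{command}" in elevate_command:
        return elevate_command.replace("{command}", script_command)
    return f"{elevate_command} {script_command}"


def run_elevation(output_chunks, password_prompt: str, expected_response: str):
    """Walk a captured session and decide whether elevation succeeded.

    Returns (status, actions): status is 'elevated' or 'failed', actions is the
    ordered list of decisions the model made. output_chunks is what the host
    sent back, chunk by chunk; nothing is executed here. The handling of an
    empty Expected response is this model's assumption.
    """
    actions = []
    password_sent = False
    for chunk in output_chunks:
        # Password prompt: matched against the END of the output received so far.
        if password_prompt and not password_sent and chunk.rstrip().endswith(password_prompt):
            actions.append("send_password")  # prompt seen: the password would be sent here
            password_sent = True
            continue
        # Expected response: matched against the BEGINNING of the message.
        if expected_response and chunk.lstrip().startswith(expected_response):
            actions.append("elevated")
            return "elevated", actions
    if not expected_response and (not password_prompt or password_sent):
        # Empty expected response: nothing to wait for once any configured
        # prompt has been answered (the elevate command printed only a shell prompt).
        actions.append("elevated")
        return "elevated", actions
    actions.append("no_match")  # neither string appeared: the management job fails
    return "failed", actions


# Constructed sample sessions (not captured from a real host). The first
# reproduces the Privilege Manager for Unix banner shown above.
PMRUN_SESSION = [
    "********************************************************************\n"
    "** Quest Privilege Manager for Unix Version 6.0.0 (027) **\n"
    "********************************************************************\n"
    "** You are required to authenticate as the user:\"management_user\"\n"
    "before running this command\n"
    "Password:",
    "\nRequest granted for user \"management_user\"\n",
    "# ",
]
# A host with no privilege-elevation software: the elevate command cannot run,
# so neither the password prompt nor the expected response ever appears.
NO_ELEVATION_SESSION = [
    "sh: /opt/quest/bin/pmrun: not found\n",
    "$ ",
]

if __name__ == "__main__":
    print(build_host_interaction_command("su -c {command}", "/tmp/km-hostscript.sh"))
    print(build_host_interaction_command("/opt/quest/bin/pmrun /bin/sh", "/tmp/km-hostscript.sh"))
    print(run_elevation(PMRUN_SESSION, "Password:", "Request granted"))
    print(run_elevation(NO_ELEVATION_SESSION, "Password:", "Request granted"))
```

Running the model over the second session with the same settings yields a failure with no password ever sent, which is exactly why the caution recommends scoping these settings to a host group containing only hosts that use privilege elevation.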