The client environment has several restrictions:
1) Disabled SSH interactive login for "deployment" ID. That causes the OOTB feature (set credential) and action (SSH actions) to not work.
2) Sudo not allowed
3) Key exchange not allowed, thus the user must enter a password (password auto-resets every hour) before each deployment starts.
4) Agent cannot be run as "deployment ID" for security purposes. It has to be "su" from an allowed credential.
Without RA, the user needs to:
1) Log in to their "2F-authentication" ID (similar to CA PMFKEY). This is an allowed credential to "su" into the deployment ID.
2) After logging in, perform "su - <deployment ID>"
3) Key in the password (retrieved from PasswordVault, i.e. CyberArk)
The "SU" command doesn't support a password as an input parameter. It's now a challenge to even start performing the deployment. Tried "echo <password> | su - deployID" but in vain.
Why not set up sudo?
Hi Steve. Unfortunately, client's security policy doesn't allow sudo to be executed by any functional ID.
Note: It's a bank client, with a rather stringent policy.
Do they have AutoSys?
Hi Steve. Nope. They don't - unfortunately.
Well, this will be special, because I would have said have the scheduler do it for you.
Did you try to use the "expect" utility?
My caveat in trying to do this: how are you storing the password?
And how will you pass it to expect, etc.?
Hi Jacky. The client doesn't have "expect" installed on their servers.
It sounds to me the client doesn't want the machines to do much.
Time to have the SAs and infosec figure this quandary out. They have done a stellar job bricking the environment.