Automic Workload Automation

  • 1.  Login Unix machines via SSH Keys

    Broadcom Employee
    Posted Jul 17, 2019 10:21 AM
    Hi Team,

    Just curious to know.

    Does Automic provide passwordless authentication? Can we log in to the target machine using SSH key pairs with Automic?

    If it doesn't support keys, may I know the reason?

    So far we are using passwords in login objects and thought of using key pairs. Any ideas?

    Thanks,
    Srujan.


  • 2.  RE: Login Unix machines via SSH Keys
    Best Answer

    Posted Jul 17, 2019 11:03 AM
    Edited by Christopher Hackett Jul 23, 2019 03:59 PM
    Hi.

    The agent essentially does syscalls that are associated with the su/sudo family of commands, as far as I know. This usually requires a password (unless the agent is fully running as root, which it really shouldn't *).

    Switching users via SSH keys is ... an interesting idea. Not sure if it's really that useful, after all, using public key auth in a local setup kinda degrades keys into just very long passwords really. But I see two ways of generally achieving public key auth for account switches in the product (both would require Automic to build this though):

    - ssh to an ssh server on localhost, or ssh from the engine. If you wanted the keys centralized, like passwords in the login object today, you'd need to ssh from the engine to the agent. This could have advantages (and disadvantages, such as needing to store keys on the agent machine, too), but it would radically divert from the product Automic has now, so I don't think they'll pursue that any time soon.

    - ultimately, user authentication is performed by PAM, so using a http://pam-ssh.sourceforge.net and likely also teaching AE how to deal with it (again, that's Automic coding this functionality into a new release) could work. But then you'd need that PAM support for public key "su" on each target server, this would be limited to Linux (and some other platforms Automic doesn't support), and it also requires Automic to build it into the product, so I'll say this:

    I don't think it's very likely Automic will enable this any time soon. But if you have a demonstrable business case and/or possibly an even slicker way to implement this, file an "idea" via the ideation mechanism. That is how Automic takes in any proposals for development.

    Hth,



    (edit: *actually, it does run suid root, so not sure if it would really even need the passwords from the LOGIN objects but alas, the engine enforces them, so that's a moot point either way).

    edit (2): The AE sending jobs over SSH instead of proprietary protocols would be cool for other reasons though: It would give us a debuggable, stable and most of all open interface. I could totally get behind that idea :)

  • 3.  RE: Login Unix machines via SSH Keys

    Posted Jul 18, 2019 10:32 AM
    The Unix agent uses suid root as you said, but you can SSH, passwordless with a preshared key or with a simple id/password, by using the FTP RA agent.
    If you enable remote execution on the agent setup, you can run simple command lines on a host with ssh.

    It's not quite as robust as the Unix agent. You can run a single command line and not a whole script in the Unix job process block, you can't run events, and so on.
    The connection object lets you set the key to use for the connection. The plus side is that from one agent, you can run jobs on a number of machines without putting an agent on each remote machine. Handy for cases where there is a small number of scheduled jobs and you can't justify the cost of an agent.



  • 4.  RE: Login Unix machines via SSH Keys

    Posted Jul 18, 2019 10:46 AM
    True. But if using remote SSH and not installing an agent is the overall goal, just go with a scriptable SSH client (like openssh on Linux) and have JOBS that ssh into the target machine and do their business.

    We do have the FTP RA agent and I wouldn't be exactly recommending it, as we are trying to get away from it. For one thing, if you change cipher suites on the target machines, with an open source SSH client you'll usually be able to update the client and be done with it. With the FTP RA agent, you'll be at the mercy of both the guy who writes the underlying Java library to implement new ciphers in time, and Automic rebuilding with the new versions. While this has worked out OK in the past, I'm still rather betting on more widely used open source solutions.
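The "scriptable SSH client from a JOBS object" approach suggested above, as an added example that is not from the thread or from Automic: a POSIX sh wrapper that runs one command on a target over key-based SSH with the client options a non-interactive job should enforce. Host, user, key path and known_hosts path are placeholders supplied by the job.

```shell
#!/bin/sh
# Added example (not Automic code): wrapper a JOBS object could call to run ONE
# command on a target over key-based SSH. Host, user, key and known_hosts paths
# are placeholders for whatever the job passes in.
set -eu

# SSH client options every unattended job should enforce.
#   BatchMode=yes / PasswordAuthentication=no  never fall back to an interactive
#       password prompt; a missing or rejected key fails the job at once
#   IdentitiesOnly=yes  offer only this job's key, not every key an ssh-agent holds
#   StrictHostKeyChecking=yes + UserKnownHostsFile  refuse any host whose key is
#       not already pinned, so a redirected connection fails instead of running
#       the command (and sending its arguments) on the wrong machine
#   ConnectTimeout=10  an unreachable host fails the job instead of hanging it
# $1 = private key path, $2 = known_hosts file with the target's pinned host key
ssh_opts() {
  printf '%s' \
    "-o BatchMode=yes" \
    " -o PasswordAuthentication=no" \
    " -o IdentitiesOnly=yes" \
    " -o StrictHostKeyChecking=yes" \
    " -o UserKnownHostsFile=$2" \
    " -o ConnectTimeout=10" \
    " -i $1"
}

# Run one command on the target. With DRY_RUN=1 it only prints the invocation
# (useful for reviewing what a job will actually execute); otherwise it runs
# ssh and the job's return code is the remote command's exit status.
run_remote() {
  host="$1"; user="$2"; key="$3"; known_hosts="$4"; cmd="$5"
  opts=$(ssh_opts "$key" "$known_hosts")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'ssh %s %s@%s %s\n' "$opts" "$user" "$host" "$cmd"
    return 0
  fi
  # shellcheck disable=SC2086 -- $opts is meant to be word-split into separate args
  ssh $opts "$user@$host" "$cmd"
}

# Example job call (constructed placeholders, uncomment inside the JOBS object):
# run_remote target.example.invalid autojob /home/automic/.ssh/job_key \
#   /home/automic/.ssh/known_hosts 'uptime'
```

The private key should belong to the agent's OS user with mode 0600, and the matching authorized_keys entry on the target can be limited to the one command the job needs.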