Hi.
The agent essentially does syscalls that are associated with the su/sudo family of commands, as far as I know. This usually requires a password (unless the agent is fully running as root, which it really shouldn't *).
Switching users via SSH keys is ... an interesting idea. Not sure if it's really that useful, after all, using public key auth in a local setup kinda degrades keys into just very long passwords really. But I see two ways of generally achieving public key auth for account switches in the product (both would require Automic to build this though):
- ssh to an ssh server on localhost, or ssh from the engine. If you wanted the keys centralized, like passwords in the login object today, you'd need to ssh from the engine to the agent. This could have advantages (and disadvantages, such as needing to store keys on the agent machine, too), but it would radically divert from the product Automic has now, so I don't think they'll pursue that any time soon.
- ultimately, user authentication is performed by PAM, so using a http://pam-ssh.sourceforge.net and likely also teaching AE how to deal with it (again, that's Automic coding this functionality into a new release) could work. But then you'd need that PAM support for public key "su" on each target server, this would be limited to Linux (and some other platforms Automic doesn't support), and it also requires Automic to build it into the product, so I'll say this:
I don't think it's very likely Automic will enable this any time soon. But if you have a demonstrable business case and/or possibly an even slicker way to implement this, file an "idea" via the ideation mechanism. That is how Automic takes in any proposals for development.
Hth,
(edit: *actually, it does run suid root, so not sure if it would really even need the passwords from the LOGIN objects but alas, the engine enforces them, so that's a moot point either way).
edit (2): The AE sending jobs over SSH instead of proprietary protocols would be cool for other reasons though: It would give us a debuggable, stable and most of all open interface. I could totally get behind that idea :)
Original Message:
Sent: 07-17-2019 10:21 AM
From: Venkata Srujan Kumar Pathuri
Subject: Login Unix machines via SSH Keys
Hi Team,
Just curious to know.
Does Automic provide passwordless authentication? Can we log in to the target machine using SSH key pairs using Automic?
If it doesn't support keys, may I know the reason?
So far we are using passwords in login objects and thought of using key pairs. Any ideas?
Thanks,
Srujan.