SSH script automation provider
Use a script automation provider to connect to your back-end system (targets). The SSH Provider is agentless and connects directly to the target machine. It authenticates by using public key-based authentication in SSH.
- bash – A shell that is used to wrap and run the specified commands or script.
- mktemp – A utility that is used to create a temporary file, which is required for the script execution with this automation provider to work.
- openssl – A utility that is used on the target system to decrypt the transferred commands or script.
Defining which RBA user is allowed to run an automation
- By the root user.
- By specific users on this target. For example, by putting the key in the authorized_keys file of the home directory of these specific users.
Depending on the public key used, any RBA user or only members of specific RBA groups are able to access the target system. See step 5 in the following procedure for more information about creating public keys for specific groups.
Defining which UNIX or Windows user is used to run an automation
By default, scripts are run on the target machine by using the root username. It is possible to run the script with a different UNIX or Windows user. The username can either be fixed or depend on the RBA user that is logged in. For more information, see Creating Script automations.
Defining an SSH jump server
Configuring an SSH script automation provider
About this task
You can configure a connection on the Connections page. Click Configure on the Script tile to open the configuration window and follow the on-screen instructions.
Procedure
- In the main navigation menu, select Administration and click Integration with other systems.
- Click Automation type.
- Click Configure on the Script tile.
- If you are using a jump server, you must configure it.
Depending on your environment, you might require a jump server to access your target endpoints. A jump server is an SSH endpoint that is used to connect to the nested SSH endpoints. This is a common approach that is used to communicate between different network zones. To use a jump server with RBA, it must have an SSH server running and the nc command must be available. The nc command is used to connect to nested SSH target endpoints.
Click Use a jump server and specify the following jump server properties:
- Jump server address
- The hostname or IP address of the jump server.
- Jump server port
- The SSH port of the jump server.
- Jump server username
- The username for authentication on the jump server.
- Jump server authentication type
- The type of authentication used for the jump server. You can select between password authentication or SSH key authentication. When SSH key authentication is selected, the jump server connection uses the SSH keys configured in the following steps (in the Manage SSH keys tab) during its authentication.
- Jump server password
- The password for authentication on the jump server. Only available if you selected password authentication for the previous field.
- On your target machine, register the default public key to enable access to the target endpoints via SSH for all users.
- Configuring SSH public key authentication for the UNIX root user
- The displayed public key must be added to all target machines that you plan to run scripts on via the SSH Provider. This key enables any RBA user to run script automations on the given target endpoint. The key must be added to the authorized_keys file, which is usually found at /root/.ssh/authorized_keys.
- Configuring SSH public key authentication for a specific UNIX user
- If you want to enforce that only a specific UNIX user can run the script on this target endpoint, you should copy the key to the authorized_keys file in the home directory of the specific user, for example /home/john/.ssh/authorized_keys.
You can regenerate the public key by clicking the refresh button of the public key.
Note: Regenerating the public key deletes the old key pair. If you choose to regenerate the key pair, you must exchange the public key in each target machine that you plan to access via the SSH Provider.
For more information about how to configure which UNIX user is used to run the script, see Creating Script automations.
- Optionally, you can generate group-specific keys. Use these if you only want users from a specific group to have access to a machine. In this scenario, the default public key can act as a fallback if none of the other keys work.
- Click New public key for groups.
- Select a group, then use the refresh button to create a public key for the selected group.
- The table lists all existing group-specific keys. Use the action buttons to change, delete, or copy the public keys.
Note: Runbook Automation tries every eligible public key for an RBA user to access a target endpoint until it finds an authorized public key. Some target endpoints might have security policies in place that ban further connection after a certain number of unauthorized connections. Therefore, it is good practice to either avoid having too many group-specific public keys or avoid having RBA users in too many different groups.
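The key registration described in the procedure above, done idempotently on a target, together with a check for the bash, mktemp and openssl prerequisites. This is an added example, not code from the product or its documentation; the function names missing_tools and install_rba_key, the sample key and the temporary directory are constructed for illustration, and it assumes the public key line has been copied from the configuration window.

```shell
#!/bin/sh
# Added example; missing_tools and install_rba_key are hypothetical helper names.

# Print each named tool that is not on PATH; return 1 if any is missing.
missing_tools() {
    rc=0
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { printf '%s\n' "$tool"; rc=1; }
    done
    return "$rc"
}

# install_rba_key HOME_DIR KEY_LINE [OWNER]
# Adds KEY_LINE to HOME_DIR/.ssh/authorized_keys exactly once, with
# 0700/0600 permissions, which satisfy sshd's StrictModes check.
install_rba_key() {
    home_dir=$1 key=$2 owner=${3:-}
    auth="$home_dir/.ssh/authorized_keys"
    # An embedded newline would smuggle a second key line into the file.
    case $key in
        *"
"*) echo "key must be a single line" >&2; return 2 ;;
    esac
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Terminate an unterminated last line so the new key is not glued onto it.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    # -x whole line, -F fixed string: append only when the key is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    # When root installs the key for another user, hand the files to that user.
    if [ -n "$owner" ]; then chown -R "$owner" "$home_dir/.ssh"; fi
}

# Demo: a throwaway directory stands in for /home/john; the key is constructed.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3ConstructedExampleKeyOnly rba-default'
missing_tools bash mktemp openssl || echo "install the tools listed above" >&2
install_rba_key "$demo_home" "$demo_key"
install_rba_key "$demo_home" "$demo_key"   # second run changes nothing
echo "key lines: $(grep -c . "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

After a key is regenerated, the old line has to be removed from each authorized_keys file by hand, because this helper only adds keys. On a jump server, the same missing_tools function can be run with nc as its argument.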