How to configure TADDM to use public / private key authentication

When the TADDM application is installed on a Windows server and you need to use public / private key authentication to connect to Unix / Linux clients, use the following procedure to configure and test the authentication process.


Step 1: Generate the public / private key pair on a Unix / Linux client.

Log in to the Unix / Linux client as the user that will run the TADDM discovery; in this example the user is called "taddm". OpenSSH is installed on this Linux server.

Execute the following command to generate the key pair:

ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save key (/home/taddm/.ssh/id_dsa):

Enter passphrase (empty for no passphrase):<password>

Enter same passphrase again:<password>

Your identification has been saved in /home/taddm/.ssh/id_dsa.

Your public key has been saved in /home/taddm/.ssh/id_dsa.pub.

The key fingerprint is:

3c:97:8e:f1:f0:43:71:8d:a5:d5:9d:3d:a7:6d:fd:50:  taddm@tamit.orbdata.com

Change to the .ssh directory:

cd /home/taddm/.ssh

There are two files in this directory: id_dsa (the private key) and id_dsa.pub (the public key).

Copy the public key to the authorized_keys file:

cp id_dsa.pub authorized_keys

Copy the private key (id_dsa) to your Windows system.

Make sure the .ssh folder's permissions are set to 700 and the authorized_keys file's permissions are set to 600; with the default StrictModes setting, sshd refuses key authentication when these are writable by other users.

Step 2: Modify sshd_config on the Unix/Linux client


Modify the /etc/ssh/sshd_config file to contain the following:

RSAAuthentication no

PubkeyAuthentication yes

Restart the OpenSSH daemon (the service is named sshd rather than ssh on Red Hat-style systems):

/etc/init.d/ssh restart
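As an added check (example script, not part of the original procedure or of TADDM), the following POSIX shell functions verify the two things in Steps 1 and 2 that most often make key authentication fail silently: the permissions on the .ssh directory and authorized_keys, and the value of PubkeyAuthentication that sshd will actually use. sshd takes the first uncommented occurrence of a keyword, so a line appended to the end of sshd_config is ignored when an earlier setting exists; the demo builds a constructed sshd_config that shows this. The script assumes GNU stat -c (Linux) and a POSIX awk. Two caveats for current systems: RSAAuthentication only ever applied to SSH protocol 1, and OpenSSH has disabled DSA (ssh-dss) user keys by default since release 7.0, so on a modern client ssh-keygen -t rsa or -t ed25519 is the usual choice.

```shell
#!/bin/sh
# Added example (not from the original article): verify the key-file
# permissions and the effective sshd_config setting described in Steps 1-2.
# Assumes GNU coreutils `stat -c` (Linux) and a POSIX awk.

# check_key_perms DIR
# Returns 0 if DIR is mode 700 and DIR/authorized_keys is mode 600,
# 1 otherwise. sshd (StrictModes yes, the default) silently refuses key
# authentication when these are group- or world-accessible.
check_key_perms() {
    dir="$1"
    ok=0
    dmode=$(stat -c '%a' "$dir") || return 1
    if [ "$dmode" != "700" ]; then
        echo "WARN: $dir is mode $dmode, expected 700" >&2
        ok=1
    fi
    fmode=$(stat -c '%a' "$dir/authorized_keys") || return 1
    if [ "$fmode" != "600" ]; then
        echo "WARN: $dir/authorized_keys is mode $fmode, expected 600" >&2
        ok=1
    fi
    return $ok
}

# effective_sshd_option FILE KEYWORD
# Prints the value sshd will actually use for KEYWORD in the global
# section of FILE. sshd_config uses the FIRST uncommented occurrence of a
# keyword, so later duplicates are ignored. Keywords are case-insensitive,
# and both "Key value" and "Key=value" forms are accepted. Parsing stops
# at the first Match block, whose settings are conditional.
effective_sshd_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, "[ \t=]+")
            k = tolower(f[1])
            if (k == "match") exit
            if (k == want) { print f[2]; exit }
        }' "$1"
}

# demo_sshd_config
# Builds a constructed sshd_config (not a real server's file) in which the
# Step 2 lines were appended after an existing "PubkeyAuthentication no",
# and prints the value sshd would use: "no", not the appended "yes".
demo_sshd_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample, not a real server's file
Port 22
PubkeyAuthentication no
PasswordAuthentication yes
# lines appended per Step 2 -- too late, the earlier "no" wins
RSAAuthentication no
PubkeyAuthentication yes
EOF
    effective_sshd_option "$cfg" PubkeyAuthentication
    rm -f "$cfg"
}
```

Source the file on the Linux client and run check_key_perms /home/taddm/.ssh and effective_sshd_option /etc/ssh/sshd_config PubkeyAuthentication; if the latter prints anything other than yes, find and change the earlier occurrence rather than appending another line. On OpenSSH 6.x or later, sshd -T prints the effective configuration directly and is the authoritative check.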

Step 3: Configuring TADDM to use the generated keys.


The id_dsa key that you copied to the Windows TADDM server must be placed in a ".ssh" directory under the profile of the user that started the TADDM server. If you are unsure of the correct directory, use Step 5 to test the SSH connection; the output displays the directory where TADDM expects to find the key.

For example, if the user that started the TADDM server is Administrator, create the ".ssh" directory in the "C:\Documents and Settings\Administrator" folder.

In a command window, execute the following commands:

cd "C:\Documents and Settings\Administrator"

mkdir ".ssh"

Copy the id_dsa key into this directory.

Step 4: Setting up the TADDM access list to use the keys when discovering the Unix / Linux server

Click Access List under the Discovery tab.

Click the Add button to add a new access entry.

Set Component Type to Computer System.

Enter a name for the account.

Enter the user name, "taddm" in this example.

Enter the passphrase that you used when generating the public/private keys.

Enter the same passphrase in the Confirm Password box.

Set Authentication Type to Default.

On the Scope Limitations tab, limit the scope to the scope containing the Unix / Linux clients.

Step 5: Test the SSH connection to the Linux server using the TADDM testssh.bat script


Open a command shell on the TADDM server and change to the directory where the TADDM support tools are installed; in this example it is C:\ibm\cmdb\dist\support\bin.

Issue the following command:

testssh.bat -u <taddm administrator> -p <password> <target server> <command>

If the TADDM console user is administrator and the password is collation, then to run "ls -al" on the server 10.10.10.130 using the TADDM access list entries, the command would be:

testssh.bat -u administrator -p collation 10.10.10.130 "ls -al"

This prints debug information for the connection and the command, and should return a list of the files in the "taddm" user's home directory.

Step 6: Additional – Setting up the taddm user on Linux to use sudo

To set up the taddm user on Linux to use sudo, edit the sudoers file with the visudo command.

Example sudoers entry to include:

taddm ALL=NOPASSWD: /usr/sbin/lsof, /bin/netstat, /usr/sbin/ethtool

You also need to add the above commands to collation.properties so that TADDM uses sudo when running them; the file is in the C:\ibm\cmdb\dist\etc directory.

com.collation.discover.agent.command.lsof.Linux=sudo lsof
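Step 6 has two lists that must agree: the commands granted NOPASSWD in sudoers and the commands that collation.properties prefixes with sudo. A command present in the properties file but absent from the sudoers grant makes sudo prompt for a password that an unattended discovery cannot supply, so the sensor fails. The following POSIX shell script is an added example (not part of the original procedure or of TADDM) that cross-checks the two; it assumes the single-line sudoers form and the property format shown above, and uses constructed sample files in which netstat is run via sudo but not granted.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check the Step 6
# sudoers entry against the collation.properties commands so that every
# command TADDM runs through sudo is actually permitted with NOPASSWD.
# Assumes the property form shown in the article:
#   com.collation.discover.agent.command.<cmd>.<os>=sudo <cmd>
# and a simple sudoers line: USER ALL=NOPASSWD: /path/a, /path/b

# sudo_commands_in_properties FILE
# Prints the basename of every command that FILE prefixes with "sudo",
# one per line. Commented-out properties are skipped.
sudo_commands_in_properties() {
    awk -F= '
        /^[ \t]*#/ { next }
        $2 ~ /^[ \t]*sudo[ \t]+/ {
            val = $2
            sub(/^[ \t]*sudo[ \t]+/, "", val)
            split(val, w, "[ \t]+")      # w[1] is the command (maybe a path)
            n = split(w[1], p, "/")      # keep only the basename
            print p[n]
        }' "$1"
}

# nopasswd_commands_in_sudoers FILE USER
# Prints the basename of each command USER may run with NOPASSWD.
nopasswd_commands_in_sudoers() {
    awk -v user="$2" '
        /^[ \t]*#/ { next }
        $1 == user && $0 ~ /NOPASSWD:/ {
            list = $0
            sub(/.*NOPASSWD:[ \t]*/, "", list)
            m = split(list, c, "[ \t]*,[ \t]*")
            for (i = 1; i <= m; i++) { n = split(c[i], p, "/"); print p[n] }
        }' "$1"
}

# missing_sudo_grants PROPS SUDOERS USER
# Prints each command that PROPS runs via sudo but SUDOERS does not grant
# to USER; exit status is 1 if any are missing, 0 if the lists agree.
missing_sudo_grants() {
    granted=$(nopasswd_commands_in_sudoers "$2" "$3")
    missing=0
    for cmd in $(sudo_commands_in_properties "$1"); do
        if ! printf '%s\n' "$granted" | grep -qx "$cmd"; then
            echo "$cmd"
            missing=1
        fi
    done
    return $missing
}

# demo_missing_sudo_grants
# Runs the check on constructed sample files (not real TADDM files):
# netstat is run via sudo in the properties but not granted in sudoers,
# so this prints "netstat" and returns 1.
demo_missing_sudo_grants() {
    props=$(mktemp); sudoers=$(mktemp)
    cat > "$props" <<'EOF'
# constructed sample collation.properties fragment
com.collation.discover.agent.command.lsof.Linux=sudo lsof
com.collation.discover.agent.command.netstat.Linux=sudo /bin/netstat
com.collation.discover.agent.command.ethtool.Linux=sudo ethtool
com.collation.discover.agent.command.uname.Linux=uname
EOF
    cat > "$sudoers" <<'EOF'
# constructed sample sudoers fragment
taddm ALL=NOPASSWD: /usr/sbin/lsof, /usr/sbin/ethtool
EOF
    if missing_sudo_grants "$props" "$sudoers" taddm; then rc=0; else rc=$?; fi
    rm -f "$props" "$sudoers"
    return $rc
}
```

On a real system, run missing_sudo_grants against a copy of collation.properties taken from the TADDM server and the output of visudo -c or the sudoers file itself; an empty result with exit status 0 means every sudo-prefixed discovery command is covered by the NOPASSWD grant. Keeping the grant restricted to the specific binaries listed, rather than ALL, limits what a compromised discovery account can do.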
