Discovery Credentials: SSH Private Key

Go to solution
chadlockwood
Kilo Sage

‎06-06-2014 08:46 AM

Currently, Discovery is configured to use a local account username and password for SSH to our Macs. Discovery is successful with this configuration, however, it is not the most secure option. We are attempting to use an SSH Private Key type credential for discovery of our Mac machines without success.

I have tried generating a key pair on the Mac and entering the private key data into the Credentials form.

I have tried generating a key pair on the MID server, adding the public key to the ~/.ssh/authorized_keys file on the Mac, and entering the MID server private key data into the Credentials form. Neither of these were successful.

I was able to successfully SSH from the MID server to the Mac using Putty, after copying the MID server public key to the Mac.

 

Is anyone using the SSH Private Key to successfully Discover Unix-based machines, that could help with configuration?

 

Regards,

Chad Lockwood

Labels:
0 Helpfuls
  • 20,267 Views
1 ACCEPTED SOLUTION

Go to solution
chadlockwood
Kilo Sage

‎06-11-2014 02:14 PM

The following process worked in my environment. You will need a service account on your endpoints and a public/private key pair for each of your MID servers before you can configure the SSH Private Key credential in ServiceNow:



  1. Service Account
    1. Setup a service account on your endpoint that has administrative privileges
    2. Use a central management tool or sneakernet/intern-net to push the service account to all endpoints
  2. Create the public/private key pair on the MID server
    1. If your MID server is running on a Windows machine, use PuTTYgen to generate your key pair. This is a great link for setting up PuTTY
    2. If your MID server is running on Linux/Unix, look at using ssh-keygen to generate your key pair
  3. Copy your MID server public key to your endpoints
    1. The public key will need to be saved in $HOME/.ssh/authorized_keys for your service account
  4. Create a new credential record in ServiceNow
    1. ServiceNow only supports PEM file private keys. Using PuTTYgen, follow these directions to convert your private key to PEM
    2. ServiceNow > Credentials > New
      1. Name: Enter a descriptive name
      2. Type: SSH Private Key
      3. User name: username of the service account on the endpoint
      4. SSH passphrase: the passphrase used to generate the public/private key pair on the MID server
      5. SSH private key: copy the entire contents of the PEM file private key from your MID server
      6. Applies to: Specific MID servers
      7. MID servers: select the MID server that this key pair was generated on
      8. Click Save
  5. You will need to repeat this process for all MID servers used in Discovery


Starting with Dublin, you can add a sudo password, if required. We are on Calgary so that field is not available to us. This would defeat the purpose of using the key pair for my requirements so we are not likely to use it after we upgrade. The alternative would be to use the NOPASSWD option. Hope this helps.


View solution in original post

10 REPLIES 10

Go to solution
chrisdimo
Kilo Contributor

‎06-10-2014 07:19 PM

Hi Chad,


We will also be looking at this for our Solaris and Linux boxes, so definetely interested in this as well.


0 Helpfuls

Go to solution
chadlockwood
Kilo Sage

‎06-11-2014 02:14 PM

The following process worked in my environment. You will need a service account on your endpoints and a public/private key pair for each of your MID servers before you can configure the SSH Private Key credential in ServiceNow:



  1. Service Account
    1. Setup a service account on your endpoint that has administrative privileges
    2. Use a central management tool or sneakernet/intern-net to push the service account to all endpoints
  2. Create the public/private key pair on the MID server
    1. If your MID server is running on a Windows machine, use PuTTYgen to generate your key pair. This is a great link for setting up PuTTY
    2. If your MID server is running on Linux/Unix, look at using ssh-keygen to generate your key pair
  3. Copy your MID server public key to your endpoints
    1. The public key will need to be saved in $HOME/.ssh/authorized_keys for your service account
  4. Create a new credential record in ServiceNow
    1. ServiceNow only supports PEM file private keys. Using PuTTYgen, follow these directions to convert your private key to PEM
    2. ServiceNow > Credentials > New
      1. Name: Enter a descriptive name
      2. Type: SSH Private Key
      3. User name: username of the service account on the endpoint
      4. SSH passphrase: the passphrase used to generate the public/private key pair on the MID server
      5. SSH private key: copy the entire contents of the PEM file private key from your MID server
      6. Applies to: Specific MID servers
      7. MID servers: select the MID server that this key pair was generated on
      8. Click Save
  5. You will need to repeat this process for all MID servers used in Discovery


Starting with Dublin, you can add a sudo password, if required. We are on Calgary so that field is not available to us. This would defeat the purpose of using the key pair for my requirements so we are not likely to use it after we upgrade. The alternative would be to use the NOPASSWD option. Hope this helps.


Go to solution
prasanna11
Giga Guru
In response to chadlockwood

‎07-09-2014 03:25 AM

what happens when we choose



Applies to : all midservers


0 Helpfuls

Go to solution
chadlockwood
Kilo Sage
In response to prasanna11

‎07-09-2014 07:15 AM

prasanna,



You will need to generate a public/private key on each MID server you have. Since the credentials for allows only one private key to be entered, you would need to add credentials for each MID server. If you apply one server private key to 'All MID servers' it would only work for the server it came from. If Discovery used a different MID server, the credentials would fail.


0 Helpfuls