SSH Command Sets
(Feature available only in Premium and Enterprise Editions)
Password Manager Pro (PMP) mainly provides out-of-the-box support to enforce automatic remote password reset for a wide range of commonly-used resource types such as Windows local accounts, Windows domain accounts, Linux root accounts, etc. For custom resource types that are not included out-of-the-box, PMP now provides an SSH command-based password reset option. Through this, you can add the password reset commands used in the command-line interface of your resource type directly to the PMP web interface, without the need for a CLI terminal. Please note that this feature is supported only for devices that allow SSH connections.
PMP offers a default set of basic commands that you can use right away; alternatively, you can add your own commands, arrange them in the order of execution, and combine them into a new command set. This way, you'll be able to add accounts that have varying password authentication methods but fall under a single custom resource type. For example, Linux resources have different password authentication flows for root passwords and regular user passwords; similarly, Cisco devices support five different types of users. In such cases, you will be able to add any number of custom commands and specify the order in which they are to be executed.
Note: While all administrators can view the SSH command sets, only privileged administrators will be able to add, edit, and delete commands and command sets in PMP.
How to configure SSH Command Sets in PMP
To create your own set of commands in PMP and ensure they work as expected, you must follow the flow given below:
- Add your custom commands individually or pick from the existing commands to create one or more command sets.
- Combine commands in the sequence in which you want them to be executed and create a command set.
- While adding a new resource type, you can map multiple command sets to it. You can do this by navigating to 'Add Resource Type', choosing your custom command sets and adding them to your resource type.
- Map your new resource to your custom resource type. While adding a new resource, choose your custom resource type from the 'Resource Type' drop down list.
- While adding accounts to your resource, you will be prompted to choose from the command sets that have been mapped to your resource type.
- Each account can have an individual command set mapped to it.
Steps to configure command sets for custom resource types
- Navigate to Admin > Customization > SSH Command Sets.
Under the Commands section, you will find a pre-defined set of commands ready for use. You can arrange these into a required sequence and create a command set for your resource type. You can also add and delete new commands as per your requirement. To modify or delete the commands you have added, click on the respective icons under Actions. Default commands and custom commands that are already associated with a resource cannot be deleted.
- To add new commands, click on the 'Add Command' option. You will be prompted to enter the command name, command, the appropriate prompt, a short description, and a timeout period in seconds. The timeout period denotes the amount of time for which the system waits for an input.
- It is imperative that the command prompt given here matches the one in your CLI for the command to execute properly. For example, if the prompt is a colon and a space, it should be entered here as such: ": ".
- The Command entered must be of the format specified in the tool tip below. Refer to the tool tip text for examples.
- To delete a command that has already been added, click on the delete icon under Actions. You can delete multiple commands by selecting the required ones using the check box and clicking on the Delete Command button.
- Please note that default commands and custom commands that are already associated with a resource cannot be deleted.
- While deleting commands in bulk, in case you select a default command or a custom command that is already in use, those commands will be excluded and the rest will be deleted. You can get more details on this from the audit logs.
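The prompt and timeout fields described above, shown as an added sketch that is not PMP's own code. It assumes each command is sent and the device output must then end with the configured prompt within the timeout; the fake device, account name, and password are constructed stand-ins for a real SSH session.

```python
from dataclasses import dataclass

@dataclass
class Command:
    name: str
    command: str    # text sent to the device
    prompt: str     # text the device output must end with afterwards
    timeout: float  # seconds to wait for that prompt

class FakeDevice:
    """Constructed stand-in for an SSH session; prints scripted output."""
    def __init__(self, outputs):
        self.outputs = list(outputs)
        self.pending = ""
    def send(self, line):
        self.pending = self.outputs.pop(0) if self.outputs else ""
    def read(self):
        out, self.pending = self.pending, ""
        return out

def run_sequence(device, commands, poll=0.5):
    """Send each command in order; stop at the first prompt that never appears."""
    for cmd in commands:
        device.send(cmd.command)
        seen, waited = device.read(), 0.0
        while not seen.endswith(cmd.prompt):   # exact match, trailing space included
            if waited >= cmd.timeout:
                return {"ok": False, "failed": cmd.name, "seen": seen}
            waited += poll   # simulated clock; a real client would block on the socket
            seen += device.read()
    return {"ok": True, "failed": None, "seen": ""}

# Constructed transcript of a Linux-style password change (sample values only).
OUTPUTS = [
    "Changing password for svc_backup.\nNew password: ",
    "Retype new password: ",
    "passwd: password updated successfully\n$ ",
]

def reset_sequence(first_prompt):
    return [
        Command("start reset", "passwd svc_backup", first_prompt, 5),
        Command("new password", "N3w-Example-Pass", "Retype new password: ", 5),
        Command("confirm password", "N3w-Example-Pass", "$ ", 5),
    ]

def demo():
    good = run_sequence(FakeDevice(OUTPUTS), reset_sequence(": "))  # colon + space
    bad = run_sequence(FakeDevice(OUTPUTS), reset_sequence(":"))    # space missing
    return good, bad
```

In this sketch a missed prompt stops the sequence at that step, so the remaining commands, including the new password, are never typed into an unexpected prompt.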
Creating command sets:
- Once you have added your custom commands to PMP, navigate to the SSH Command Sets tab to create your command set.
- Here, you can add a name and a description for your command set. All the available commands will be listed below the Command Name box and you can add them one by one to the Verify SSH Command Sequence box. You will be able to re-order them according to your preference by clicking and dragging the commands into the Reset Command Sequence box.
- On the right, you will find two sections: Verify SSH Command Sequence and Reset Command Sequence.
- To add any command under Command Name to either of those sections, hover your mouse over a command and you will see two options 'Verify' and 'Reset'.
Verify SSH Command Sequence
- Under this section, you need to specify the command sequence that has to be carried out to check if the password of an account is in sync with the one stored in the PMP repository.
- Under this you can add a password verify sequence for your resource type. Hover your mouse over the commands you want to add, click on the 'Verify' option and move them to the Verify SSH Command Sequence box on the right. Click and drag the commands to arrange them in the required order and click Save to add the command set.
- Once this command set is associated with an account, this sequence will help you in verifying if the password of that account is in sync with the one stored in PMP.
Reset Command Sequence
- Under this section, you need to specify the command sequence in which the password reset has to be carried out.
- Hover your mouse over the commands you want to add, click on the 'Reset' option and move them to the Reset Command Sequence box on the right. Click and drag the commands to arrange them in the required order and click Save to add the command set.
- Once this command set is associated with an account and remote password reset is configured for the resource it belongs to, the password reset will be carried out in this sequence.
Note: Both password verify and reset command sets will work only if the remote password reset settings are configured with valid credentials. Refer to this document for details on how to configure remote password reset.
Mapping command sets to a resource type:
- Once your command sets are created, you need to create your custom resource type and map the required command sets to it.
- To create your custom resource type, navigate to the Resources tab and click on Resource Types. Click on Add to start adding a new resource type. Here, you can specify a name and an icon of your choice. This icon will be displayed under Type in the Resources tab.
- Under the General section, you can select resource and account attributes to be added to your resource type, along with a name and an icon of your choice. This icon will be displayed under Type in the Resources tab.
In the Advanced section, you will find four options:
- Existing Resource Type
- Password Reset Plugin
- SSH Command Sets
If the resource type you are adding is similar to an existing resource type, such as a variation of a network device like Cisco or HP, you may choose the 'Existing Resource Type' option. This will enable PMP to associate similar actions with your custom resource type.
If you have already created a password reset plugin from the Admin console, you may choose it here to use it for your resource type. Refer to this section of the documentation for more information on creating Password Reset Plugin.
SSH Command Sets:
You will find both default command sets and your custom command sets listed under this option. You can choose any of those by clicking on the names of the command sets. You will be able to choose multiple command sets for one resource type. Once you have selected the required command sets, click on Save.
Adding a resource
Once added, the newly added resource type will appear under the Resource Type drop down list in the Add Resource dialog box. While adding a resource, choose your custom resource type from the drop down and proceed to add accounts as usual.
When you add accounts to your resource, you need to select your custom command set from the SSH Command Sets drop down list.
Once the command sets are added to your accounts, you may proceed to configure remote password reset for the resource from Resources tab > Resource Actions.
Applying command sets to accounts in bulk
You can apply a single command set to multiple accounts within a single resource in bulk. To achieve this:
- Navigate to the Resources tab and click on a resource name to list all the accounts associated with that particular resource.
- Select the accounts for which you want to apply a command set and click on Apply Command Set in Bulk.
- In the dialog box that appears, choose the required command set from the drop down list and click Save.
- Now, this command set will be applied to all the selected accounts, overriding their previous command set configuration, if any.