Prepare Unix hosts
The management console provides a central management and reporting console for local Unix users and groups.
Using Management Console for Unix with Safeguard Authentication Services not only lets you centrally manage your hosts, but also adds these capabilities for managing Unix systems with Active Directory:
- Ability to remotely install Safeguard Authentication Services agents, join systems to Active Directory, and implement AD-based authentication for Unix, Linux, and macOS systems.
- Ability to manage access control on a single host system or across multiple hosts.
- Ability to create reports about Unix-enabled users and groups in Active Directory.
- Ability to create access control reports that show which user is permitted to log into which Unix host.
Whether you have the core version or are using the management console with Safeguard Authentication Services, once you have successfully installed Management Console for Unix, you must first add your hosts to the console, and then profile them to gather system information. Once a host is added and profiled you can then manage users and groups on the hosts and run reports.
Adding hosts to the management console
In order to manage a Unix host from the management console, you must first add the host. Go to the Hosts tab of the management console to either manually enter hosts or import them from a file.
To add hosts to the management console
- Click the Add Hosts tool bar button to display the Add Hosts dialog.
- To manually add one or more hosts, enter the FQDN, IP address, or short name of a host you want to add to the management console and either click the Add button or press Enter.
Once added, the Host column displays the value you enter. The management console uses that value to connect to the host. You can rename the host if it has not been profiled using the Rename Host command on the Host panel of the tool bar. After a host is profiled, the only way to change what is displayed in the Host column is to remove the host from the console and re-add it. For example, if you add a host by its IP address, the IP address displays in the Host column (as well as in the IP Address column); to change what is displayed in the Host column, you must use the Remove from console tool bar button to remove the host from the console; then use the Add Hosts button to re-add the client by its host name. If you had profiled the host before removing it, you will have to re-profile it after re-adding it.
- To add hosts from a known_hosts file, click the Import button.
- In the Import hosts from file dialog, browse to select a .txt file containing a list of hosts to import.
Once imported, the host addresses display in the Add Host dialog list.
Note: The valid format for an import file is:
- .txt file - contains the IP address or DNS name, one per line
- known_hosts file - contains address algorithm hostKey (separated by a space), one entry per line
See Known_hosts File Format in the online help for more information about the supported known_hosts file format.
- Once you have a list of one or more hosts to add, if you do not wish to profile the hosts at this time, clear the Profile hosts after adding option.
Note: If you add more hosts to the list than selected in the Rows to show drop-down menu in the View panel of the tool bar, this option is disabled.
- If you do not clear the Profile hosts after adding option in the Add Hosts dialog, when you click OK, the Profile Host dialog prompts you to enter the user credentials to access the hosts. Refer to Profiling hosts, which walks you through the host profile steps.
- If you clear the Profile hosts after adding option in the Add Hosts dialog, when you click OK, the Add Hosts dialog closes and control returns to the management console.
The management console lists hosts that were successfully added on the All Hosts view by the FQDN, IP address, or short name of the hosts you entered in the Add Hosts dialog.
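The two import-file formats described in the note above can be checked before a file is handed to the Add Hosts dialog. The following shell script is an added example, not the product's own code: it classifies each line by field count, rejects a file that mixes the two formats, and lists the addresses that would be added. The hostnames and key material in the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not the product's own code: pre-check an import file for the
# Add Hosts dialog. Accepted formats are a .txt list (one IP address or DNS name
# per line) and a known_hosts-style file ("address algorithm hostKey", one entry
# per line). Anything else, including a file mixing the two, is rejected.

# Classify one line by its field count: txt | known_hosts | invalid
classify_line() {
    set -- $1
    case $# in
        1) echo txt ;;
        3) echo known_hosts ;;
        *) echo invalid ;;
    esac
}

# Validate a whole file. Prints the detected format (txt, known_hosts or empty)
# and returns 0, or reports the first offending line on stderr and returns 1.
validate_import_file() {
    file="$1"; fmt=""; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ -z "$line" ]; then
            continue
        fi
        kind=$(classify_line "$line")
        if [ "$kind" = invalid ]; then
            echo "$file: line $n: expected 1 field (.txt) or 3 fields (known_hosts)" >&2
            return 1
        fi
        if [ -z "$fmt" ]; then
            fmt=$kind
        elif [ "$fmt" != "$kind" ]; then
            echo "$file: line $n: mixed formats ($fmt and $kind)" >&2
            return 1
        fi
    done < "$file"
    echo "${fmt:-empty}"
}

# List the addresses the console would add (first field of every non-blank line).
extract_hosts() {
    awk 'NF { print $1 }' "$1"
}

# Constructed sample inputs (hostnames and key material are made up).
write_sample_txt() {
    printf '%s\n' 'unixhost01.example.com' '192.0.2.10' 'unixhost02' > "$1"
}
write_sample_known_hosts() {
    printf '%s\n' \
        'unixhost01.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0000000' \
        '192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial' > "$1"
}
```

Run `validate_import_file hosts.txt` before importing; a non-zero exit with a line number on stderr tells you which entry the dialog would choke on. The check only looks at field counts, so it does not verify that an address resolves or that a key is well formed.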
Profiling hosts
Profiling imports information about the host, including local users and groups, into the management console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.
To profile hosts
- Select one or more hosts in the All Hosts view and click Profile from the Prepare panel of the tool bar, or open the Profile menu and choose Profile.
- In the Profile Host dialog, enter user credentials to access the hosts.
If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
- If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the following information:
- Enter the user name and password to log onto the selected hosts.
- Optionally, enter the SSH port to use. It uses port 22 by default.
- To save the credentials entered for the host, select the Save my credentials on the server option.
Once saved, the management console uses these credentials to access the host during this and subsequent sessions.
Note: If you do not save a password to the server, the user name and password fields will be blank the first time the management console needs credentials to complete a task on the host during a logon session. Once entered, the management console caches the user name and password and reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current log on session.
If you choose to save a host's credentials to the server, the management console encrypts the credentials and saves them in the Java keystore. Saved user names and passwords persist across logon sessions, and when needed, the management console pre-populates the user name and password fields each subsequent time it needs them to perform a task. For more information, see Caching Unix Host Credentials in the online help.
- If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials and specify different settings for each host.
- To enter different credentials, place your cursor in the Username and Password columns to the right of the Host column and enter the credentials to use.
- To change the SSH port for a host, place your cursor in the SSH Port column and enter the new SSH port number.
- To save the credentials entered for a host, select the check box in the Save column.
- If you want the management console to prompt you to review and accept new SSH keys for the selected hosts (which do not have previously cached SSH keys), clear the Automatically accept SSH keys option before you click OK.
Note: When profiling one or more hosts, you must accept at least one key before continuing. The management console only profiles hosts with accepted keys.
By default, the Automatically accept SSH keys option is selected. This enables the management console to automatically accept the SSH key for all selected hosts that do not have a previously cached key. When it accepts the key, the console adds it to the accepted-keys cache on the Management Console for Unix server. If you clear the Automatically accept SSH keys option, when the management console encounters a modified key, it opens the Validate Host SSH Keys dialog, allowing you to manually accept keys that are encountered. Once you have manually verified the fingerprint, the console adds the SSH host keys to the accepted-keys cache.
Note: Once you profile a host, all future tasks that involve an SSH connection verify the SSH host key against the accepted-keys cache. When profiling, if the console encounters a modified key, the profile task prompts you to accept any new or changed keys. When performing any SSH action other than profile, if the console encounters a different SSH key, the task fails. To update the accepted-keys cache for the host, either profile or re-profile the host, accept the new key, and retry the task, or import a new SSH host key from the host's properties or from the All Hosts view. See Import SSH Host Key or Managing SSH Host Keys in the online help for more information.
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.
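The accepted-keys behaviour described in the preceding steps (auto-accept only for hosts with no cached key, a prompt for new or changed keys during profiling, and failure for any other task on a changed key) is modelled in the following shell script. It is an added example, not the product's own code; the cache file format is assumed to be known_hosts style ("host algorithm key", one per line), and the sample key material is constructed.

```shell
#!/bin/sh
# Added example, not the product's own code: a minimal model of the accepted-keys
# cache behaviour described above. The cache file format is an assumption
# (known_hosts style, "host algorithm key" per line); the server's real cache
# format is not documented on this page.

# Compare a presented host key against the cache: accepted | new | changed
host_key_state() {
    cache="$1"; host="$2"; algo="$3"; key="$4"
    cached=$(awk -v h="$host" -v a="$algo" '$1 == h && $2 == a { print $3; exit }' "$cache")
    if [ -z "$cached" ]; then
        echo new
    elif [ "$cached" = "$key" ]; then
        echo accepted
    else
        echo changed
    fi
}

# What a profile task does with that state. auto = yes|no mirrors the
# "Automatically accept SSH keys" option: only keys with no cached entry are
# auto-accepted; a changed key always goes to the Validate Host SSH Keys prompt.
profile_key_action() {
    auto="$1"; state="$2"
    case "$state" in
        accepted) echo proceed ;;
        new)      if [ "$auto" = yes ]; then echo auto-accept; else echo prompt; fi ;;
        changed)  echo prompt ;;
        *)        echo error ;;
    esac
}

# Any other SSH task proceeds only on an accepted key; otherwise it fails and the
# operator must re-profile or import the new key first.
task_allowed() {
    task="$1"; state="$2"
    if [ "$state" = accepted ]; then
        return 0
    elif [ "$task" = profile ]; then
        return 0
    else
        return 1
    fi
}

# Record an accepted key, replacing any earlier entry for the same host/algorithm.
accept_host_key() {
    cache="$1"; host="$2"; algo="$3"; key="$4"
    tmp="$cache.tmp"
    awk -v h="$host" -v a="$algo" '!($1 == h && $2 == a)' "$cache" > "$tmp"
    echo "$host $algo $key" >> "$tmp"
    mv "$tmp" "$cache"
}

# Constructed cache with one previously accepted host (key material is made up).
write_sample_cache() {
    printf '%s\n' 'unixhost01.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA' > "$1"
}
```

The important property to notice is that a changed key is never silently accepted: with auto-accept on, only a host with no cached entry is accepted without review, which is why the fingerprint of a changed key should be verified out of band before it is accepted in the Validate Host SSH Keys dialog.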
Configuring automatic profiling
To keep the Management Console for Unix database up to date with accurate information about users, groups, and One Identity products, you can configure the management console to profile hosts automatically.
BEST PRACTICE: Configure newly added hosts for auto-profiling before you perform any other actions so that the management console dynamically updates user and group information. See UID or GID Conflicts in the online help.
Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.
The cron job detects changes to the following:
- Local users, groups, or shells
- Installed Safeguard Authentication Services or Privilege Manager software
- Safeguard Authentication Services access control lists
- Safeguard Authentication Services mapped user information
- Privilege Manager configuration
- Safeguard Authentication Services configuration
- Privilege Manager licenses
The cron job also sends a heartbeat every day. This updates the Last profiled date displayed on the host properties. If the Last profiled date is more than 24 hours old, the host icon changes to indicate that no heartbeat has been received.
To configure automatic profiling
- Select one or more hosts in the All Hosts view, open the Profile menu from the Prepare panel of the tool bar, and choose Profile Automatically.
Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same "auto-profile" state; that is, they all have Auto-profiling turned on, or they all have Auto-profiling turned off.
- In the Profile Automatically dialog, select the Profile the host automatically option.
- Choose the user account you want to use for profiling:
- Create a user service account on the host
When you choose to create the user service account on the host, the management console does the following if the account does not already exist:
- Creates "questusr," the user service account, and a corresponding "questgrp" group on the host that the management console uses for automatic profiling.
- Adds questusr as an implicit member of questgrp.
-OR-
- Use an existing user account (user must exist on all selected hosts)
Click Select to browse for a user.
- Click OK in the Profile Automatically dialog.
Whether you choose to create the user service account or use an existing user account, the management console:
- Adds the user account (the "questusr" or your existing user account) to the cron.allow file, if necessary. For example, the console takes no action if the cron.allow file does not already exist, but there is a cron.deny file:

| cron.allow exists | cron.deny exists | Action | Result |
| --- | --- | --- | --- |
| NO | NO | Creates cron.allow and adds root and questusr to it | Both root and questusr have access. |
| NO | YES | No action | All users have access except those in cron.deny; questusr has access unless explicitly denied. |
| YES | NO | Adds questusr to cron.allow | Users in cron.allow have access. |
| YES | YES | Adds questusr to cron.allow | Users in cron.allow have access unless in cron.deny. |
- Adds the auto-profile SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
- Verifies the service account user can log in to the host.
Note: If you receive an error message saying you could not log in with the user service account, refer to Service Account Login Fails in the online help to troubleshoot this issue.
The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.
If questusr is inadvertently deleted from the console, the console turns auto-profiling off.
To re-create the "questusr" account
- Re-profile the host.
- Reconfigure the host for automatic profiling.
- In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
Note: This task requires elevated credentials.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
- If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to access the selected hosts and click OK.
- If you selected multiple hosts and the Enter different credentials for each selected host option, a grid is displayed that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
To disable automatic profiling
- Select one or more hosts on the All Hosts view and choose Profile Automatically.
- Clear the Profile the host automatically option and click OK.
- In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
When you disable auto-profiling for a host, the management console:
- Leaves the "questusr" and the corresponding "questgrp" accounts on the host, if they were previously created.
- Leaves questusr as an implicit member of questgrp, if it exists.
- Removes the user account (the "questusr" or your existing user account) from the cron.allow file.
- Removes the auto-profile SSH key from that user's authorized_keys file.
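The cron.allow / cron.deny decision table in Configuring automatic profiling, and the reversal performed by the disable step above, are modelled in the following shell script. It is an added example, not One Identity's code: the directory passed to each function is constructed and stands in for wherever the platform keeps cron.allow and cron.deny, and the Result column is implemented exactly as the table states it.

```shell
#!/bin/sh
# Added example, not the product's own code: the cron.allow / cron.deny decision
# table from "Configuring automatic profiling", plus the reversal performed when
# auto-profiling is disabled. The directory argument is a constructed stand-in for
# the platform's real location of cron.allow and cron.deny.

# Which row of the table applies: create | none | add
cron_access_action() {
    dir="$1"
    if [ -f "$dir/cron.allow" ]; then
        echo add          # cron.allow exists (cron.deny may or may not)
    elif [ -f "$dir/cron.deny" ]; then
        echo none         # cron.deny only: leave both files alone
    else
        echo create       # neither file: create cron.allow with root and the account
    fi
}

# Enable: apply the row's Action column for the given service account.
grant_cron_access() {
    dir="$1"; user="$2"
    case "$(cron_access_action "$dir")" in
        create) printf '%s\n%s\n' root "$user" > "$dir/cron.allow" ;;
        add)    if ! grep -Fqx "$user" "$dir/cron.allow"; then
                    echo "$user" >> "$dir/cron.allow"
                fi ;;
        none)   : ;;
    esac
}

# Disable: remove the account from cron.allow, keeping every other entry.
revoke_cron_access() {
    dir="$1"; user="$2"
    if [ ! -f "$dir/cron.allow" ]; then
        return 0
    fi
    grep -Fvx "$user" "$dir/cron.allow" > "$dir/cron.allow.tmp" || true
    mv "$dir/cron.allow.tmp" "$dir/cron.allow"
}

# The table's Result column: does the account end up able to use cron?
# cron.allow, if present, must list the account; cron.deny, if present, must not.
cron_access_granted() {
    dir="$1"; user="$2"
    if [ -f "$dir/cron.allow" ]; then
        if ! grep -Fqx "$user" "$dir/cron.allow"; then
            return 1
        fi
    fi
    if [ -f "$dir/cron.deny" ]; then
        if grep -Fqx "$user" "$dir/cron.deny"; then
            return 1
        fi
    fi
    return 0
}
```

Two points worth checking on a real host after enabling auto-profiling: in the "cron.deny only" row the console creates nothing, so a questusr entry already present in cron.deny will silently block the five-minute job, and the disable step removes only the questusr line from cron.allow, so any other entries (including root) are left as they were.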