Credentials You Must Have to Access UNIX and Linux Computers
Updated: March 10, 2017
Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager
This topic describes how you use credentials to install, maintain, upgrade, and uninstall agents.
Credentials for Installing Agents
Operations Manager uses the Secure Shell (SSH) protocol to install an agent and Web Services for Management (WS-Management) to discover previously installed agents. Installation requires a privileged account on the UNIX or Linux computer. There are two ways to provide credentials to the targeted computer, as obtained by the Computer and Device Management Wizard:
Specify a user name and password.
The SSH protocol uses the password to install an agent or the WS-Management protocol if the agent was already installed by using a signed certificate.
Specify a user name and an SSH key. The key can include an optional passphrase.
If you are not using the credentials for a privileged account, you can provide additional credentials so that your account becomes a privileged account through elevation of privilege on the UNIX or Linux computer.
The installation is not completed until the agent is verified. Agent verification is performed by the WS-Management protocol that uses credentials maintained on the management server, separate from the privileged account that is used to install the agent. You are required to provide a user name and password for agent verification if you have done one of the following:
Provided a privileged account by using a key.
Provided an unprivileged account to be elevated by using sudo with a key.
Ran the wizard with the Discovery Type set to Discover only computers with the UNIX/Linux agent installed.
Alternatively, you can install the agent, including its certificate, manually on the UNIX or Linux computer and then discover that computer. This method is the most secure way to install agents. For more information, see Install Agent and Certificate on UNIX and Linux Computers Using the Command Line.
Credentials for Monitoring Operations and Performing Agent Maintenance
Operations Manager contains three predefined profiles to use in monitoring UNIX and Linux computers and performing agent maintenance:
UNIX/Linux action account
This profile is an unprivileged account profile that is required for basic health and performance monitoring.
UNIX/Linux privileged account
This profile is a privileged account profile used for monitoring protected resources such as log files.
UNIX/Linux maintenance account
This profile is used for privileged maintenance operations, such as updating and removing agents.
In the UNIX and Linux management packs, all the rules, monitors, tasks, recoveries, and other management pack elements are configured to use these profiles. Consequently, there is no requirement to define additional profiles by using the Run As Profiles Wizard unless special circumstances dictate it. The profiles are not cumulative in the scope. For example, the UNIX/Linux maintenance account profile cannot be used in place of the other profiles simply because it is configured by using a privileged account.
In Operations Manager, a profile cannot function until it is associated with at least one Run As account. The credentials for accessing the UNIX or Linux computers are configured in the Run As accounts. Because there are no predefined Run As accounts for UNIX and Linux monitoring, you must create them.
To create a Run As account, you must run the UNIX/Linux Run As Account Wizard that is available when you select UNIX/Linux Accounts in the Administration workspace. The wizard creates a Run As account based on the choice of a Run As account type. There are two Run As account types:
Monitoring account
Use this account for ongoing health and performance monitoring in operations that communicate by using WS-Management.
Agent maintenance account
Use this account for agent maintenance such as updating and uninstalling in operations that communicate by using SSH.
These Run As account types can be configured for different levels of access according to the credentials that you supply. Credentials can be unprivileged or privileged accounts or unprivileged accounts that will be elevated to privileged accounts. The following table shows the relationships between profiles, Run As accounts, and levels of access.
Profiles | Run As account type | Allowable Access Levels |
---|---|---|
UNIX/Linux action account | Monitoring account | - Unprivileged - Privileged - Unprivileged, elevated to privileged |
UNIX/Linux privileged account | Monitoring account | - Privileged - Unprivileged, elevated to privileged |
UNIX/Linux maintenance account | Agent maintenance account | - Privileged - Unprivileged, elevated to privileged |
Note that there are three profiles, but only two Run As Account types.
When you specify a Monitoring Run As Account Type, you must specify a user name and password for use by the WS-Management protocol. When you specify an Agent Maintenance Run As Account Type, you must specify how the credentials are supplied to the targeted computer by using the SSH protocol:
Specify a user name and a password.
Specify a user name and a key. You can include an optional passphrase.
After you created the Run As accounts, you must edit the UNIX and Linux profiles to associate them with the Run As accounts you created. For detailed instructions, see How to Configure Run As Accounts and Profiles for UNIX and Linux Access.
Credentials for Upgrading and Uninstalling Agents
The UNIX/Linux Agent Upgrade Wizard and the UNIX/Linux Agent Uninstall Wizard provide credentials to their targeted computers. The wizards first prompt you to select the targeted computers to upgrade or uninstall, followed by options on how to provide the credentials to the targeted computer:
Use existing associated Run As Accounts
Select this option to use the credentials associated with the UNIX/Linux action account profile and the UNIX/Linux maintenance account profile.
The wizard alerts you if you or more of the selected computers do not have an associated Run As account in the required profiles, in which case you must go back and clear those computers that do not have an associated Run As account, or use the other option.
Specify credentials
Select this option to specify Secure Shell (SSH) credentials by using a user name and password or a user name and a key. You can optionally provide a passphrase with a key. If the credentials are not for a privileged account, you can have them elevated to a privileged account on the target computered by using the UNIX su or sudo elevation programs. The ‘su’ elevation requires a password. If you use sudo elevation, you are prompted for a user name and password for agent verification by using an unprivileged account.
For more information about upgrading and uninstalling, see Upgrading and Uninstalling Agents on UNIX and Linux Computers.
Important Security Considerations
The Operations Manager Linux/UNIX agent uses the standard PAM (Pluggable Authentication Module) mechanism on the Linux or UNIX computer to authenticate the user name and password specified in the Action Profile and Privilege Profile. Any user name with a password that PAM authenticates can perform monitoring functions, including running command lines and scripts that collect monitoring data. Such monitoring functions are always performed in the context of that user name (unless sudo elevation is explicitly enabled for that user name), so the Operations Manager agent provides no more capability than if the user name were to login to the Linux/UNIX system.
However, the PAM authentication used by the Operations Manager agent does not require that the user name have an interactive shell associated with it. If your Linux/UNIX account management practices include removing the interactive shell as a way to pseudo-disable an account, such removal does not prevent the account from being used to connect to the Operations Manager agent and perform monitoring functions. In these cases, you should use additional PAM configuration to ensure that these pseudo-disabled accounts do not authenticate to the Operations Manager agent.
See Also
How to Set Credentials for Accessing UNIX and Linux Computers
Accessing UNIX and Linux Computers in Operations Manager
How to Configure sudo Elevation and SSH Keys
Required Capabilities for UNIX and Linux Accounts
Configuring SSL Ciphers