SSH Connector

The SSH connector is an implementation of the Scripted Groovy Connector Toolkit, and is based on Java Secure Channel (JSch) and the Java implementation of the Expect library (Expect4j). This connector lets you interact with any SSH server, using Groovy scripts for the ICF operations.

The SSH connector is a poolable connector. This means that each connector instance is placed into a connection pool every time an action is completed. Subsequent actions can re-use connector instances from the connector pool. When a new connector instance is created, a new SSH client connection is created against the target SSH server. This SSH connection remains open as long as the connector instance is in the connection pool. Note that when a new action is performed, it finds the SSH connection in the exact state that it was left by the previous action.

The following image shows the relationship between SSH connector instances and SSH connections to the target server:

ssh-connector

Configure Authentication to the SSH Server

The SSH connector authenticates to the SSH server using either a login/password or a public/private key. The authentication method is specified in the authenticationType property in the connector configuration.

Authenticate with a login and password

To authenticate with a login and password, set the authenticationType to PASSWORD in the connector configuration file, and set a user and password. For example:

"configurationProperties" : {
    ...
    "authenticationType" : "PASSWORD",
    "user" : "<USERNAME>",
    "password" : "<PASSWORD>",
    ...

+ The password is encrypted when Identity Cloud loads the provisioner file.

Authenticate with a passphrase and private key

To authenticate with a secure certificate, generate a pair of public/private keys. Install the public key on the server side and the private key on the Identity Cloud host (where the connector is located). Set the authenticationType to PUBKEY in the connector configuration file and set the user, password, passphrase and privateKey properties. For example:

"configurationProperties" : {
    ...
    "authenticationType" : "PUBKEY",
    "user" : "<USERNAME>",
    "password" : "<PASSWORD>",
    "passphrase" : "secret",
    "privateKey" : ["-----BEGIN DSA PRIVATE KEY-----",
              "MIIBugIBAAKBgQDcB0ztVMCFptpJhqlLNZSdN/5cDL3S7aOVy52Ae7vwwCqQPCQr",
              "6NyUk+wtkDr07NlYd3sg7a9hbsEnlYChsuX+/WUIvbOKdMfeqcQ+jKK26YdkTCGj",
              "g86dBj9JYhobSHDoQ9ov31pYN/cfW5BAZwkm9TdpEjHPvMIaOxx7GPGKWwIVALbD",
              "CEuf1yJk9UB7v0dmJS7bKkbxAoGARcbAuDP4rB6MsgAAkVwf+1sHXEiGPShYWrVV",
              "qBgCZ/S45ELqUuiaN/1N/nip/Cc/0SBPKqwl7o50CUg9GH9kTAjmXiwmbkwvtUv+",
              "Xjn5vCHS0w18yc3rGwyr2wj+D9KtDLFJ8+T5HmsbPoDQ3mIZ9xPmRQuRFfVMd9wr",
              "DY0Rs7cCgYAxjGjWDSKThowsvOUCiE0ySz6tWggHH3LTrS4Mfh2t0tnbUfrXq2cw",
              "3CN+T6brgnpYbyX5XI17p859C+cw90MD8N6vvBxaN8QMDRFk+hHNUeSy8gXeem9x",
              "O0vdIxCgKvA4dh5nSVb5VGKENEGNEHRlYxEPzbqlPa/C/ZvzIvdKXQIUQMoidPFC",
              "n9z+mE2dAADnPf2m9vk=",
              "-----END DSA PRIVATE KEY-----"
             ],
    ...

+ The default value for the passphrase property is null. If you do not set a passphrase for the private key, the passphrase value must be equal to an empty string.

+ You must set a value for the password property, because the connector uses sudo to perform actions on the SSH server.

+ The private key (PEM certificate) must be defined as a JSON String array.

+ The values of the passphrase, password and privateKey are encrypted when Identity Cloud loads the provisioner file.

Configure the SSH Connector

You cannot configure the SSHL connector through the UI. Configure the connector over REST, as described in Configure Connectors Over REST.

Set the authentication properties, as described in Configure Authentication to the SSH Server. In addition, set at least the following properties:

host

Specify the hostname or IP address of the SSH server.

port

Set the port on which the SSH server listens.

Default: 22

user

The username of the account that connects to the SSH server.

This account must be able to ssh into the server, with the password provided in the next parameter.

password

The password of the account that is used to connect to the SSH server.

prompt

A string representing the remote SSH session prompt. This must be the exact prompt string, in the format username@target:, for example admin@myserver:~$ . Include any trailing spaces.

This list describes the required configuration properties of the SSH connector. You can generally use the default values. For a list of all the configuration properties, see [connector-reference:].

sudoCommand

A string that shows the full path to the sudo command, for example /usr/bin/sudo.

echoOff

If set to true (the default), the input command echo is disabled. If set to false, every character that is sent to the server is sent back to the client in the expect() call.

terminalType

Sets the terminal type to use for the session. The list of supported types is determined by your Linux/UNIX system. For more information, see the terminfo manual page (man terminfo).

Default: vt102

setLocale

If set to true, indicates that the default environment locale should be changed to the value of the locale property.

Default: false

locale

Sets the locale for the LC_ALL, LANG and LANGUAGE environment variables, if setLocale is set to true.

Default: en_US.utf8

connectionTimeout

Specifies the connection timeout to the remote server, in milliseconds.

Default: 5000

expectTimeout

Specifies the timeout used by the expect() calls in scripts, in milliseconds.

Default: 5000

authenticationType

Sets the authentication type, either PASSWORD or PUBKEY. For more information, see Configure Authentication to the SSH Server.

Default: PASSWORD

throwOperationTimeoutException

If true, the connector throws an exception when the expectTimeout is reached for an operation. Otherwise, the operation fails silently.

Default: true

scriptRoots

The path to the Groovy scripts that will perform the ICF operations, relative to your Identity Cloud installation directory. The sample connector configuration expects the scripts in project-dir/tools, so this parameter is set to &{idm.instance.dir}/tools in the sample configuration.

classpath

The directory in which the compiler should look for compiled classes. The default classpath, if not is specified, is install-dir/lib.

*ScriptFileName

The name of the Groovy script that is used for each ICF operation.

OpenICF Interfaces Implemented by the SSH Connector

The SSH Connector implements the following OpenICF interfaces. For additional details, see ICF Interfaces:

Authenticate

Provides simple authentication with two parameters, presumed to be a user name and password.

Create

Creates an object and its <literal>uid</literal>.

Delete

Deletes an object, referenced by its <literal>uid</literal>.

Resolve Username

Resolves an object by its username and returns the uid of the object.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script arguments passed in by the application.

Script on Resource

Runs a script on the target resource that is managed by this connector.

Search

Searches the target resource for all objects that match the specified object class and filter.

Sync

Polls the target resource for synchronization events, that is, native changes to objects on the target resource.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

SSH Connector Configuration

The SSH Connector has the following configurable properties:

Configuration Properties

Property Type Default Encrypted(1) Required(2)

customSensitiveConfiguration

GuardedString

null

Yes

No

Description is not available

createScriptFileName

String

null

Description is not available

targetDirectory

File

null

No

Description is not available

customizerScriptFileName

String

null

No

Description is not available

warningLevel

int

1

No

Description is not available

authenticateScriptFileName

String

null

Description is not available

scriptExtensions

String[]

['groovy']

No

Description is not available

scriptOnResourceScriptFileName

String

null

Description is not available

minimumRecompilationInterval

int

100

No

Description is not available

deleteScriptFileName

String

null

Description is not available

scriptBaseClass

String

null

No

Description is not available

scriptRoots

String[]

null

Yes

Description is not available

customConfiguration

String

null

No

Description is not available

resolveUsernameScriptFileName

String

null

Description is not available

searchScriptFileName

String

null

Description is not available

tolerance

int

10

No

Description is not available

updateScriptFileName

String

null

Description is not available

debug

boolean

false

No

Description is not available

classpath

String[]

[]

No

Description is not available

disabledGlobalASTTransformations

String[]

null

No

Description is not available

schemaScriptFileName

String

null

Description is not available

verbose

boolean

false

No

Description is not available

testScriptFileName

String

null

Description is not available

sourceEncoding

String

UTF-8

No

Description is not available

syncScriptFileName

String

null

Description is not available

recompileGroovySource

boolean

false

No

Description is not available

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

    [[basic-configuration-properties-properties-org-forgerock-openicf-connectors-ssh-SSHConnector-1.5.20.2]]
== Basic Configuration Properties Properties
Property Type Default Encrypted(1) Required(2)

host

String

null

Yes

The hostname to connect to

port

int

22

Yes

TCP port to use (defaults to 22)

user

String

null

Yes

The user name used to login to remote server

password

GuardedString

null

Yes

No

The password used to login to remote server

passphrase

GuardedString

null

Yes

No

The passphrase used to read the private key when using Public Key authentication

privateKey

String[]

[]

Yes

No

The base 64 encoded value (PEM) of the private key used for Public Key authentication

authenticationType

String

PASSWORD

Yes

Defines which authentication type should be use: PASSWORD or PUBKEY (defaults to PASSWORD)

prompt

String

`root@localhost:# `

Yes

A string representing the remote SSH session prompt (defaults to root@localhost:# )

sudoCommand

String

/usr/bin/sudo

Yes

A string representing the sudo command (defaults to /usr/bin/sudo)

echoOff

boolean

true

Yes

Disable the input command echo (default to true)

terminalType

String

vt102

Yes

Defines the terminal type to use for the session (default to vt102)

locale

String

en_US.utf8

Yes

Define the locale for LC_ALL, LANG and LANGUAGE environment variables to use if setLocale=true

setLocale

boolean

false

Yes

Defines if the default environment locale should be changed with the value provided for locale (defaults to false)

connectionTimeout

int

5000

Yes

Defines the connection timeout to the remote server in milliseconds (default to 5000)

expectTimeout

long

5000

Yes

Defines the timeout used by the expect() calls in the scripts in milliseconds (default to 5000)

throwOperationTimeoutException

boolean

true

Yes

Defines if an OperationTimeoutException should be thrown if any call to expect times out (defaults to true)

promptReadyTimeout

long

20

No

Defines the "prompt ready" timeout for the promptReady() command in milliseconds (default to 20)

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.