Secure Shell (SSH)

Puppet Discovery provides two authentication methods for use with SSH: username and password using negotiated encryption, and private key files using asymmetric encryption.

CAUTION: For dual-factor authentication with discovered remote hosts, it's recommended that you use SSH private key files and include a username and passphrase for each file. Using an SSH private key file, rather than an SSH username and password, is considered more secure against potential compromises on remote hosts because the password is not sent over the network. For more information, see Adding SSH private key files.
When using SSH authentication to discover resources running on Linux hosts, there are a number of prerequisites:
  • To install the Puppet agent on target hosts, your SSH credentials must be for the root account.

    Note: When adding SSH credentials for non-root users, enable the option to escalate privileges to root with sudo. Privilege escalation occurs if the first attempt to run a task fails when using non-root privileges. See Adding SSH private key files or Adding SSH username and password.
  • To discover containers, your SSH credentials must be for the root account or an account that is a member of the Docker group. For more information, see managing Docker.

Adding SSH private key files

Upload an SSH private key file to discover resources and resource instances, and to run tasks on your Linux hosts.

  1. Select Settings > Add credentials, and then click SSH private key file.
  2. On the Upload your SSH private key file page, click Browse, select your files, and then click Open.
  3. Click Configure keys to continue to the Your SSH private key files page.
    Tip: When multiple private key files are uploaded, click each key file accordion to display the user input fields for each file.
  4. In the Name field, enter a unique and descriptive name.
  5. Assign one scope, or both scopes, to the SSH credential:
    • Discover data on hosts: This credential scope is valid only for discovering resources on your Linux hosts.

    • Run tasks on target hosts: This credential is valid only for running tasks on your Linux hosts. When this individual scope is selected, no attempts are made to discover resources.

      • Escalate privileges to root: When required to run tasks on target hosts, use sudo to escalate non-root account privileges to root. Privilege escalation occurs if the first attempt to run a task fails when using non-root privileges.

        Important: The user must be configured with passwordless sudo to escalate privileges to root. To do so, add the entry <user name> ALL=(ALL) NOPASSWD:ALL to the sudoers configuration on the target host.
  6. In the Username field, enter your SSH username.
  7. In the Passphrase field, enter your SSH passphrase, or leave it blank if your key is not encrypted.
  8. Click Add keys.

Adding SSH username and password

SSH username and password are used to discover resources and resource instances, and to run tasks on your Linux hosts.

  1. Select Settings > Add credentials, and then click SSH credential.
  2. In the Name field, enter a unique and descriptive name.
  3. Assign one scope, or both scopes, to the SSH credential:
    • Discover data on hosts: This credential scope is valid only for discovering resources on your Linux hosts.

    • Run tasks on target hosts: This credential is valid only for running tasks on your Linux hosts. No attempts are made to discover resources.

      • Escalate privileges to root: When required to run tasks on target hosts, use sudo to escalate non-root account privileges to root. Privilege escalation occurs if the first attempt to run a task fails when using non-root privileges.

        Important: The user must be configured with passwordless sudo to escalate privileges to root. To do so, add the entry <user name> ALL=(ALL) NOPASSWD:ALL to the sudoers configuration on the target host.
  4. In the Username field, enter your SSH username.
  5. In the Password field, enter your SSH password, and then click Add credential.
