Remote Password Reset Using SSH Command Sets
- Overview
- How SSH Command Sets work in PAM360
- Supported resource types
- Steps to configure SSH Command Sets for custom resource types
- Adding a custom resource type and mapping Command Sets to it
- Adding a new resource and mapping it to the resource type
- Adding accounts to the resource
- Configuring remote password reset
- Applying Command Sets to accounts in bulk
1. Overview
PAM360 supports automatic remote password reset for a wide range of commonly-used resource types such as Windows local accounts, Windows domain accounts, Linux root accounts, etc. For custom devices that allow SSH connections, PAM360 provides SSH command sets option through which you can add the password reset commands used in the command-line interface of your resource type directly to the PAM360 web interface, without the need for a CLI terminal.
PAM360 offers a default set of basic commands that you can use right away; alternatively, you can add your own commands, arrange them in the order of execution, and combine them into a new command set. This way, you'll be able to add accounts that have varying password authentication methods but fall under a single custom resource type. For example, Linux resources have different password authentication flows for root passwords and regular user passwords; similarly, Cisco devices support five different types of users. In such cases, you will be able to add any number of custom commands and specify the order in which they are to be executed.
Note: While all Administrators can view the SSH command sets, only the Privileged Administrators will be able to add, edit, modify, and delete the commands and the command sets.
2. How SSH Command Sets Work in PAM360
To create your own set of commands in PAM360 and ensure they work as expected, you must follow the flow given below:
- Create one or more command sets
1.1 Choose from the existing commands or add your custom commands.
1.2 Combine commands in the correct sequence of execution and create a command set.
- Add a custom resource type in PAM360 in case of devices that are not supported by PAM360.
- Map one or more command sets to the custom resource type.
- Add a new resource and map it to the custom resource type.
- Create accounts in the new resource and map an individual command set to each account.
3. Supported Resource Types
You can configure remote password reset for the following SSH-based resource types using SSH Command Sets. In addition, you can also add custom commands and configure remote password reset for other SSH-based devices that are not included in this list.
- Aruba ATP
- ASA Firewall
- Audiocode
- AVAYA-GW
- Brocade
- Brocade VDX
- Brocade SAN Switch
- Checkpoint Firewall
- Cisco Management Integration Center
- Cisco Catalyst
- Cisco Nexus OS
- Cisco SG300
- Cisco UCS
- Cisco Wireless LAN Controller
- Citrix Netscaler SDX
- Citrix Netscaler VPX
- Dell IDRAC
- Extreme Networks
- F5
- Fortinet
- FortiGate Firewall
- Fortimail
- FortiManager-FortiAnalyzer
- Fujitsu Switch
- Gigamon
- H3C
- HMC
- HP Printer
- HP Onboard Administrator
- HPUX
- HP Virtual Connect
- HPE StoreOnce
- Huawei
- Juniper Netscreen ScreenOS
- JunOS
- Mac OS
- Magento
- Mikrotik
- Netapp 7Mode
- Netapp CDot
- Nimble Storage
- Nortel
- OpenGear
- Orange Firewall
- Palo Alto Networks
- Pfsense
- Routerboard
- Ruijie
- Sonicwall
- TPLINK
- VMWare VCenter, VMWare ESXi
- Linux
- IBM AIX
- Solaris
4. Steps to Configure SSH Command Sets for Custom Resource Types
Follow the below steps to add or delete new commands to PAM360 and create a new command set.
4.1 Adding Custom Commands
- Navigate to Admin >> Customization >> SSH Command Sets.
- Under the SSH Commands section, there are other default commands ready to use. You can pick the required commands from the list and create a new command set for your resource type.
- To add new commands for your custom resource, click the Add Commands option and enter the Command Name, Command, the appropriate prompt, a short description, a timeout period in seconds and click Save.
- The Command entered must be of the format specified in the tool tip below. Refer to the tooltip text for examples.
- The Command Prompt entered must be the same as in your CLI. For example, if the prompt in the device is a colon and a space, then it should be entered here as such ": " (without quotes).
- The Timeout period denotes the amount of time for which the system awaits for an input.
4.1.1 Deleting Commands
- To delete an existing command, click the delete icon beside the command under Actions.
- To delete multiple commands at once, select the commands and click the Delete Command option at the top.
Note:
- Default commands cannot be edited or deleted.
- Custom commands that are already associated with a resource type cannot be deleted.
- While deleting commands in bulk, in case you select a default command or a custom command that is already in use, those commands will be excluded and the rest will be deleted. Details of this operation will be registered in the Audit logs.
4.2 Creating a Command Set
- Once you have added your custom commands to PAM360, go to the SSH Command Sets section to create your command set.
- Click the Add command set option. In the Add command set dialog box, add a name and a description for your command set.
- The default commands and the custom commands you have added will be listed in the Command Name box.
- On the right, you will find two sections: Verify SSH Command Sequence and Reset Command Sequence.
4.2.1 Verify SSH Command Sequence
- Hover your mouse over a command in the Command Name box and you will see two options: Verify and Reset.
- Click Verify to move the commands into the Verify SSH Command Sequence box. Drag the commands to re-order them into the correct sequence. This is the command sequence that is to be carried out to verify the integrity of the password i.e., check if the password of an account is in sync with the one stored in PAM360.
- Click Save. A new verify password command set will be added to PAM360.
- Once this command set is associated with an account and remote password reset is configured for the resource it belongs to, the password verification check will be carried out in given sequence.
4.2.2 Reset Command Sequence
- Hover your mouse over a command in the Command Name box and you will see two options: Verify and Reset.
- Click Reset to move the commands into the Reset Command Sequence box. Place the commands in the correct sequence and click Save. A new command set will be added to PAM360.
- Once this command set is associated with an account and remote password reset is configured for the resource it belongs to, the password reset will be carried out in given sequence.
5. Adding a Custom Resource Type and Mapping Command Sets to It
Once your command sets are created, follow the below steps to create a custom resource type and map the command sets to it:
- Navigate to the Resources tab >> Resource Types and click Add.
- Enter a name and browse for an icon of your choice. This icon image will be displayed under Type in the Resources tab.
- Under the General section, select the Resource and Account Attributes for the resource type.
- In the Advanced section, select SSH Command Sets. Default and custom command sets will be listed under this option.
- Choose any by clicking on the names of the command sets. You can assign multiple command sets to one resource type.
- Once you have selected the required command sets, click Save. Now, the new resource type will be added to the list of resource types in PAM360.
6. Adding a New Resource and Mapping it to the Resource Type
Follow the below steps to add a new resource which can be mapped to the newly-created resource type:
- Navigate to the Resources tab >> Add Resource >> Add Manually.
- Enter the Resource Name, DNS Name, and choose the new resource type from the Resource Type drop down under Others.
- Click Save and Proceed to continue adding accounts to the resource.
7. Adding Accounts to the Resource
- In the Add Accounts dialog box, enter the User Account name, Password, and Password Policy.
- The SSH Command Sets drop down will display all the command sets mapped to this resource type. Pick a command set from the drop down, click Add and Save.
- The selected command set will be mapped to the account.
- You can add multiple accounts and map command sets to each account in the same way.
Note: The user account credentials provided here must be valid for the Verify and Reset command sets to work as expected.
8. Configuring Remote Password Reset
Once the command set is mapped to an account, follow the below steps to configure remote password reset and select a root account, if applicable.
- Navigate to the Resources tab.
- Click the Resource Actions icon beside the required resource and click Configure Remote Password Reset.
- Select the Remote Login Method and Remote Login Account as required. Fill in the other details such as User Mode Prompt, Configuration Mode Prompt.
- Click Save to save the changes.
Click here to read more about Remote Password Reset.
9. Applying Command Sets to Accounts in Bulk
Follow the below steps to apply a single command set to multiple accounts within a single resource:
- Navigate to the Resources tab and click any resource name. A list of all the accounts associated with that resource will be displayed.
- Select the accounts for which you want to apply a command set, and click Apply Command Set in Bulk from the top.
- In the Apply Command Set in Bulk pop-up form, choose the required command set from the drop down and click Save.
- The chosen command set will be applied to all the selected accounts, overriding their previous command set configuration, if any.