Targeting the AIX Server system

For each AIX Server system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):

  • Type is

    • Generic AIX Server (SSH) (known as AIX Server NewGen (SSH) in Connector Pack 4.5)

      Or

    • AIX Server (SSH) (Legacy) (known as AIX Server (SSH) in Connector Pack 4.5 or earlier).

  • Address uses options described in the table below.

The full list of target parameters is explained in Target system options.

Table 1. AIX Server (SSH) address configuration

Each entry below gives the option name as shown in the Address section, its description, and its configuration key. Options marked (required) are required.

Script file (required)

Must be set to agtaix.py (Generic AIX Server (SSH)) or agtaix.psl (AIX Server (SSH) (Legacy)).

(key: script)

Server (required)

The IP address/domain name of the AIX Server.

(key: server)

Enable SSH public and authorized key discovery

Default is false; select this option to list all SSH public and authorized keys on the server.

SSH key files must be in OpenSSH format and must be smaller than 100,000 KB (by default) in order to be listed. To change the file size limit, modify the maximum file size to parse in unix-sshkey.psl.

(key: discoverkeys)

Privilege escalation type

Select one of:

  • Use ’sudo’ as privileged escalation: the credentials of the target administrator are used to run the sudo command. Ensure that this user is defined in the /etc/sudoers file. If the sudo password is configured to be different from the log-in password, add another set of credentials for sudo and select the System password option; the Administrator ID can be arbitrary. This is the default setting.

  • Use ’su’ as privileged escalation: in addition to the credentials of the target administrator, you must specify another set of credentials for the built-in "root" account and select the System password option for this account. These credentials are used to run the su command.

  • Use ’dzdo’ as privileged escalation: available if a dzdo package exists for your target operating system and has been installed. When this option is selected for a Centrify system, the credentials of the target administrator are used to run the ’dzdo’ command in the same manner as the ’sudo’ command. Ensure that this user has role-based access rights for zones stored in Active Directory.

  • No privileged escalation: operations are performed without elevated privileges.

(key: privEscType)

Advanced options

Port

TCP port number. Default is 22.

(key: port)

Compression

Select to enable data compression for SSH connections. Default is false.

(key: compression)

Action for host keys

Select AllowAppend (default) or DenyUnmatch. For new targets, AllowAppend is recommended.

AllowAppend connects to SSH hosts whose public host keys have been previously recorded and have not been changed, and to SSH hosts whose keys have not been previously recorded. It will reject SSH hosts whose keys were previously recorded but have changed.

DenyUnmatch only connects to SSH hosts whose public host keys have been previously recorded and have not been changed. It will reject SSH hosts whose keys have not been previously recorded or were previously recorded but have changed.

(key: hostkeys)

Host keys file

Specify the name of the public host key file. It must be located in the <instance>\script\ directory.

The file consists of a KVGroup with one entry per host, containing the host information as the key and the host key as the value. This information can be extracted from the PuTTY registry entries (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys), where "Name" corresponds to the key and "Data" corresponds to the value.

(key: file)
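The AllowAppend and DenyUnmatch behaviour described above, as an added example that is not Bravura's own code: the recorded keys are held in a plain dict keyed by an assumed "host:port" label rather than in the KVGroup host keys file, whose format is not reproduced here.

```python
import hmac

# Added example (not Bravura's code): models the two "Action for host keys"
# policies. The store is a dict here; the connector reads the KVGroup file.
ALLOW_APPEND = "AllowAppend"
DENY_UNMATCH = "DenyUnmatch"


def host_key_decision(recorded, host, presented_key, policy):
    """Return (accept, reason) for a connection to `host` offering `presented_key`.

    `recorded` maps a host label (assumed "host:port") to its known public key
    and is updated in place when AllowAppend records a first-seen host.
    """
    if policy not in (ALLOW_APPEND, DENY_UNMATCH):
        raise ValueError(f"unknown host key action: {policy!r}")
    known = recorded.get(host)
    if known is None:
        if policy == ALLOW_APPEND:
            recorded[host] = presented_key        # trust on first use, then pin
            return True, "host not previously recorded; key appended"
        return False, "host not previously recorded; DenyUnmatch refuses it"
    # Both policies reject a key that differs from the recorded one: this is
    # the case that signals a rebuilt host or an interposed third party.
    if hmac.compare_digest(known.encode(), presented_key.encode()):
        return True, "host key matches recorded key"
    return False, "host key CHANGED from recorded value; connection refused"


def demo():
    """Constructed sample store and connection attempts; returns the decisions."""
    recorded = {"aix01.example.com:22": "ssh-ed25519 AAAAC3...aix01"}  # constructed
    return [
        host_key_decision(recorded, "aix01.example.com:22", "ssh-ed25519 AAAAC3...aix01", DENY_UNMATCH),
        host_key_decision(recorded, "aix02.example.com:22", "ssh-ed25519 AAAAC3...aix02", DENY_UNMATCH),
        host_key_decision(recorded, "aix02.example.com:22", "ssh-ed25519 AAAAC3...aix02", ALLOW_APPEND),
        host_key_decision(recorded, "aix01.example.com:22", "ssh-ed25519 AAAAC3...other", ALLOW_APPEND),
    ]
```

The fourth attempt is the one both policies must refuse; only the second differs between them, which is why AllowAppend is the practical choice for onboarding new targets and DenyUnmatch for a store that is already complete.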

Authentication key file

This attribute can be set to the administrator’s private key file. The key must have a passphrase assigned, which is entered in the credential password field. Managing this passphrase is not supported.

(key: authkey)

Timeout for connection

The amount of time the connector waits for a response.

(key: timeout)

Enable SSH v1?

Select to allow SSH connections using SSH protocol version 1. Protocol version 1 is obsolete; leave this option off unless a legacy host cannot negotiate version 2.

(key: enable_ssh_1)

Enter the filenames (comma delimited) to get the public keys from. Must be in the user’s /.ssh directory

The public key files to list from the server. Default is "id_rsa.pub,id_dsa.pub".

(key: pubkeyfiles)

Delete all matching keys upon access revocation

Default is true; deselect this option to remove only one copy of the specified public key upon access revocation.

(key: delallkeys)

Calculate SHA1 hashes of discovered public and authorized keys

Default is true, deselect this option to turn off calculation of hashes for public and authorized keys.

(key: makekeyhashes)
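The discovery options above (the file size limit for OpenSSH-format key files, and the SHA1 hashes of discovered keys) as an added example that is not the connector's own code: the function names and result layout are assumptions, the 100,000 KB default is taken from the page, and the key material is a constructed ed25519-shaped blob rather than a real key.

```python
import base64
import binascii
import hashlib

# Added example (not the connector's code). Oversized files are skipped, each
# OpenSSH-format line (optionally prefixed by authorized_keys options) is
# parsed, and a SHA1 hash of the decoded key blob is recorded.
MAX_KEY_FILE_BYTES = 100_000 * 1024          # page default: 100,000 KB
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_openssh_key_line(line):
    """Return (keytype, blob, comment) or None if `line` holds no OpenSSH key.

    A quoted option whose value itself begins with a key-type prefix is not handled.
    """
    tokens = line.strip().split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except binascii.Error:
                return None                     # key-type word but no valid blob
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def discover_keys(files, max_bytes=MAX_KEY_FILE_BYTES):
    """`files` maps a file name to its text; files over `max_bytes` are not listed."""
    found = []
    for name, text in files.items():
        if len(text.encode()) > max_bytes:
            continue
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            parsed = parse_openssh_key_line(line)
            if parsed:
                ktype, blob, comment = parsed
                found.append({"file": name, "type": ktype, "comment": comment,
                              "sha1": hashlib.sha1(blob).hexdigest()})
    return found


def sample_files():
    """Constructed inputs: a key file, an authorized_keys with options, an oversized file."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))  # not a real key
    b64 = base64.b64encode(blob).decode()
    return {"id_ed25519.pub": f"ssh-ed25519 {b64} user@aix01\n",
            "authorized_keys": f'command="/usr/bin/passwd" ssh-ed25519 {b64} psadmin\nnot a key\n',
            "huge.pub": "x" * 5000}
```

Calling discover_keys(sample_files(), max_bytes=4096) lists the two ed25519 entries with identical SHA1 values and silently drops huge.pub, which is the behaviour to expect when a real key file exceeds the configured limit.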

Unprivileged and password management operations only

The passwdAccessOnly option is useful for Bravura Pass and Bravura Privilege implementations where only passwords on Unix systems need to be managed.

When configuring for passwdAccessOnly with sudo escalation, the sudoers file can be restricted down to one command: /usr/bin/passwd. With this authorization, the AIX connectors can list the accounts and administratively reset user passwords.

The sudoers entry would look something like the following example for the psadmin user (one line):

psadmin ALL=(ALL) /usr/bin/passwd,/usr/bin/pwdadm,/usr/sbin/lsuser

(key: passwdAccessOnly)

Max read timeout

The maximum time the connector spends reading data. Default is 6 seconds.

(key: maxReadTimeout)

Max write timeout

The maximum time the connector spends writing data. Default is 20 seconds.

(key: maxWriteTimeout)

Max read size

The maximum data read size. Default is 16384 characters.

(key: maxReadSize)

Max read lines

The maximum number of lines to read. Default is 50000 lines.

(key: maxReadLines)

Trace Logging

Provides detailed multiline logging for connectors. Default is None. Other options include Low, Medium, and High.

(key: trace)

Note

The EnableOnUnlock option is not available for AIX Server target systems because reset and unlock are separate operations on AIX systems. EnableOnReset is not available because reset does not affect the status of AIX accounts as it does on other UNIX systems. As a result, password reset will always maintain the account status (enabled/disabled).