OpenBSD (SSH)
Connector name |
|
Connector type | PSLang script, |
Type (UI field value) | OpenBSD Server with 'sudo' (SSH) (Legacy) |
Target system versions supported / tested | The |
Connector status / support | Customer-Verified Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system. |
The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):
expire password
check password expiry
administrator reset password
unlock account
user verify password
verify+reset password
create account
delete account
disable account
enable account
create group
delete group
add user to group
delete user from group
check account enabled
check account lock
get server information
update attributes
List:
accounts
attributes
groups
members
For a full list and explanation of each connector operation, see Connector operations.
See also
Secure Shell for details about agtssh .
Targeting the OpenBSD system
For each OpenBSD system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):
Type is OpenBSD Server with 'sudo' (SSH) (Legacy).
Address uses options described in the table below.
The full list of target parameters is explained in Target system options .
Option | Description |
|---|---|
Options marked with a | |
Script file | Must be set to agtopenbsd.psl (key: script) |
Server | The IP address/domain name of the OpenBSD server. (key: server) |
Target system’s internal hostname | This is the internally-defined host name that, along with the logged in user’s name, comprises the OpenBSD prompt. The script generates the expected prompt using this value, then uses the generated prompt to know when commands have completed. (key: name) |
Privilege escalation type | Select:
If the sudo password is configured to be different than the log-in password, add another set of credentials for sudo and select the System password option. The Administrator ID can be arbitrary. This is the default setting.
(key: privEscType) |
Advanced | |
Port | TCP Port number. Default is 22. (key: port) |
Compression | Select to enable data compression for SSH connections. Default is false. (key: compression) |
Action for host keys | Select DenyUnmatch (default) or AllowAppend. For new targets, AllowAppend is recommended. DenyUnmatch only connects to SSH hosts whose public host keys have been previously recorded and have not been changed. It will reject SSH hosts whose keys have not been previously recorded or were previously recorded but have changed. AllowAppend connects to SSH hosts whose public host keys have been previously recorded and have not been changed, and to SSH hosts whose keys have not been previously recorded. It will reject SSH hosts whose keys were previously recorded but have changed. (key: hostkeys) |
Host keys file | Specify the name of the public host key file. It must be located in the \<instance>\script\ directory. (key: file) |
Authentication key file | This is a generic SSH target field that is ignored for OpenBSD target systems. Login must be done with username and password. |
Timeout for connection | Amount of time the connector will wait for a response. (key: timeout) |
Enable SSH v1? | To enable SSH connection via SSH protocol version 1. (key: enable_ssh_1) |
Trace Logging | Provides detailed multiline logging for connectors. Default is None. Other options include Low, Medium, and High. (key: trace) |
The Trace Logging option provides detailed multi-line logging for the connectors and exposes a way to engage trace logging to a file. Trace logging are things that are generally multi-line such as input/output kvg options, http request/response data, and generally verbose data for diagnosing and troubleshooting issues. It provide a simple mechanism to redirect multi-lined information to an output file.
A trace log file is created within the <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance> directory and has a format of trc-<connector-name>-<unix-time>-<process-id>.log.
The Trace Logging option can be found in the advanced section when modifying the target system address configuration page for individual target systems. It can be set to the following values:
None | Default value. Log no trace information and no trace log file is created. |
Low | Contains kvgroup data for the Input KVG and for the Output KVG. |
Medium | Telemetry data for Http Post/Get request/response data. |
High | Not yet used, to be implemented in a future release. |
(key: trace)
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts on OpenBSD.
Consult the documentation included with your specific application to learn how to create an account to use as a template in Bravura Identity . You can then add account attributes to determine how new accounts should be created based on the template account’s parameters.
Note
Bravura Security Fabric still requires a template account, even though attributes may or may not be copied from the template account, for example, if the configured action for all account attributes is Set.