Configuring the SSH Data Provider

Tags ssh

This concepts article will help admins understand how Asset Discovery Service works with SSH.

Overview

This article describes how TeamDynamix Asset Discovery works with Secure Shell (SSH) to collect information about Unix, Linux and Macintosh computers. The Asset Discovery Service will issue SSH queries using a user defined in these settings, and computers that are configured to respond to SSH requests from that user will respond with their data. 

Configuring the SSH Asset Discovery Data Provider

TeamDynamix provides the following settings to configure the SSH Data Provider on a discovery job:

  • Target Selection Type – Controls which IP addresses within the job's range are targeted by SSH. See the Ping, Active Directory, and ARPDNS Data Providers article for more information. 
  • Port Number – Allows you to override the default SSH port. Defaults to 22 when not provided.
  • Retry Count – The number of times to retry a query when there is a timeout or error. Defaults to 3 when not provided.
  • Timeout Length – The length of time to wait for a timeout (ms). Defaults to 8000 when not provided.
  • Max Concurrent Requests – The number of concurrent requests that can be sent. Defaults to 50 when not provided.
  • Authentication Mechanism – The discovery process supports user accounts that are authenticated using username and password as well as accounts that are authenticated using public key. Public key authentication involves generating a public and private key pair, placing the public key in the appropriate file on the target machine, and providing the TDX Discovery Service with the private key. Detailed configuration information can be found in this Public Key Authentication article by SSH.COM.
  • Username – The username under which SSH will run. 
  • Password – The password for that username.
  • Key – The authentication key to use. 
  • Passcode – The passcode that corresponds to the key entered above. 

Configuring SSH for Unix and Linux 

SSH is included in distributions of Unix and Linux and is enabled by default. As such, there is little configuration to perform other than ensuring you have a properly authorized account that can be provided to the Discovery Module for performing its discovery commands.

The user account that the discovery process uses must have sudo privileges for two commands:

lshw and dmidecode -t system

This can be accomplished by either using a full sudo-authorized user or by using an unprivileged account with sudo access to those two specific commands. The latter can be accomplished by placing the proper entry into the sudoers file of the target machine.

While this procedure can vary, this can typically be accomplished by adding the following lines to the sudoers file located in the /etc directory where [your user name] is replaced with the name of the user account to be used for discovery:

Cmnd_Alias TDX_COMMANDS = usr/sbin/dmidecode -t system, /usr/bin/lshw
[your user name] ALL=(ALL) TDX_COMMANDS

Note that the sudoers file should not be edited directly, but using the command sudo visudo from a privileged account.

Configuring SSH for Macintosh

SSH is included on Macintosh systems, but remote SSH is disabled by default.

To enable remote SSH on a Macintosh computer:

  1. Click the Apple menu and open System Preferences.
  2. Click the Sharing preference panel.
  3. Select the Remote Login checkbox.
  4. If desired, limit remote login to only specific users by selecting them in the Allow access for section.

The user account that the discovery process uses must have sudo privileges to the following commands:

systemsetup -getcomputername and systemsetup -gettimezone

This can be accomplished by either using a full sudo-authorized user or administrator, or by using an unprivileged account with sudo access to those two specific commands. The latter can be accomplished by placing the proper entry into the sudoers file of the target machine.

While there are different ways to do this, one way it can be accomplished is by adding the following lines to the sudoers file located in the /etc directory where [your user name] is replaced with the name of the user account to be used for discovery:

Cmnd_Alias TDX_COMMANDS = usr/sbin/systemsetup -getcomputername, /usr/sbin/systemsetup -gettimezone
[your user name] ALL=(ALL) TDX_COMMANDS

Note that the sudoers file should not be edited directly but rather using the command sudo visudo from a privileged account.

Details

Article ID: 73517
Created
Mon 3/11/19 11:47 AM
Modified
Fri 6/9/23 10:18 AM

Related Articles (1)

Asset Discovery Data Providers
Data Providers are configured in Discovery Jobs to tell the Scanner which methods to use to scan for devices. We explain the Data Providers in further detail in this article.