Automation in the context of multifactor authentication: Difference between revisions

Line 12: Line 12:
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints.   
The only accepted means of authentication for the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints.   


=== <code>restrict</code> constraint === <!--T:4-->
=== <code>restrict</code> === <!--T:4-->
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workloads. This is required because these automation nodes are not intended to be used to start long-running or interactive processes. Regular login nodes must be used instead.  
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workloads. This is required because these automation nodes are not intended to be used to start long-running or interactive processes. Regular login nodes must be used instead.  


=== <code>from="pattern-list"</code> constraint === <!--T:5-->
=== <code>from="pattern-list"</code> === <!--T:5-->
This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The patterns list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, <code>192.168.*.*</code> would not be accepted, but <code>192.168.1.*</code> would be accepted.  
This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The patterns list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, <code>192.168.*.*</code> would not be accepted, but <code>192.168.1.*</code> would be accepted.  


=== <code>command="COMMAND"</code> constraint === <!--T:6-->
=== <code>command="COMMAND"</code> === <!--T:6-->
This constraint forces the command <code>COMMAND</code> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key.  
This constraint forces the command <code>COMMAND</code> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key.  


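Review bot: Dropping the trailing word from all three headings (`restrict constraint`, `from="pattern-list" constraint`, `command="COMMAND" constraint`) changes their section anchors, so any existing wiki link targeting the old anchors (for example a link ending in `#restrict_constraint`) will stop resolving; check for incoming links to those anchors and update them as part of this revision. The body paragraphs still open with "This constraint", which reads correctly because the introductory paragraph at Line 12 announces "the following constraints", so no further wording change is needed. Keeping the `<!--T:4-->` to `<!--T:6-->` markers unchanged on the renamed headings is the right call, since it preserves the identity of the existing translation units instead of creating new ones.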