Create a Service Account for the Keyfactor Bash Orchestrator

The Keyfactor Bash Orchestrator The Bash Orchestrator, one of Keyfactor's suite of orchestrators, is used to discover and manage SSH keys across an enterprise. uses a service account in the Active Directory domain where the Keyfactor Command server resides to allow it to communicate with Keyfactor Command. This can be the same service account used for other Keyfactor Command server services. This service account appears in the Management Portal as the Identity on the Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. Management grid for the Keyfactor Bash Orchestrator.

The service account needs to be created prior to installation of the Keyfactor Bash Orchestrator software, and the person installing the Keyfactor Bash Orchestrator software needs to know the domain, username and password of the service account.

During installation of the orchestrator, a local Linux user account is created automatically as an identity under which the orchestrator service will operate. This allows the orchestrator to run as a non-root user. On servers on which you install the orchestrator directly, the following Linux user account is created:

On servers configured as remote control targets, the following Linux user account is created:

These users are granted access to read authorized_keys files for inventory purposes and to update authorized_keys files when the orchestrator is operating in inventory and publish policy mode using sudo. On install, modifications are made to the sudo configuration with the addition of a file in the /etc/sudoer.d directory granting the orchestrator user select sudo rights. The commands the service account user may be granted the right to use via sudo include: