Install Remote Control Targets

After you complete the installation of at least one Keyfactor Bash Orchestrator, you can configure other Linux servers in the environment as control targets for this orchestrator. This is done by running a script on each target server that installs the SSH public key matching the orchestrator's private key on that server, along with making a few configuration changes. This allows the orchestrator service on the orchestrator (the local Linux user keyfactor-bash) to communicate with the targets over SSH.

Important:  Any remotely controlled targets of a server using SSSD logons with the Keyfactor Bash Orchestrator must also be configured for SSSD logons and must have the same configuration value for fallback_homedir or override_homedir.

To configure orchestrator targets:

  1. On the orchestrator machine, locate the remoteinstall.sh script in the /opt/keyfactor-bash-orchestrator directory. Do not use the remoteinstall-template.sh script found in the source material under Installation; that template has not been modified to contain the specific public key of your orchestrator.
    Tip:  A copy of the configured remoteinstall.sh script may also be found in the directory from which you executed the installation of the Keyfactor Bash Orchestrator.
  2. Copy the customized remoteinstall.sh script to the orchestrator target that you wish to configure and place it in a temporary working directory.
  3. On the Linux machine you wish to control with the orchestrator, in a command shell change to the temporary directory where you placed the remoteinstall.sh script.
  4. Use the chmod command to make the script file executable. The file ships in a non-executable state to avoid accidental execution. For example:

    sudo chmod +x remoteinstall.sh

  5. In the command shell, run the remoteinstall.sh script as root with no parameters. There is no output from the command when it completes successfully.

    sudo ./remoteinstall.sh

The script creates a directory, /opt/keyfactor-bash-orchestrator-client, and places the public key of the orchestrator Linux service account user in an authorized_keys file within it. It also creates a local service account user (see Create a Service Account for the Keyfactor Bash Orchestrator) and grants this user ownership of that file, which allows the orchestrator server's service account to perform tasks on the target.
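A practitioner will usually want to confirm, after the steps above, that the target is in the state the script is supposed to leave it in: the client directory exists, authorized_keys is owned by the local service account, the file is not writable by anyone else, and the key it holds is the orchestrator's. The following POSIX shell check is an added example, not Keyfactor's remoteinstall.sh or any other Keyfactor code. It assumes you pass in the client directory path, the name of the target's local service account (the page does not name it), and a copy of the orchestrator's public key file; the sample key lines in the comments are constructed.

```shell
#!/bin/sh
# Post-install check for a Bash Orchestrator remote target.
# Added example, not part of Keyfactor's installation scripts.
# Assumptions (not stated on the page): the three inputs below are supplied by the caller.

# check_target_layout DIR OWNER PUBKEY_FILE
#   DIR          directory the remote install creates, normally /opt/keyfactor-bash-orchestrator-client
#   OWNER        local service account user that must own DIR/authorized_keys
#   PUBKEY_FILE  the orchestrator's public key (the keyfactor-bash user's .pub file, copied over)
# Returns 0 when every check passes, 1 otherwise; each finding is written to stderr.
check_target_layout() {
    dir=$1; owner=$2; pubkey_file=$3
    ak="$dir/authorized_keys"
    rc=0

    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ -f "$ak" ]  || { echo "missing file: $ak" >&2; return 1; }

    # authorized_keys must belong to the service account the script created.
    # find -user prints nothing (and complains) when the file has a different owner or the user is unknown.
    if [ -z "$(find "$ak" -user "$owner" -print 2>/dev/null)" ]; then
        echo "$ak is not owned by $owner" >&2; rc=1
    fi

    # A group- or world-writable authorized_keys would let another local user add keys,
    # and sshd with StrictModes (the default) refuses to use such a file.
    if [ -n "$(find "$ak" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$ak is group- or world-writable" >&2; rc=1
    fi

    # The key type and base64 blob (fields 1 and 2 of the .pub file) must appear in authorized_keys.
    # The comment field is deliberately ignored; only the key material has to match.
    # Constructed sample .pub line:  ssh-ed25519 AAAAC3constructedkeyblob keyfactor-bash@orchestrator
    expected=$(awk 'NR==1 {print $1" "$2}' "$pubkey_file")
    if [ -z "$expected" ] || ! grep -F -q -- "$expected" "$ak"; then
        echo "orchestrator public key not present in $ak" >&2; rc=1
    fi

    return $rc
}

# Usage: sh check_target.sh DIR OWNER PUBKEY_FILE
# Runs the check only when all three arguments are given, so the file can also be sourced.
if [ $# -eq 3 ]; then
    check_target_layout "$1" "$2" "$3" && echo "target layout OK"
fi
```

Run it as root on the target after remoteinstall.sh has finished; a non-zero exit with one or more findings on stderr means the script did not leave the target in the expected state and the orchestrator's SSH connection will either fail or be relying on a file that other local users could modify.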

Log messages are written to the standard Linux syslog. Where those messages end up on disk varies by operating system.

Tip:  Once the installation of the orchestrator and any targets for it to control is complete, you need to use the Keyfactor Command Management Portal to approve the orchestrator (if you don't have auto-registration for Keyfactor Bash Orchestrators enabled) and configure SSH server groups and servers as per Server Manager in the Keyfactor Command Reference Guide. SSH server records are not automatically created for remote targets, even if you enable auto-registration for bash orchestrators and use the -i switch when registering the bash orchestrator that will control your targets.