Create a Service Account for the Keyfactor Bash Orchestrator

The Keyfactor Bash Orchestrator (one of Keyfactor's suite of orchestrators, used to discover and manage SSH keys across an enterprise) uses a service account in the Active Directory domain where the Keyfactor Command server resides to allow it to communicate with Keyfactor Command. This can be the same service account used for other Keyfactor Command server services. This service account appears in the Management Portal as the Identity on the Orchestrator Management grid for the Keyfactor Bash Orchestrator (Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores).

The service account needs to be created prior to installation of the Keyfactor Bash Orchestrator software, and the person installing the Keyfactor Bash Orchestrator software needs to know the domain, username and password of the service account.

Important: Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numerals, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

During installation of the orchestrator, a local Linux user account is created automatically as an identity under which the orchestrator service will operate. This allows the orchestrator to run as a non-root user. On servers on which you install the orchestrator directly, the following Linux user account is created:

keyfactor-bash

On servers configured as remote control targets, the following Linux user account is created:

keyfactor-bash-orchestrator-svc

These users are granted, via sudo, access to read authorized_keys files for inventory purposes and to update authorized_keys files when the orchestrator is operating in inventory and publish policy mode. On install, the sudo configuration is modified by adding a file in the /etc/sudoers.d directory that grants the orchestrator user select sudo rights. The commands the orchestrator user may be granted the right to run via sudo include:

adduser, awk, cat, chmod, chown, flock, gpasswd, ls, mkdir, restorecon, rm, sed, tee, test, touch, usermod
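As an added defensive check (not Keyfactor's own tooling), the following POSIX shell script audits a sudoers.d fragment and reports any command granted to the orchestrator user that falls outside the documented list above, so an over-broad grant such as `ALL` or an unlisted shell is caught. The sample fragments are constructed for this example; the script assumes the standard `user HOST=(runas) TAG: cmd, cmd` rule form with one rule per line.

```shell
#!/bin/sh
# Added example: audit a sudoers.d fragment against the documented command list.
# Assumes one rule per line in the form "user HOST=(runas) [TAG:] cmd [args], cmd".

# Documented allowlist of commands the orchestrator user may be granted via sudo.
ALLOWED="adduser awk cat chmod chown flock gpasswd ls mkdir restorecon rm sed tee test touch usermod"

# Print the basename of every command granted to user $2 in fragment $1, one per line.
granted_commands() {
  file="$1"; user="$2"
  grep -E "^[[:space:]]*${user}[[:space:]]" "$file" \
    | sed -E 's/^[^=]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?([A-Z_]+:[[:space:]]*)*//' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]].*$//; s#.*/##' \
    | grep -v '^$'
}

# Return 0 if every granted command is in ALLOWED, 1 otherwise (extras are printed).
audit_sudoers() {
  rc=0
  for cmd in $(granted_commands "$1" "$2"); do
    case " $ALLOWED " in
      *" $cmd "*) ;;
      *) echo "unexpected sudo grant for $2: $cmd"; rc=1 ;;
    esac
  done
  return $rc
}

# Write two constructed sample fragments (not Keyfactor's real file) and print their directory.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/good" <<'EOF'
# constructed: only documented commands, one with an argument restriction
keyfactor-bash ALL=(root) NOPASSWD: /usr/bin/cat /home/*/.ssh/authorized_keys, /usr/bin/tee, /usr/bin/chmod
keyfactor-bash ALL=(root) NOPASSWD: /usr/sbin/restorecon, /usr/bin/flock
EOF
  cat > "$dir/bad" <<'EOF'
# constructed: over-broad grants that the audit should flag
keyfactor-bash ALL=(ALL) NOPASSWD: ALL
keyfactor-bash ALL=(root) NOPASSWD: /usr/bin/cat, /bin/bash
EOF
  echo "$dir"
}

# Usage: ./audit.sh /etc/sudoers.d/<fragment> [user]   (defaults to keyfactor-bash)
if [ -n "${1:-}" ]; then audit_sudoers "$1" "${2:-keyfactor-bash}"; fi
```

Run it against the file the installer dropped in /etc/sudoers.d (and against the remote-target user name, keyfactor-bash-orchestrator-svc, where applicable) as a post-install check and after any configuration change.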