Adding Logons

Before adding a new logon, be sure that you have switched the server to which you will add your logon (or its server group) to inventory and publish policy mode (see Server Manager) so that the new logon will be published to the server. If the server is in inventory only mode and you add a new logon for it in Keyfactor Command, the logon will appear in Keyfactor Command only and will not be published out to the server.

Tip:  New logons can also be added from the access management options for server groups and servers while creating Linux logon to Keyfactor Command user mappings (see Editing Access to an SSH Server Group and Editing Access to an SSH Server).

To add a new logon:

  1. In the Management Portal, browse to SSH > Server Manager.
  2. On the Server Manager page, select the Logons tab.

  3. On the Logons tab, click Add.

    Figure 325: Add a Linux Logon—Basic Tab

  4. In the Add Logon dialog on the Details tab, enter a Linux Username for the user.

    Tip:   If you have enabled SSSD support for your Keyfactor Bash OrchestratorClosed The Bash Orchestrator, one of Keyfactor's suite of orchestrators, is used to discover and manage SSH keys across an enterprise. and are adding a domain user, specify the user in username@domain format. For example bbrown@keyexample.com (or, depending on SSSD configuration, such as the case-sensitivity setting; BBROWN@keyexample.com). Note that the logon may be modified by the SSSD configuration file in ways in which Keyfactor Command cannot know about. Refer to SSH-SSSD Case Sensitivity Flag for guidance on what to enter based on how the SSSD case sensitivity flag is configured.
  5. In the Servers with Publish Policy dropdown on the Details tab, select an available SSH server on which to create the logon. Only servers that are configured in inventory and publish policy mode (see Server Manager) will appear in this dropdown. This field is required.

  6. On the Access Management tab in the Users & Groups with Login Access dropdown, select a user or service account to associate the logon with. Only accounts that have keys stored in Keyfactor Command or that have been designated as server group owners will appear in the dropdown. If desired, you may enter an Active Directory group name in this field. This will cause the keys stored in Keyfactor Command for any Active Directory users that are members of this group to be mapped to the selected Linux logon and published to the server on which the Linux logon exists. Any Active Directory users that are members of this group but who do not have keys stored in Keyfactor Command will not be mapped to the selected Linux logon. Click Add. The Access Management tab is optional.

    Tip:  For keys created through the My SSH Key portal (see My SSH Key), a Keyfactor user is an Active Directory user account. For keys created through the Service Account Keys page (see Service Account Keys), a Keyfactor user is a user-generated service account name of the form servicename@hostnameClosed The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername)..

    Figure 326: Add a Linux Logon—Access Management Tab

  7. Click Save to save the new logon.
Note:  When the logon is created on the Linux server, a home directory will be created for it and within this, the .ssh directory and authorized_keys file. The logon user will be made owner of the home directory and granted rwx permissions to it. No password is set for the user and as initially configured, the user will not be able to remotely login.
Tip:  The time it will take for new logons to appear on your Linux server will depend on the frequency of the server synchronization configured for the server group to which the server belongs (see Adding Server Groups).