Adding Credentials

For Sandfly to log in to a remote host, it must have SSH credentials. Sandfly can use two SSH credential types:

  1. Username and password.
  2. SSH private key and optional password.

Account Requirements

For Sandfly to run correctly, it needs an account that can obtain root-level privileges. Superuser root credentials are needed because Sandfly looks into areas of the operating system that normal users cannot access.

You can have Sandfly log in as root, but many systems do not allow this. Instead, you can set up an account for Sandfly that has sudo privileges. Sandfly is able to log in and determine whether it needs sudo to run. If so, it will use sudo and, provided the account has proper permissions, will run normally.

Credentials View

Clicking on Credentials under the Hosts sidebar will take you to the credentials view.

Credentials sidebar.

All registered credentials will be shown. The view will be empty if no credentials exist.

Username and Password

❗️

Username and Password SSH Authentication is Dangerous!

We do not recommend username/password SSH authentication unless you have no other options. If the remote system is compromised, logging in with a username and password allows the attacker to steal your credentials and use them elsewhere.

To protect against this risk, we recommend you use only SSH public key authentication, as outlined in the next section.

If you want Sandfly to use a username/password, you can enter it in the dialog below when you click on Add under Host Credentials:

Adding username credentials.

The fields in the dialog above mean the following:

Name - A readable label Sandfly uses to refer to this credential. In the above example we called it "webservers" so we know that this credential is used to access web systems. The Name field can only contain lowercase letters, numbers, and the underscore (_) character.

🚧

Lowercase, Numbers And Underscore Only

In label fields in Sandfly, you can only use lowercase letters, numbers, and the underscore (_).

Username - The username you want Sandfly to use to log in to the remote host. This needs to be a legal Linux username.

Authentication Type - Select Username/Password in the drop down for login type.

Password - Password to use for this user. This also assumes the same password is used for sudo access if needed.

❗️

Sudo Password Should Match User Password

Sandfly assumes the user's login password will also be the sudo password if needed. If no sudo password is needed by this user, Sandfly will figure that out and not use it.

After you enter these values, click on the Add and Encrypt button. Sandfly takes the data you enter, encrypts it with a public key, and stores it. Once added, you cannot read the credentials again. Credentials can only be read by scanning nodes when ordered to by the Server.

SSH Private Key and SSH Certificates

The process for adding an SSH private key is largely identical to that for a username and password. You can use a basic SSH private key, or a private key and SSH certificate. Optionally, if the key is encrypted, you can enter the decryption password as well.

Adding SSH credentials.

The fields above mean the following:

Name - A readable label Sandfly uses to refer to this credential. In the above example we called it "production_fleet" so we know that this key is used to access production systems. The Name field can only contain lowercase letters, numbers, and the underscore (_) character.

🚧

Lowercase, Numbers And Underscore Only

In label fields in Sandfly, you can only use lowercase letters, numbers, and the underscore (_).

Username - The username you want Sandfly to use to log in to the remote host. This needs to be a legal Linux username.

Authentication Type - Select SSH/Private Key in the drop down menu.

Private Key - The SSH private key in standard SSH key export format.

Password - Optional password used to decrypt the SSH private key if one was used.

Key Certificate - Optional SSH certificate that matches the private key as signed by your SSH Certificate Authority (CA). We recommend users utilize an SSH CA where possible.

Sudo Password - A sudo password for this user if one is needed. If supplied, Sandfly will use this password to obtain root privileges.

Again, after you enter these values, click on the Add and Encrypt button. Sandfly takes the data you enter, encrypts it with a public key, and stores it. Once added, you cannot read the credentials again. Credentials can only be read by scanning nodes when ordered to by the Server.
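Because a stored credential cannot be read back, it helps to check the fields before submitting them. The following pre-flight check is an added example, not part of Sandfly or its documentation: it applies the Name rule stated above and reads the private key's header to tell whether the Password field must be filled in. The function names, the username pattern (a common useradd-style rule) and the `sample_key` helper, which builds a constructed container header with no key material, are assumptions made for illustration.

```python
import base64
import re
import struct

NAME_RE = re.compile(r"[a-z0-9_]+")  # label rule stated on the page
# Assumption: common useradd-style pattern (max 32 chars); distributions may differ.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_needs_password(pem: str) -> bool:
    """Return True if the private key text is passphrase-protected."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    first = lines[0] if lines else ""
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(ln for ln in lines if not ln.startswith("-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an OpenSSH private key container")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", blob, off)  # length of the cipher name
        return blob[off + 4 : off + 4 + n] != b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA) flags encryption in a header line.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    raise ValueError("no private key header found")


def check_credential(name, username, pem, password=""):
    """Return a list of problems; an empty list means the fields look usable."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: lowercase letters, numbers and underscore only")
    if not USER_RE.fullmatch(username):
        problems.append("username: not a legal Linux username")
    try:
        if key_needs_password(pem) and not password:
            problems.append("password: key is encrypted, decryption password needed")
    except (ValueError, struct.error) as exc:
        problems.append(f"private key: {exc}")
    return problems


def sample_key(cipher: bytes) -> str:
    """Constructed container header only (no key material), for demonstration."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run it on the workstation where the key already lives, so the private key is not copied anywhere new just to be checked.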

