KBEC-00368 - Passwordless credentials

Article ID: 360032825952

Summary

This document describes how to configure impersonation using passwordless credentials to allow an agent user (for example, ecbuild) on Ubuntu to su to another user without a password.

Solution

The following procedures show how to configure passwordless credentials. In this example, the CloudBees CD (CloudBees Flow) agent runs under a user named ecbuild, and the procedures allow this user to run `su - testuser` without a password.

Configuring the Agent Machine

Perform the following steps on each agent machine:

  1. (Optional) If you do not want to use an existing group, create a group by entering

    `sudo addgroup <groupname>`

  2. (Optional) If you do not want to use an existing user, create a user by entering

    `sudo adduser <username>`

  3. Make the password empty by entering

    `sudo passwd -d <username>`

  4. Allow the ecbuild user to `su - <username>` by adding the following two lines to the `/etc/pam.d/su` file just below the `pam_rootok.so` line:

        auth       [success=ignore default=1] pam_succeed_if.so user = testuser
        auth       sufficient   pam_succeed_if.so use_uid user = ecbuild

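    The first line checks that the target user is testuser. If it is, the next line takes
    control and authorizes the su if the calling user is ecbuild. If the target is any
    other user, `default=1` skips the next line and the remaining rules in the file
    apply as usual.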

    You can also restrict su to a group. In the following example, the group
    allowedpeople can su without a password:

        auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople

    Now you can run a procedure with credentials other than the ecbuild user without
    specifying a password for this user.
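
An added example, not part of the original article or CloudBees code: a small Python audit that reads the auth rules of `/etc/pam.d/su` and reports, for each passwordless `pam_succeed_if.so use_uid` rule, which target account it is limited to. A rule with no `[success=ignore default=1]` target check directly before it (as with the group line above when used alone) applies to every target account; the sample input and function names are constructed for illustration.

```python
import re

# Constructed sample of the auth rules in /etc/pam.d/su (not taken from a real host).
SAMPLE_SU = """\
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = testuser
auth       sufficient   pam_succeed_if.so use_uid user = ecbuild
auth       sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
@include common-auth
"""

FLAGS = {"use_uid", "quiet", "quiet_success", "quiet_fail", "debug", "audit"}
RULE = re.compile(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def auth_rules(text):
    """Return (control, module, args) per auth rule; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).split()))
    return rules

def guarded_target(rule):
    """Target named by a '[success=ignore default=1] ... user = X' guard, else None."""
    control, module, args = rule
    cond = [a for a in args if a not in FLAGS]
    jumps = control.strip("[]").split()
    if (module == "pam_succeed_if.so" and "use_uid" not in args
            and "success=ignore" in jumps and "default=1" in jumps
            and len(cond) == 3 and cond[:2] == ["user", "="]):
        return cond[2]
    return None

def passwordless_grants(text):
    """List (caller condition, target) per passwordless su rule; target is None when
    no guard directly precedes the rule, so it covers every account, root included."""
    rules = auth_rules(text)
    grants = []
    for i, (control, module, args) in enumerate(rules):
        if control == "sufficient" and module == "pam_succeed_if.so" and "use_uid" in args:
            caller = " ".join(a for a in args if a not in FLAGS)
            target = guarded_target(rules[i - 1]) if i > 0 else None
            grants.append((caller, target))
    return grants

if __name__ == "__main__":
    for caller, target in passwordless_grants(SAMPLE_SU):
        print(f"{caller!r} may su without a password to {target or 'ANY user'}")
```

To audit a real agent machine, pass the contents of its `/etc/pam.d/su` to `passwordless_grants` and review every entry whose target is `None`.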

Adding a New Credential to a Project

  1. Open a project in the Automation Platform and click the Credentials tab.

  2. On the right side of the tab, click the Create Credential button.

    The New Credential dialog box appears.

  3. Fill in the fields.

    Note that you do not need to enter a password in this dialog box. The
    credential name (the Name field) can be different than the user name.

  4. Click OK.

Adding a New Credential to a Procedure

For every procedure that you want to run with the new credential:

  1. Click the Use specific credential radio button.

  2. Specify the Credential Name that you specified in the Name field above.

  3. Click OK.

Running the Procedure to Test the Configuration

  1. Click the Run button on the procedure to execute the procedure.

  2. Check the Job Step Details > General tab for the job step that you just ran to ensure that the job was executed with the specified credential.
