In order for Sandfly to login to a remote host, it must have some SSH credentials. Sandfly can use two SSH credential types:

  1. Username and password.
  2. SSH private key and optional password.


Account Requirements

In order for Sandfly to run correctly, it will need an account that can access root level privileges. Superuser root credentials are needed because Sandfly looks into the operating system in areas where normal users cannot access.


You can have Sandfly login as root, but many systems do not allow this. Instead, set up an account that has sudo privileges for use by this application. Sandfly is able to login and determine if it needs sudo to run. If so, it will use sudo and if it has proper permissions it will run normally.


Credentials View

Clicking on Credentials under the Hosts sidebar will take you to the credentials view.

Credentials sidebar.

Credentials sidebar


All registered credentials will be shown. The view will be empty if no credentials exist. 


Username and Password

WARNING: Username and Password SSH Authentication is Dangerous!

We do not recommend username/password SSH authentication unless you have no other options. If the remote system is compromised, logging in with a username and password allows the attacker to steal your credentials and use them elsewhere.

To protect against this risk, we only recommend you use SSH public key authentication as outlined in the next section.


If you want Sandfly to use a username/password you can enter it in the dialog below when you click on Add under Host Credentials:

Adding username credentials.

Adding username credentials


The fields in the above image mean the following:


Name - A readable label that Sandfly uses to refer to this credential. For example, "webservers" could be used to associate that the credential is used to access web systems. The Name field can only be lowercase letters, numbers, and the underscore (_) character.


NOTE: Lowercase, Numbers And Underscore Only

In label fields in Sandfly, you can only use lowercase letters, numbers, and the underscore (_). This naming style is also known as snake_case.


Username - The username you want Sandfly to use to login to the remote host. This needs to be a legal Linux username.


Authentication Type - Select the Username/Password option.


Password - The password to use for this user. This also assumes that the same password is used for sudo access if needed.


WARNING: Sudo Password Should Match User Password

Sandfly assumes the user's login password will also be the sudo password if needed. If no sudo password is needed by this user, Sandfly will figure that out and not use it.


After you enter these values, click on the Add Credentials button. Sandfly takes the data you enter, public key encrypts it, and stores it. Once added, you cannot read the credentials again. Credentials can only be read by scanning nodes when ordered to by the Server.


SSH Private Key and SSH Certificates

The process for adding a SSH private key is largely identical to that for username and passwords. You can use a basic SSH private key, or use a private key and SSH certificate. Optionally if the key is encrypted you can enter the decryption password as well.

Adding SSH credentials.

Adding SSH credentials


The fields in the above image mean the following:


Name - A readable label that Sandfly uses to refer to this credential. For example, "production_fleet" could be used to associate that the credential is used to access production systems. The Name field can only be lowercase letters, numbers, and the underscore (_) character.


NOTE: Lowercase, Numbers And Underscore Only

In label fields in Sandfly, you can only use lowercase letters, numbers, and the underscore (_). This naming style is also known as snake_case.


Username - The username you want Sandfly to use to login to the remote host. This needs to be a legal Linux username.


Authentication Type - Select the SSH Private Key option.


Private Key - The SSH private key in standard SSH key export format.


SSH Password - Optional password used to decrypt the SSH private key if one was used.


Key Certificate - Optional SSH certificate that matches the private key as signed by your SSH Certificate Authority (CA). We recommend users utilize a SSH CA where possible.


Sudo Password - Optional sudo password for this user if one is needed. If supplied, Sandfly will use this password to obtain root privileges.


Again, after you enter these values, click on the Add Credentials button. Sandfly takes the data you enter, public key encrypts it, and stores it. Once added, you cannot read the credentials again. Credentials can only be read by scanning nodes when ordered to by the Server.



Previous
Previous Article:

Next Article:
Next