Scripting without Passwords

How to script Power Manager without needing to enter passwords or credentials.

When writing scripts or tools that use pmctl as a client, being able to avoid an interactive prompt is often essential. We have previously written about How to Avoid Passwords in Power Manager Scripts but in the twelve years since, the underlying tools have evolved and become cross platform. What worked then is no longer appropriate today. Let’s revisit the topic.

Authorisation is required for Power Manager requests that access privileged information or make device wide changes. By default, only administrators can make these restricted requests.

The terminology can be confusing. Two key terms are authentication and authorisation:

  • Authentication determines who is making the request;
  • Authorisation determines who can make the request.

Power Manager and pmctl support multiple methods of authentication, including interactive prompts, netrc, and client side certificates.

For non-interactive scripts, we recommend using client side certificates.


Client Side Certificates

Power Manager supports client side Transport Layer Security (TLS) certificates for authentication.

A certificate can be associated with a specific user. When the certificate is used to connect to Power Manager, the associated user will be considered to be making the requests with no additional authentication.

This approach avoids storing plain text credentials and is the preferred method of non-interactive authentication.

Let’s create a certificate pair and associate it with an administrator user.

Creating a Client Certificate

The certificate pair can be created using a wide range of tools. Power Manager will evaluate the certificate but does not enforce hostname validity; this allows self-signed certificates to be used.

To create a self-signed certificate pair with openssl, issue the command:

/usr/bin/openssl req -new -utf8 -x509 -days 3650 -newkey rsa:2048 -sha256 -nodes -keyout 'key.pem' -out 'certificate.pem'

When prompted, provide * for the Common Name and enter . for every other field to leave it blank; this creates a well-formed self-signed certificate.

The openssl command above creates two files:

  • certificate.pem
  • key.pem

Both files need to be passed to pmctl to authenticate the connection.

Associating a Client Certificate

To associate a certificate pair with a user, issue the following command to pmctl:

./pmctl -verbose -authenticate-on-connect -client-certificate certificate.pem -client-key key.pem

Power Manager will interactively authenticate the first time an unknown client certificate is used. If the authentication is successful, the certificate will be associated with the authenticated user.

Subsequent connections using the certificate will no longer require the interactive step.

The certificate remains associated with the user indefinitely and can now be used to avoid interactive authentication.

Both the certificate and key must be passed by the -client-certificate and -client-key flags with every connection.

To use a client certificate when disabling the scheduler, the pmctl command becomes:

./pmctl -verbose -client-certificate certificate.pem -client-key key.pem scheduler.setenabled enabled:boolean=false

Certificate pairs can be copied to other devices, and used by multiple scripts without needing to disclose authentication credentials. This approach can be useful for administrators wishing to provide non-administrators with access to Power Manager, but without revealing any credentials.
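The whole procedure above as one POSIX shell script. This is an added example, not from the Power Manager documentation: it creates the pair non-interactively with `-subj '/CN=*'`, which answers the openssl prompts the way the article describes, enrols the certificate once with `-authenticate-on-connect`, and refuses to use a private key that other users on the device can read, because once the pair is associated with a user the key file is the credential. The pmctl path, the file names and the `RUN_EXAMPLE` switch are assumptions.

```shell
#!/bin/sh
# Added example (not Power Manager's own code). Assumes pmctl is in the
# current directory unless PMCTL is set.
set -eu

PMCTL="${PMCTL:-./pmctl}"

# Create a self-signed pair with Common Name "*" and every other subject
# field empty, the same answers the interactive openssl prompts expect.
# The subshell umask makes the key owner-readable only from the start.
make_client_cert() {
    key="$1"; cert="$2"
    ( umask 077
      /usr/bin/openssl req -new -utf8 -x509 -days 3650 -newkey rsa:2048 \
          -sha256 -nodes -subj '/CN=*' -keyout "$key" -out "$cert" )
}

# Succeed only if the key exists and is readable by neither group nor others
# (find prints the path when the 040 or 004 permission bit is set).
key_is_private() {
    key="$1"
    [ -f "$key" ] || return 1
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Run a pmctl request with the certificate pair; exit status 2 means the
# request was refused locally because the key is exposed or missing.
pm_request() {
    cert="$1"; key="$2"; shift 2
    if ! key_is_private "$key"; then
        echo "refusing to use $key: missing or readable by other users" >&2
        return 2
    fi
    "$PMCTL" -client-certificate "$cert" -client-key "$key" "$@"
}

# The end-to-end flow runs only when asked, so the file can also be sourced.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    make_client_cert key.pem certificate.pem
    # One-time enrolment: Power Manager prompts for the administrator
    # credentials and then associates this certificate with that user.
    pm_request certificate.pem key.pem -verbose -authenticate-on-connect
    # From now on requests need no prompt.
    pm_request certificate.pem key.pem scheduler.setenabled enabled:boolean=false
fi
```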