Scripting without Passwords
How to script Power Manager without needing to enter passwords or credentials.
When writing scripts or tools that use
pmctl as a client, being able to avoid an interactive prompt is often essential. We have previously written about
How to Avoid Passwords in Power Manager Scripts but in the twelve years since, the underlying tools have evolved and become cross platform. What worked then, is no longer appropriate today. Let’s revisit the topic.
Authorisation is required for Power Manager requests that access privileged information or make device wide changes. By default, only administrators can make these restricted requests.
The terminology can be confusing. Two key terms are authentication and authorisation:
- Authentication determines who is making the request;
- Authorisation determines who can make the request.
Power Manager and
multiple methods of authentication, including interactive prompts, netrc, and client side certificates.
For non-interactive scripts, we recommend using client side certificates.
Client Side Certificates
Power Manager supports client side Transport Layer Security (TLS) certificates for authentication.
A certificate can be associated with a specific user. When the certificate is used to connect to Power Manager, the associated user will be considerd to be making the requests with no additional authentication.
This approach avoids storing plain text credentials and is the preferred method of non-interactive authentication.
Let’s create a certificate pair and associate it with an administrator user.
Creating a Client Certificate
The certificate pair can be created using a wide range of tools. Power Manager will evaluate the certificate but does not enforce hostname validity; this allows self-signed certificates to be used.
To create a self-signed certificate pair with
openssl, issue the command:
/usr/bin/openssl req -new -utf8 -x509 -days 3650 -newkey rsa:2048 -sha256 -nodes -keyout 'key.pem' -out 'certificate.pem'
When prompted, provide
* for the
Common Name and leave all other fields blank,
., to create a well-formed self-signed certificate.
openssl command above creates two files:
Both files need to be passed to
pmctl to authenticate the connection.
Associating a Client Certificate
To associate a certificate pair with a user, issue the following command to
./pmctl -verbose -authenticate-on-connect -client-certificate certificate.pem -client-key key.pem
Power Manager will interactively authenticate the first time an unknown client certificate is used. If the authentication is successful, the certificate will be associated with the authenticated user.
Subsequent connections using the certificate will no longer require the interactive step.
The certificate remains associated with the user indefinitely and can now be used to avoid interactive authentication.
Both the certificate and key must be passed by the
-client-key flags with every connection.
To use a client certificate when disabling the scheduler, the
pmctl command becomes:
./pmctl -verbose -client-certificate certificate.pem -client-key key.pem scheduler.setenabled enabled:boolean=false
Certificate pairs can be copied to other devices, and used by multiple scripts without needing to disclose authentication credentials. This approach can be useful for administrators wishing to provide non-administrators with access to Power Manager, but without revealing any credentials.