--- title: SSH connector description: The SSH connector is an implementation of the Scripted Groovy connector toolkit based on Java Secure Channel (JSch) and the Java implementation of the Expect library (Expect4j). This connector lets you interact with any SSH server, using Groovy scripts for the ICF operations. component: openicf page_id: openicf:connector-reference:ssh canonical_url: https://docs.pingidentity.com/openicf/connector-reference/ssh.html section_ids: ssh-authentication: Configure authentication to the SSH server install_the_ssh_connector: Install the SSH connector ssh-connector-config: Configure the SSH connector ssh_remote_connector: SSH remote connector config-connection-pooling-ssh: Configure connection pooling implemented-interfaces-org-forgerock-openicf-connectors-ssh-SSHConnector-1.5.20.33: OpenICF Interfaces Implemented by the SSH Connector config-properties-org-forgerock-openicf-connectors-ssh-SSHConnector-1.5.20.33: SSH Connector Configuration basic-configuration-properties-org-forgerock-openicf-connectors-ssh-SSHConnector-1.5.20.33: Basic Configuration Properties groovy-engine-configuration-org-forgerock-openicf-connectors-ssh-SSHConnector-1.5.20.33: Groovy Engine configuration operation-script-files-org-forgerock-openicf-connectors-ssh-SSHConnector-1.5.20.33: Operation Script Files --- # SSH connector The SSH connector is an implementation of the Scripted Groovy connector toolkit based on Java Secure Channel (JSch) and the Java implementation of the Expect library (Expect4j). This connector lets you interact with any SSH server, using Groovy scripts for the ICF operations. The SSH connector is a *poolable connector*. This means that each connector instance is placed into a connection pool every time an action is completed. Subsequent actions can re-use connector instances from the connector pool. When a new connector instance is created, a new SSH client connection is created against the target SSH server. This SSH connection remains open as long as the connector instance is in the connection pool. Note that when a new action is performed, it finds the SSH connection in the exact state that it was left by the previous action. The following image shows the relationship between SSH connector instances and SSH connections to the target server: ![ssh-connector](_images/ssh-connector.png) ## Configure authentication to the SSH server The SSH connector authenticates to the SSH server using either a login/password or a public/private key. The authentication method is specified in the `authenticationType` property in the connector configuration. * Authenticate with a login and password To authenticate with a login and password, set the `authenticationType` to `PASSWORD` in the connector configuration file, and set a `user` and `password`. For example: ```json "configurationProperties" : { ... "authenticationType" : "PASSWORD", "user" : "", "password" : "", ... ``` The password is encrypted when IDM loads the provisioner file. * Authenticate with a passphrase and private key To authenticate with a secure certificate, generate a pair of public/private keys. Install the public key on the server side and the private key on the IDM host (where the connector is located). Set the `authenticationType` to `PUBKEY` in the connector configuration file and set the `user`, `password`, `passphrase` and `privateKey` properties. For example: ```json "configurationProperties" : { ... "authenticationType" : "PUBKEY", "user" : "", "password" : "", "passphrase" : "secret", "privateKey" : ["-----BEGIN DSA PRIVATE KEY-----", "MIIBugIBAAKBgQDcB0ztVMCFptpJhqlLNZSdN/5cDL3S7aOVy52Ae7vwwCqQPCQr", "6NyUk+wtkDr07NlYd3sg7a9hbsEnlYChsuX+/WUIvbOKdMfeqcQ+jKK26YdkTCGj", "g86dBj9JYhobSHDoQ9ov31pYN/cfW5BAZwkm9TdpEjHPvMIaOxx7GPGKWwIVALbD", "CEuf1yJk9UB7v0dmJS7bKkbxAoGARcbAuDP4rB6MsgAAkVwf+1sHXEiGPShYWrVV", "qBgCZ/S45ELqUuiaN/1N/nip/Cc/0SBPKqwl7o50CUg9GH9kTAjmXiwmbkwvtUv+", "Xjn5vCHS0w18yc3rGwyr2wj+D9KtDLFJ8+T5HmsbPoDQ3mIZ9xPmRQuRFfVMd9wr", "DY0Rs7cCgYAxjGjWDSKThowsvOUCiE0ySz6tWggHH3LTrS4Mfh2t0tnbUfrXq2cw", "3CN+T6brgnpYbyX5XI17p859C+cw90MD8N6vvBxaN8QMDRFk+hHNUeSy8gXeem9x", "O0vdIxCgKvA4dh5nSVb5VGKENEGNEHRlYxEPzbqlPa/C/ZvzIvdKXQIUQMoidPFC", "n9z+mE2dAADnPf2m9vk=", "-----END DSA PRIVATE KEY-----" ], ... ``` The default value for the `passphrase` property is `null`. If you do not set a passphrase for the private key, the passphrase value must be equal to an empty string. You *must* set a value for the `password` property, because the connector uses sudo to perform actions on the SSH server. The private key (PEM certificate) must be defined as a JSON String array. The values of the `passphrase`, `password` and `privateKey` are encrypted when IDM loads the provisioner file. ## Install the SSH connector | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To check for an Advanced Identity Cloud application for this connector, refer to:- [Application management](https://docs.pingidentity.com/pingoneaic/latest/app-management/applications.html) - [App catalog](https://docs.pingidentity.com/pingoneaic/latest/app-management/app-catalog.html) | You can download any connector from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors), but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration. **Connector included in default deployment** | Connector | IDM | RCS | | --------------- | ------------------------ | ------------------------ | | [SSH](ssh.html) | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | Download the connector .jar file from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors). * If you're running the connector locally, place it in the `/path/to/openidm/connectors` directory, for example: ``` mv ~/Downloads/ssh-connector-1.5.20.33.jar /path/to/openidm/connectors/ ``` * If you're using a remote connector server (RCS), place it in the `/path/to/openicf/connectors` directory on the RCS. ## Configure the SSH connector You cannot configure the SSH connector through the UI. Configure the connector over REST, as described in [Configure Connectors Over REST](configure-connector.html#connector-wiz-REST). Alternatively, copy the sample connector configuration file (`/path/to/openidm/samples/example-configurations/provisioners/provisioner.openicf-ssh.json`) to your project's `conf/` directory, and edit it to match your environment. Set the authentication properties, as described in [Configure Authentication to the SSH Server](#ssh-authentication). In addition, set at least the following properties: * `host` Specify the hostname or IP address of the SSH server. * `port` Set the port on which the SSH server listens. Default: `22` * `user` The username of the account that connects to the SSH server. This account must be able to `ssh` into the server, with the password provided in the next parameter. * `password` The password of the account that is used to connect to the SSH server. * `prompt` A string representing the remote SSH session prompt. This must be the exact prompt string, in the format `username@target:`, for example `admin@myserver:~$ `. Include any trailing spaces. This list describes the required configuration properties of the SSH connector. Typically, you can use the default values. For a list of all the configuration properties, refer to [SSH Connector Configuration](#ssh-config-prop-ezLink) * `sudoCommand` A string that shows the full path to the `sudo` command, for example `/usr/bin/sudo`. * `echoOff` If set to `true` (the default), the input command echo is disabled. If set to `false`, every character that is sent to the server is sent back to the client in the `expect()` call. * `terminalType` Sets the terminal type to use for the session. The list of supported types is determined by your Linux/UNIX system. For more information, refer to the `terminfo` manual page (`man terminfo`). Default: `vt102` * `setLocale` If set to `true`, indicates that the default environment locale should be changed to the value of the `locale` property. Default: `false` * `locale` Sets the locale for the LC\_ALL, LANG and LANGUAGE environment variables, if `setLocale` is set to `true`. Default: `en_US.utf8` * `connectionTimeout` Specifies the connection timeout to the remote server, in milliseconds. Default: `5000` * `expectTimeout` Specifies the timeout used by the `expect()` calls in scripts, in milliseconds. Default: `5000` * `authenticationType` Sets the authentication type, either `PASSWORD` or `PUBKEY`. For more information, refer to [Configure authentication to the SSH server](#ssh-authentication). Default: `PASSWORD` * `throwOperationTimeoutException` If `true`, the connector throws an exception when the `expectTimeout` is reached for an operation. Otherwise, the operation fails silently. Default: `true` * `scriptRoots` The path to the Groovy scripts that perform the ICF operations, relative to your IDM installation directory. The sample connector configuration expects the scripts in `project-dir/tools`, so this parameter is set to `&{idm.instance.dir}/tools` in the sample configuration. * `classpath` The directory in which the compiler should look for compiled classes. The default classpath, if not is specified, is `install-dir/lib`. * `*ScriptFileName` The name of the Groovy script that is used for each ICF operation. ### SSH remote connector If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the SSH connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM. You can download the SSH connector [from here](https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors). Refer to [Remote connectors](remote-connector.html) for configuring the SSH remote connector. ### Configure connection pooling The SSH connector uses [ICF pooling](pooling.html#icf-pooling) to manage connections. Learn more about the different pooling mechanisms in [Connectors by pooling mechanism](pooling.html#pooling-table). ## OpenICF Interfaces Implemented by the SSH Connector The SSH Connector implements the following OpenICF interfaces. For additional details, see [ICF interfaces](interfaces.html): * Authenticate Provides simple authentication with two parameters, presumed to be a user name and password. * Create Creates an object and its `uid`. * Delete Deletes an object, referenced by its `uid`. * Resolve Username Resolves an object by its username and returns the `uid` of the object. * Schema Describes the object types, operations, and options that the connector supports. * Script on Connector Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics: * The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access. * The script has access to a `connector` variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. * The script has access to any script arguments passed in by the application. * Script on Resource Runs a script on the target resource that is managed by this connector. * Search Searches the target resource for all objects that match the specified object class and filter. * Sync Polls the target resource for synchronization events, that is, native changes to objects on the target resource. * Test Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid. This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out). You can invoke the test operation before a connector configuration has been validated. * Update Updates (modifies or replaces) objects on a target resource. []() ## SSH Connector Configuration The SSH Connector has the following configurable properties: ### Basic Configuration Properties | Property | Type | Default | Encrypted(1) | Required(2) | | -------------------------------------------------------------------------------------------------- | --------------- | ---------------------- | ------------------------ | ------------------------- | | `host` | `String` | `null` | | [icon: check, set=fas]Yes | | The hostname to connect to. | | | | | | `port` | `int` | `22` | | [icon: check, set=fas]Yes | | TCP port to use. | | | | | | `user` | `String` | `null` | | [icon: check, set=fas]Yes | | The user name used to login to remote server. | | | | | | `password` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | The password used to login to remote server. | | | | | | `passphrase` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | The passphrase used to read the private key when using Public Key authentication. | | | | | | `privateKey` | `String[]` | `[]` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | The base 64 encoded value (PEM) of the private key used for Public Key authentication. | | | | | | `authenticationType` | `String` | `PASSWORD` | | [icon: check, set=fas]Yes | | Defines which authentication type should be use: PASSWORD or PUBKEY. | | | | | | `prompt` | `String` | \`root\@localhost:# \` | | [icon: check, set=fas]Yes | | A string representing the remote SSH session prompt. | | | | | | `sudoCommand` | `String` | `/usr/bin/sudo` | | [icon: check, set=fas]Yes | | A string representing the sudo command. | | | | | | `echoOff` | `boolean` | `true` | | [icon: check, set=fas]Yes | | Disable the input command echo. | | | | | | `terminalType` | `String` | `vt102` | | [icon: check, set=fas]Yes | | Defines the terminal type to use for the session. | | | | | | `locale` | `String` | `en_US.utf8` | | [icon: check, set=fas]Yes | | Define the locale for LC\_ALL, LANG and LANGUAGE environment variables to use if `setLocale=true`. | | | | | | `setLocale` | `boolean` | `false` | | [icon: check, set=fas]Yes | | Defines if the default environment locale should be changed with the value provided for `locale`. | | | | | | `connectionTimeout` | `int` | `5000` | | [icon: check, set=fas]Yes | | Defines the connection timeout to the remote server in milliseconds. | | | | | | `expectTimeout` | `long` | `5000` | | [icon: check, set=fas]Yes | | Defines the timeout used by the expect() calls in the scripts in milliseconds. | | | | | | `throwOperationTimeoutException` | `boolean` | `true` | | [icon: check, set=fas]Yes | | Defines if an OperationTimeoutException should be thrown if any call to `expect` times out. | | | | | | `promptReadyTimeout` | `long` | `20` | | [icon: times, set=fas]No | | Defines the `prompt ready` timeout for the promptReady() command in milliseconds. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations. ### Groovy Engine configuration | Property | Type | Default | Encrypted(1) | Required(2) | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ------------ | ------------------------ | ------------------------- | | `scriptRoots` | `String[]` | `null` | | [icon: check, set=fas]Yes | | The root folder to load the scripts from. If the value is null or empty the classpath value is used. | | | | | | `classpath` | `String[]` | `[]` | | [icon: times, set=fas]No | | Classpath for use during compilation. | | | | | | `debug` | `boolean` | `false` | | [icon: times, set=fas]No | | If true, debugging code should be activated. | | | | | | `disabledGlobalASTTransformations` | `String[]` | `null` | | [icon: times, set=fas]No | | Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. | | | | | | `minimumRecompilationInterval` | `int` | `100` | | [icon: times, set=fas]No | | Sets the minimum of time after a script can be recompiled. | | | | | | `recompileGroovySource` | `boolean` | `false` | | [icon: times, set=fas]No | | If set to true recompilation is enabled. | | | | | | `scriptBaseClass` | `String` | `null` | | [icon: times, set=fas]No | | Base class name for scripts (must derive from Script). | | | | | | `scriptExtensions` | `String[]` | `['groovy']` | | [icon: times, set=fas]No | | Gets the extensions used to find groovy files. | | | | | | `sourceEncoding` | `String` | `UTF-8` | | [icon: times, set=fas]No | | Encoding for source files. | | | | | | `targetDirectory` | `File` | `null` | | [icon: times, set=fas]No | | Directory into which to write classes. | | | | | | `tolerance` | `int` | `10` | | [icon: times, set=fas]No | | The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. | | | | | | `verbose` | `boolean` | `false` | | [icon: times, set=fas]No | | If true, the compiler should produce action information. | | | | | | `warningLevel` | `int` | `1` | | [icon: times, set=fas]No | | Warning Level of the compiler. | | | | | | `customConfiguration` | `String` | `null` | | [icon: times, set=fas]No | | Custom Configuration script for Groovy ConfigSlurper. | | | | | | `customSensitiveConfiguration` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Custom Sensitive Configuration script for Groovy ConfigSlurper. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations. ### Operation Script Files | Property | Type | Default | Encrypted(1) | Required(2) | | ----------------------------------------------------------------------------------------------------- | -------- | ------- | ------------ | ----------------------------------------------------------------------------------------------- | | `authenticateScriptFileName` | `String` | `null` | | * [Authenticate](interfaces.html#interface-AuthenticationApiOp) | | The name of the file used to perform the AUTHENTICATE operation. | | | | | | `createScriptFileName` | `String` | `null` | | - [Create](interfaces.html#interface-CreateApiOp) | | The name of the file used to perform the CREATE operation. | | | | | | `customizerScriptFileName` | `String` | `null` | | [icon: times, set=fas]No | | The script used to customize some function of the connector. Read the documentation for more details. | | | | | | `deleteScriptFileName` | `String` | `null` | | * [Delete](interfaces.html#interface-DeleteApiOp) | | The name of the file used to perform the DELETE operation. | | | | | | `resolveUsernameScriptFileName` | `String` | `null` | | - [Resolve Username](interfaces.html#interface-ResolveUsernameApiOp) | | The name of the file used to perform the RESOLVE\_USERNAME operation. | | | | | | `schemaScriptFileName` | `String` | `null` | | * [Schema](interfaces.html#interface-SchemaApiOp) | | The name of the file used to perform the SCHEMA operation. | | | | | | `scriptOnResourceScriptFileName` | `String` | `null` | | - [Script on Resource](interfaces.html#interface-ScriptOnResourceApiOp) | | The name of the file used to perform the RUNSCRIPTONRESOURCE operation. | | | | | | `searchScriptFileName` | `String` | `null` | | * [Read](interfaces.html#interface-GetApiOp) * [Search](interfaces.html#interface-SearchApiOp) | | The name of the file used to perform the SEARCH operation. | | | | | | `syncScriptFileName` | `String` | `null` | | - [Sync](interfaces.html#interface-SyncApiOp) | | The name of the file used to perform the SYNC operation. | | | | | | `testScriptFileName` | `String` | `null` | | * [Test](interfaces.html#interface-TestApiOp) | | The name of the file used to perform the TEST operation. | | | | | | `updateScriptFileName` | `String` | `null` | | - [Update](interfaces.html#interface-UpdateApiOp) | | The name of the file used to perform the UPDATE operation. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations.