SSH Proxy
In some use cases, it may be necessary to run automated commands at the beginning of the SSH session.
For example, the end user may be asked to start an SSH session with an account that has restricted access. In this case, a privilege escalation script can be written using the auth-script feature.
In this way, even though that particular account isn't allowed to reach the device over SSH, the end user is connected to the device in the background with another account's credentials (via global username or SAPM). Then, once the script has run, the end user is able to use the restricted account's privileged commands on that device over SSH.
To use this feature, an authScript property key is defined at the Device Group level and the defined script runs on the target SSH device at the beginning of the end user's SSH session:
Accounts on SAPM can also be used in the script. The following format is used for this:
This allows all devices in the device group to use their own SAPM account password.
Property keys defined at the Device Group level apply to all of the devices in that group.