Configuring Administrators to Run Remote Compliance Commands

In this release, you must use Secure Shell as the RAD URI for remote compliance assessments and storage. RAD recognizes the following formats for Secure Shell:

  • ssh://username@hostname|IP-address:port
  • username@hostname|IP-address:port
  • hostname|IP-address:port

username and port are optional. username defaults to the login user, and port defaults to the RAD IANA port, 12302. hostname can be expanded to the fully qualified domain name, as in hostname.domain.suffix.

Note:

Secure Shell treats a simple host name as a separate host from its host name in FQDN format. Therefore, the RAD URIs jdoe@host1 and jdoe@host1.example.org require separate authentication.

User-to-user authentication is the safest method. Host-based authentication is less secure. You can configure user-to-user authentication in two ways: by having an LDAP user authenticate to all the clients and servers, or by creating an identical local user on all hosts and then copying each local user's public key to all hosts where that local user will run or store assessments. The LDAP method works well for a large enterprise. The local user method is useful for smaller networks and testing.

After you assign the Compliance Assessor rights profile to trusted users, the users configure a no-password-prompt ssh connection over RAD to every system where they will run or store assessments.

The trusted user's main steps are the following:

  1. Generate a Secure Shell key pair with no passphrase.

  2. In the ldap scope, add the user's key to the ssh-agent daemon on all hosts where the user will run remote commands.

  3. In the files scope, copy the public key to the user's .ssh/authorized_keys file on every system.

  4. On every system where the user will run the compliance command, verify that the ssh command does not prompt for a password.

  5. Run remote compliance commands in a profile shell.
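The following script is an added example; it is not part of the Oracle Solaris documentation and not the product's own tooling. It normalizes the three Secure Shell RAD URI forms listed above (applying the page's defaults of the login user and port 12302) and scripts steps 1 to 4 for the local-user ("files scope") method against a list of hosts. The function names, the `DRY_RUN` switch and the sample key path are this example's own assumptions; `DRY_RUN=1` prints the commands instead of running them, so the sequence can be reviewed before any key is installed. Step 5 is not scripted because the syntax of the remote compliance command belongs to the procedures this overview points to.

```shell
#!/bin/sh
# Added example (not Oracle documentation code): RAD Secure Shell URI
# normalization plus the trusted user's key-setup steps 1 to 4.

RAD_DEFAULT_PORT=12302   # RAD IANA port, the default when :port is omitted

# rad_uri_normalize URI [DEFAULT_USER]
# Accepts ssh://user@host:port, user@host:port or host:port (user and port
# optional) and prints "user host port" with the page's defaults applied.
# Plain IPv4 literals work; bracketed IPv6 literals are not handled here.
rad_uri_normalize() {
    rest=${1#ssh://}                                 # optional scheme
    case $rest in
        *@*) user=${rest%%@*}; rest=${rest#*@} ;;
        *)   user=${2:-${LOGNAME:-$(id -un)}} ;;     # default: login user
    esac
    case $rest in
        *:*) host=${rest%%:*}; port=${rest#*:} ;;
        *)   host=$rest; port=$RAD_DEFAULT_PORT ;;
    esac
    [ -n "$user" ] && [ -n "$host" ] && [ -n "$port" ] || return 1
    printf '%s %s %s\n' "$user" "$host" "$port"
}

# run CMD...: execute, or only print the command when DRY_RUN=1 (assumed
# switch; lets the sequence be reviewed and lets the example run offline)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# rad_ssh_setup KEYFILE HOST...   (page steps 1 to 4, local-user method)
rad_ssh_setup() {
    key=$1; shift
    # Step 1: key pair with an empty passphrase (-N '') so ssh never prompts
    [ -f "$key" ] || run ssh-keygen -t rsa -b 3072 -N '' -f "$key"
    # Step 2: load the private key into the user's running ssh-agent
    run ssh-add "$key"
    for host in "$@"; do
        # Step 3: append the public key to ~/.ssh/authorized_keys on the host
        run ssh-copy-id -i "$key.pub" "$host"
        # Step 4: confirm the login is non-interactive; BatchMode=yes makes
        # ssh fail with an exit code instead of prompting if the key is rejected
        run ssh -o BatchMode=yes "$host" true || return 1
    done
    # Step 5 (run the compliance command in a profile shell such as pfbash)
    # is left to the detailed procedures; its syntax is not on this page.
}

# Stand-alone usage: RAD_EXAMPLE_MAIN=1 DRY_RUN=1 sh rad_setup_example.sh
# Listing both host1 and host1.example.org mirrors the note above: Secure
# Shell treats the short name and the FQDN as separate hosts.
if [ "${RAD_EXAMPLE_MAIN:-0}" = 1 ]; then
    rad_uri_normalize ssh://jdoe@host1.example.org
    rad_ssh_setup "$HOME/.ssh/id_rsa_compliance" host1 host1.example.org
fi
```

Run it once with `DRY_RUN=1` to see exactly which hosts will receive the public key, then without it; a step 4 line that exits non-zero tells you the key was not accepted on that host before you try a remote assessment from a profile shell.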

For detailed steps, go to the following procedures: