Description
- [x] I have read and understood docs/Issues.md.
Is it expected behavior that credential dispatcher is bypassed entirely when global username/password are set?
And more importantly:
What is the correct or recommended way to configure Oxidized so that:
- Cisco devices using SSH keys continue to authenticate properly
- Vault-managed devices in specific groups get credentials only from the dispatcher
- Global username/password do not override dispatcher-provided credentials
Right now the only workaround that works is:
- Set global username/password to null
- Force Cisco groups to use publickey only
- Allow vault-managed groups to use password only, so dispatcher supplies them
Is this how Oxidized is designed to work, or is there a cleaner/more supported configuration approach?
Any guidance or examples would be very appreciated!
Expected behavior
- Devices in a group using `auth_methods: ["password"]` should rely on Vault credentials
- But Oxidized always logs authentication attempts using a global username (e.g. null or oxidized)
- Credential dispatcher script is never invoked
- Cisco devices using SSH keys break depending on how global auth is configured
- Setting global username/password seems to override the dispatcher completely
So the problem appears to be a combination of:
- Dispatcher only activates when username/password are nil
- Cisco devices requiring key-only auth
- Net::SSH trying password before publickey if password auth is allowed and username is empty/non-nil
Configuration
```yaml
---
username: null
password: null
use_credential_dispatcher: true
credentials:
  exec:
    type: ruby
    script: "/home/oxidized/.config/oxidized/credentials/vault.rb"
groups:
  VAULT:
    vars:
      auth_methods: ["password"]
```
Logs
```
[username@server oxidized-latest]$ docker exec -it oxidized-latest-oxidized-1 bash -c '
export OXIDIZED_HOME="/home/oxidized/.config/oxidized";
ruby -e "
require \"oxidized\";
Oxidized::Config.load;
Oxidized.mgr = Oxidized::Manager.new;
n = Oxidized::Node.new(name:\"IP-HOST\", model:\"ironware\", group:\"VAULT\");
puts \"FINAL USERNAME=#{n.auth[:username].inspect}\";
puts \"FINAL PASSWORD=#{n.auth[:password].inspect}\";
puts \"FINAL GROUP=#{n.group.inspect}\";
puts \"MODEL=#{n.model.class.name}\";
"
'
FINAL USERNAME=nil
FINAL PASSWORD=nil
FINAL GROUP="VAULT"
MODEL=IronWare
```
Running environment (please complete the following information):
- OS: [RHEL9]
- oxidized version: [e.g. 0.34.3]
- oxidized-web version: [e.g. 0.17.1, if applicable]
- Manufacturer model and software version: d
- oxidized model name:
Additional context
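To make the precedence question above concrete, here is an added Ruby model of the credential resolution order the reporter describes (globals, then group vars, then the dispatcher only when both are still nil). It is not Oxidized's own code: the `resolve_auth` function, the `dispatcher` stand-in for `vault.rb`, the `CISCO` group and the `svc-*` usernames are all constructed for this illustration.

```ruby
# Hypothetical model (not Oxidized's implementation) of the credential
# precedence described in the issue. It exists to show why a global
# username shadows the dispatcher and how a publickey-only group sidesteps it.

# Constructed config mirroring the issue's YAML, plus a key-only group.
CONFIG = {
  "username" => nil,
  "password" => nil,
  "use_credential_dispatcher" => true,
  "groups" => {
    "VAULT" => { "vars" => { "auth_methods" => ["password"] } },
    "CISCO" => { "vars" => { "auth_methods" => ["publickey"] } }
  }
}.freeze

# Stand-in for the external vault.rb script; records each call so a caller
# can check whether the dispatcher was actually invoked.
DISPATCH_CALLS = []
def dispatcher(node, group)
  DISPATCH_CALLS << [node, group]
  { username: "svc-#{group.downcase}", password: "from-vault" }
end

# Resolve the auth a node would use. Group vars override globals; the
# dispatcher runs only if username and password are both nil afterwards,
# which is the behaviour the reporter observed with a global username set.
def resolve_auth(config, node, group)
  gvars = config.dig("groups", group, "vars") || {}
  methods = gvars["auth_methods"] || %w[publickey password]
  username = gvars.fetch("username", config["username"])
  password = gvars.fetch("password", config["password"])
  dispatcher_used = false
  if config["use_credential_dispatcher"] && username.nil? && password.nil?
    creds = dispatcher(node, group)
    username = creds[:username]
    password = creds[:password]
    dispatcher_used = true
  end
  # A password is only presented when the group allows password auth, so a
  # publickey-only group ignores whatever the dispatcher returned.
  password = nil unless methods.include?("password")
  { username: username, password: password,
    auth_methods: methods, dispatcher_used: dispatcher_used }
end

# The reporter's failing case: a global username/password set, so the
# dispatcher is never consulted for any group.
GLOBAL_USER_CONFIG = CONFIG.merge("username" => "oxidized",
                                  "password" => "secret").freeze
```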