Retrieving privileged account passwords

You can use the cgetaccount command to check out a password interactively or to retrieve a password silently in a script. For example, you might have a local service account named myoracle with a password that is managed by the Privileged Access Service on the registered computer sles12. To use this account to run a script or open a secure shell, you might need to look up the current password. You can check out the password for the managed account interactively by running a command like this:

cgetaccount --lifetime 5 myoracle

You are prompted to confirm the checkout and checkout lifetime.

Password for account "myoracle" will be checked out. The checkout will be logged and expire in 5 minutes.
Do you want to continue and display the password? (y/n) y

If you type y to confirm the checkout, the password is displayed on standard output (stdout).

Password for myoracle: Fo(*~7Ohh()>UOeO

Retrieving a remote password interactively

In a more complex scenario, you might need to check out the password for an account on a remote computer. To illustrate this scenario, the client computer is a registered SUSE Linux computer (sles12) with the local myoracle account, which needs access to the password for the root user account on the remote CentOS Linux computer (centos-6).

If you have configured the sudoers file for the myoracle account, you might retrieve the password for the root account interactively by running commands similar to the following:

cgetaccount --lifetime 10 myoracle

Because myoracle is a managed account, you might need to display and copy its password before you can switch to that account. You can then use the myoracle account to get the password for the root account:

su myoracle
sudo cgetaccount --lifetime 30 CentOS-6.cpubs.net/root
myoracle's password:

In this example, CentOS-6.cpubs.net is the name of the system as it is stored in the Privileged Access Service. The system name might be the same as or different from the host name or DNS name. You are prompted to confirm the checkout for the root account. If you type y to continue and the password for the root account is also managed in the Privileged Access Service, the current password is displayed and will be changed when the checkout period—in this example 30 minutes—expires.

Password for root: 8epM/qL3GtQ[D>aYe.*|

Retrieving a password using a command right

If you have configured a command right for the myoracle account, you might retrieve the password for the root account interactively by running a command similar to the following:

su myoracle
dzdo cgetaccount CentOS-6.cpubs.net/root

Retrieving a password in a script

You can call the cgetaccount command from within a script to silently retrieve an account password from the Privileged Access Service. By calling the command within a script using a dedicated user account such as the myoracle account, you can prevent other services or scripts from using the client service user account to retrieve a server account password. If you want to use the cgetaccount command to check out, use, and update a managed password from within a script, however, additional steps are necessary to configure the appropriate client and server accounts.

The following example illustrates a shell script that silently retrieves the password for the myoracle account on the sles12 system to perform a backup operation. In this example, the password is checked out for 10 minutes, returned on standard output (stdout), and captured in the PASSWORD variable.

#!/bin/bash
# Check out the myoracle password for 10 minutes (-t 10) without prompting (-s).
if PASSWORD=$(cgetaccount -s -t 10 sles12/myoracle); then
    # Quote the password: managed passwords contain shell metacharacters.
    # Note that an argument is visible to other users on the host through ps;
    # pass the secret through the environment or stdin where the consumer allows it.
    ./run_backup.sh sles12/myoracle "$PASSWORD"
else
    echo "Failed to get the password for the account." >&2
fi
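The script above hands the password to run_backup.sh as a command-line argument, which any user on the host can read from the process list. The following added example (not part of the Centrify documentation or product) wraps the same cgetaccount checkout in a function that validates the result and passes the secret to the consumer only in that child process's environment. The variable names PAS_ACCOUNT and PAS_PASSWORD and the CGETACCOUNT override (which lets a test substitute a stand-in for the real binary) are assumptions for illustration; the -s and -t flags and the system/account form are the ones shown on this page.

```shell
#!/bin/bash
# Added example: check out a managed password with cgetaccount and run a
# consumer command without placing the secret on its command line.
set -u

# Assumption: the checkout command can be overridden (for example, by a test
# that supplies a fake); real use leaves it as cgetaccount on the PATH.
CGETACCOUNT="${CGETACCOUNT:-cgetaccount}"

# checkout_password SYSTEM/ACCOUNT [LIFETIME_MINUTES]
# Silent checkout (-s) for the given lifetime (-t). Prints the password on
# stdout; returns 1 if the checkout fails or yields an empty password.
checkout_password() {
    local account="$1" lifetime="${2:-10}" pw
    pw="$("$CGETACCOUNT" -s -t "$lifetime" "$account")" || return 1
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# run_with_secret SYSTEM/ACCOUNT LIFETIME_MINUTES CMD [ARGS...]
# Runs CMD with the checked-out password exported only into that child's
# environment as PAS_PASSWORD (assumed variable name). argv never carries the
# secret, so ps on the host does not reveal it; only the same user or root can
# read the child's environment. Returns the consumer's exit status.
run_with_secret() {
    local account="$1" lifetime="$2" pw rc
    shift 2
    pw="$(checkout_password "$account" "$lifetime")" || {
        echo "Failed to get the password for $account" >&2
        return 1
    }
    PAS_ACCOUNT="$account" PAS_PASSWORD="$pw" "$@" && rc=0 || rc=$?
    unset pw
    return "$rc"
}

# Usage in a real backup job (the consumer reads PAS_PASSWORD from its
# environment instead of an argument):
#   run_with_secret sles12/myoracle 10 ./run_backup.sh
```

Because cgetaccount rotates a managed password when the checkout lifetime expires, keep the lifetime no longer than the consumer's expected run time and let the consumer read the secret from its environment once at startup rather than re-reading it later.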

For additional examples of calling the cgetaccount command within a script, see the sample scripts in the /usr/share/centrifycc/samples/apppassword directory.