How to make automatic logons to an AppGate system
Description:
In some situations it is desirable to have a computer automatically log on to an AppGate system. For example, an external organization may need to fetch data from an AppGate-protected database on a regular, and therefore preferably automatic, basis.
The underlying problem, which we give a solution to here, is that an AppGate system is mainly geared towards interactive use. Normally a real human user has to interact with an AppGate client, supplying usernames and passwords and clicking the different buttons, to get access to services and applications.
As the AppGate clients inherently depend on a real user, we recommend that you instead use a plain implementation of ssh2. This makes it much easier to interface programmatically. An ordinary ssh2 client can operate directly with an AppGate server. The AppGate server detects that it is not speaking with an AppGate client and reverts to a normal command-line-oriented way of interaction.
We can recommend the free implementation of ssh, OpenSSH. It is very well suited for the task and you will find it at OpenSSH.
Using OpenSSH as the client works perfectly well, as the AppGate server's ssh implementation is also based on OpenSSH.
With an ssh client in place we are well equipped for the task, but a few other things also have to be considered.
Most, but not all, authentication methods require user interaction. To automate the logon process, either locally stored clear-text passwords or the public key method is the easiest way to go.
A password or private key located on the connecting computer is of course a security risk, a fact that you should be aware of. For example, it would probably be a good idea to give this automatic user access to just a single application through a dedicated role, and you should also add an Access Rule that allows this user access to the application from only one host: the known connecting computer.
To make a non-interactive automatic login from a script, it is useful to first set up an AppGate account with Public Key authentication. See the FAQ on Public Key on how to get the id_rsa file needed below.
When that is done it is easy:
#!/bin/sh
ssh -i id_rsa -L 1234:databasehost:1234 appgatehost -l autouser
The above code logs on to the AppGate server named appgatehost as user autouser with the key stored in the file id_rsa. It also sets up ssh to forward the local port 1234 to the secured host databasehost at port 1234.
To make the port forward work, you have to configure the AppGate server to give this user access to a service with a corresponding IP-access component. This service should also be configured to start automatically using the "Auto start" checkbox.
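A more defensive form of the script above, as an added example that is not part of the original FAQ or AppGate's own code: it refuses a private key that group or others can access, and uses standard OpenSSH client options so that an unattended run fails instead of prompting or silently losing the forward. It assumes the AppGate server's host key is already in known_hosts; the DRY_RUN variable and the --connect argument are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: hardened unattended login. Host, user, key file and ports
# are the ones used in the FAQ's script; function names are illustrative.

# Succeeds only if the key file exists and grants nothing to group/others.
key_is_private() {
    [ -f "$1" ] || return 2
    # In the "ls -l" mode string (e.g. -rw-------), chars 5-10 are group+other.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Opens the tunnel, or prints the command when DRY_RUN is set (hypothetical
# switch, useful for reviewing the exact command before scheduling it).
appgate_tunnel() {
    key=$1
    key_is_private "$key" || {
        echo "refusing key $key: missing or accessible by group/others" >&2
        return 1
    }
    # BatchMode:             never prompt; fail if key auth does not work
    # IdentitiesOnly:        offer only the key given with -i
    # StrictHostKeyChecking: abort on an unknown or changed host key
    # ExitOnForwardFailure:  exit if local port 1234 cannot be bound
    # ServerAliveInterval:   notice a dead connection instead of hanging
    set -- ssh -i "$key" -l autouser \
        -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L 127.0.0.1:1234:databasehost:1234 appgatehost
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Connect only when asked to, e.g.:  ./tunnel.sh --connect id_rsa
if [ "${1:-}" = "--connect" ]; then
    appgate_tunnel "${2:-id_rsa}"
fi
```

Binding the forward to 127.0.0.1 keeps the database port reachable only from the connecting computer itself, in line with the single-host Access Rule recommended above.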