Connecting CLI & SSH
The CLI (Command Line Interface) and SSH connectors enable MyPass to reset passwords on custom or remote systems via executable scripts or secure shell sessions. Both connectors are installed automatically with the MyPass Gateway Server and operate under the Password Manager Sync Server to extend self-service password management to non-standard targets.
These connectors empower customers to build tailored integrations by defining external executables or remote scripts. MyPass passes user and password data securely, executes the operation, and interprets standardized return codes to confirm success, failure, or user absence.
Quick Implementation Pointers (UPDATE)
Network and Infrastructure Pre-requisites
To ensure successful integration, the following network and infrastructure components must be in place:
- Target SSH/CLI Systems: Any Linux, Unix (AIX, Solaris, HP-UX), network device (Cisco, Juniper, Palo Alto, F5, etc.), or appliance that supports inbound SSH (preferred) or Telnet access.
- MyPass Gateway Server: A Windows Server (2016 or later) to host the MyPass Gateway application.
- Network Connectivity: Outbound connectivity from the Gateway Server to each target host on TCP port 22 (SSH) or TCP port 23 (Telnet). No inbound ports need to be opened on the Gateway.
- SSH Host Key Acceptance: The Gateway Server must be able to accept and cache the target hosts’ SSH host keys (automatically handled on first connection or can be pre-seeded).
- Non-interactive SSH Sessions: Target hosts must allow non-interactive logins without disruptive banners, motd, or forced commands that break automation.
- Encryption & Jump Hosts (Optional): Full support for SSH key authentication, bastion/jump hosts, SSH tunneling, and proxy commands when direct connectivity is restricted.
CLI Connector
The CLI connector executes a local command-line program to reset passwords on a target system.
Overview
MyPass invokes a specified executable with structured parameters:
- User Repository (Name)
- Operation: PWRESET
- Username
- Password
Data is transmitted via Base64 encoding or custom encryption (refer to the API Integration and Implementation Guide for custom DLL development).
The executable must complete within 60 seconds by default (configurable). Upon timeout, MyPass marks the transaction for retry.
Return Codes
| Code | Meaning | Action |
|---|---|---|
| 0 | Success | Transaction completed |
| 3 | Failure (e.g., network, system down) | Triggers retry |
| 2 | User not present | Transaction aborted |
Results and messages are logged in Gateway-CLIconnector.log.
Required System Parameters
| Parameter | Description |
|---|---|
| Check Connection | Path to script verifying connectivity |
| Check Password | (Not used in standard setups) Align with Check Connection |
| Reset Password | Full path to the password reset executable |
| InstanceID | (Optional) Identifier passed to script for multi-connector routing |
| Working Directory | Local directory for execution context |
| Admin Account | Optional privileged account passed to executable |
| Admin Password | Password for Admin Account |
| Method | Encryption mode: None (not recommended), Base64, Custom |
| Assembly Path | Path to custom encryption DLL |
| Class Name | Class name in custom DLL |
| Username Manipulation | (Optional) Convert username to UPPER/lower case |
| Password Manipulation | (Optional) Convert password to UPPER/lower case |
| Unlock After Reset | (Reserved) Not used in current version |
| Mode | Impersonation: None, Impersonate as FPIISuser, Impersonate as specific user |
| Account / Password | Credentials for impersonation (if selected) |
Command Line Format
<Reset Password Script> ResetPassword <Encoding> <AdminUser> <AdminPass> <InstanceID> <Username> <Password>
Expected Output
0; Password for user johnd set successfully
2; User johnd not present in system
3; Failed to set password – system unavailable
Sample CLI Connector
A working example is included at:
<INSTALLPATH>\FastPassCorp\FastPassGateway\bin\ConnectorCLI
Includes a readme.txt and sample using osql.exe to reset local MSSQL user passwords.
SSH Connector
The SSH connector establishes a secure tunnel to a remote host and executes a script to reset passwords.
Overview
MyPass opens an SSH session and runs a remote script with defined parameters. Data transmission uses Base64 or custom encryption.
Default timeout: 60 seconds. On failure or timeout, MyPass retries and closes the tunnel.
Return Codes
Same as CLI:
- 0 → Success
- 3 → Failure (retry)
- 2 → User not present (abort)
SSH-specific failures (e.g., tunnel drop) are logged directly in Gateway-SSHconnector.log.
Configuration Parameters
| Parameter | Description |
|---|---|
| Check Connection | Path to remote connectivity test script |
| Check Password | (Not used in standard setups) Match Check Connection |
| Reset Password | Path to remote password reset script |
| Hostname | Target SSH server |
| Port | SSH service port (default: 22) |
| Admin Account | SSH login account |
| Admin Password | Password for SSH account |
| InstanceID | (Optional) Identifier for routing logic |
| Working Directory | Local path for certificate-based auth |
| Method | None, Base64, Custom |
| Assembly Path / Class Name | For custom encryption |
| Username / Password Manipulation | Case conversion before transmission |
| Unlock After Reset | (Reserved) |
| Mode | Impersonation: None, FPIISuser, Specific User |
| Account / Password | Impersonation credentials |
Remote Script Call
<Reset Password Script> ResetPassword <Encoding> <InstanceID> <Username> <Password>
Expected Output
0; Password user johnd successfully set
2; The user johnd is not present in this system
3; Failed to set password for johnd – system unavailable
Sample SSH Connector
Included at:
<INSTALLPATH>\FastPassCorp\FastPassGateway\bin\ConnectorSSH
Contains readme.txt and a sample Linux user password reset script.
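The remote script contract described above (call format, Base64 decoding, and the `<code>; <message>` reply) can be implemented as follows. This is an added example, not the sample shipped in ConnectorSSH or any MyPass code. It assumes that `<Encoding>` arrives as the literal `Base64` or `None`, that Base64 mode encodes both Username and Password, and that the exit status mirrors the printed code; `user_exists` and `set_password` are hypothetical hooks.

```shell
#!/bin/sh
# Added example: remote reset script for the SSH connector call
#   <script> ResetPassword <Encoding> <InstanceID> <Username> <Password>
# Assumptions: <Encoding> arrives as the literal "Base64" or "None", Base64 mode
# encodes both Username and Password, and the exit status mirrors the printed code.
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# Hypothetical hooks, kept separate so they can be swapped per target system.
user_exists()  { getent passwd "$1" >/dev/null 2>&1; }
set_password() { printf '%s:%s\n' "$1" "$2" | chpasswd 2>/dev/null; }  # secret via stdin

# Print "<code>; <message>" and return <code> (0 success, 2 no such user, 3 retry).
reply() { printf '%s; %s\n' "$1" "$2"; return "$1"; }

decode_field() {  # $1 = encoding, $2 = value as received
  case $1 in
    Base64) printf '%s' "$2" | base64 -d 2>/dev/null ;;
    None)   printf '%s' "$2" ;;
    *)      return 1 ;;
  esac
}

reset_password() {
  [ "$#" -eq 5 ] && [ "$1" = "ResetPassword" ] || { reply 3 "Unsupported call"; return; }
  enc=$2   # $3 is the InstanceID; this example serves a single system and ignores it
  user=$(decode_field "$enc" "$4") || { reply 3 "Cannot decode username"; return; }
  pass=$(decode_field "$enc" "$5") || { reply 3 "Cannot decode password"; return; }
  # Allow-list the username: ':' or a newline would corrupt the chpasswd record.
  case $user in
    ''|[!a-z_]*|*[!a-z0-9_-]*) reply 3 "Invalid username"; return ;;
  esac
  [ "${#user}" -le 32 ] || { reply 3 "Invalid username"; return; }
  # Reject control characters: an embedded newline would smuggle in a second record.
  clean=$(printf '%s' "$pass" | tr -d '[:cntrl:]')
  [ -n "$pass" ] && [ "$pass" = "$clean" ] || { reply 3 "Invalid password for $user"; return; }
  user_exists "$user" || { reply 2 "The user $user is not present in this system"; return; }
  set_password "$user" "$pass" || { reply 3 "Failed to set password for $user"; return; }
  reply 0 "Password user $user successfully set"   # the password is never echoed or logged
}

# Run only when invoked with arguments, as the connector would invoke it.
if [ "$#" -gt 0 ]; then reset_password "$@"; exit $?; fi
```

Base64 is a reversible encoding, and command-line arguments are visible in the target's process list while the script runs, so the SSH session and host access controls are what protect the password. A CLI connector script would take the same shape with the two extra `<AdminUser> <AdminPass>` arguments from its call format.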
For advanced scripting, encryption DLL development, or integration scoping, contact your MyPass representative.
Licensing – Simple Summary
| What you pay for | How it’s calculated |
|---|---|
| Active Directory (required) | One fee per managed user |
| Each additional system (Linux, Unix, network devices, AIX, Solaris, etc. via SSH/CLI) | Additional fee per managed user × per target host / device |
Real-world example
If you manage 1 500 users:
- Active Directory → 1 500 × base user license
- 120 SSH/CLI systems (e.g., 80 Linux servers, 30 Cisco routers, 10 Solaris hosts) → + 180 000 × SSH/CLI connector user license (1 500 users × 120 hosts)
- Total = base AD license + SSH/CLI connector license for 180 000 “user-host” seats
Simple rule - you only pay for the local or privileged accounts that MyPass actually rotates on each individual SSH-enabled host or device.