Unix/Linux Local Account Rotation

Due to how Unix/Linux local account passwords are rotated, retired credentials will not be able to authenticate with the SSH provider during their inactive period.This is a limitation of the SSH provider and cannot be rectified by Infisical.

Prerequisites

Create an SSH Connection with the Secret Rotation requirements
Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.

Create a Unix/Linux Local Account Rotation in Infisical

Infisical UI
API

Navigate to your Secret Manager Project’s Dashboard and select Add Secret Rotation from the actions dropdown.
Select the Unix/Linux Local Account option.
Select the SSH Connection to use and configure the rotation behavior. Then click Next.
- SSH Connection - the connection that will perform the rotation of the configured user’s password.
- Rotation Interval - the interval, in days, that once elapsed will trigger a rotation.
- Rotate At - the local time of day when rotation should occur once the interval has elapsed.
- Auto-Rotation Enabled - whether secrets should automatically be rotated once the rotation interval has elapsed. Disable this option to manually rotate secrets or pause secret rotation.
Due to Unix/Linux Local Account Rotations rotating a single credential set, auto-rotation may result in service interruptions. If you need to ensure service continuity, we recommend disabling this option.
Configure the required Parameters for your rotation. Then click Next.

Rotation Method - The method to use when rotating the target user’s password.
- Login as Target - Infisical will use the provided SSH username and password to log in and rotate its own password.
- Login as Root - Infisical will use the SSH Connection’s credentials to log in and rotate the provided user’s password.
Username - The target SSH username whose password will be rotated.
Current Password - The current password of the target user (required when Rotation Method is set to Login as Target).
Password Requirements - The constraints to apply when generating new passwords.

Specify the secret names that the Unix/Linux credentials should be mapped to. Then click Next.
- Username - the name of the secret that the Unix/Linux username will be stored in.
- Password - the name of the secret that the rotated password will be stored in.
Give your rotation a name and description (optional). Then click Next.
- Name - the name of the secret rotation configuration. Must be slug-friendly.
- Description (optional) - a description of this rotation configuration.
Review your configuration, then click Create Secret Rotation.
Your Unix/Linux Local Account credentials are now available for use via the mapped secrets.

Reconcile Unix/Linux Local Account

If you suspect the credentials are out of sync (for example, after a manual password change on the server), you can regain access by using Reconcile. This will use the configured SSH App Connection’s root account to reset the target user’s password and sync it with Infisical. Reconcile Option

To create a Unix/Linux Local Account Rotation, make an API request to the Create Unix/Linux Local Account Rotation API endpoint.

Sample request

Request

curl --request POST \
--url https://us.infisical.com/api/v2/secret-rotations/unix-linux-local-account \
--header 'Content-Type: application/json' \
--data '{
    "name": "my-unix-linux-rotation",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "my unix/linux local account rotation",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "environment": "dev",
    "secretPath": "/",
    "isAutoRotationEnabled": false,
    "rotationInterval": 30,
    "rotateAtUtc": {
        "hours": 0,
        "minutes": 0
    },
    "parameters": {
        "rotationMethod": "login-as-root",
        "username": "appuser",
        "passwordRequirements": {
            "length": 48,
            "required": {
                "digits": 2,
                "lowercase": 2,
                "uppercase": 2,
                "symbols": 2
            },
            "allowedSymbols": "-_.~!*"
        }
    },
    "secretsMapping": {
        "username": "UNIX_USERNAME",
        "password": "UNIX_PASSWORD"
    }
}'

Due to Unix/Linux Local Account Rotations rotating a single credential set, auto-rotation may result in service interruptions. If you need to ensure service continuity, we recommend disabling this option.

Sample response

Response

{
    "secretRotation": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "my-unix-linux-rotation",
        "description": "my unix/linux local account rotation",
        "secretsMapping": {
            "username": "UNIX_USERNAME",
            "password": "UNIX_PASSWORD"
        },
        "isAutoRotationEnabled": false,
        "activeIndex": 0,
        "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "createdAt": "2023-11-07T05:31:56Z",
        "updatedAt": "2023-11-07T05:31:56Z",
        "rotationInterval": 30,
        "rotationStatus": "success",
        "lastRotationAttemptedAt": "2023-11-07T05:31:56Z",
        "lastRotatedAt": "2023-11-07T05:31:56Z",
        "lastRotationJobId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "nextRotationAt": "2023-11-07T05:31:56Z",
        "connection": {
            "app": "ssh",
            "name": "my-ssh-connection",
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
        },
        "environment": {
            "slug": "dev",
            "name": "Development",
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
        },
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "folder": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "path": "/"
        },
        "rotateAtUtc": {
            "hours": 0,
            "minutes": 0
        },
        "lastRotationMessage": null,
        "type": "unix-linux-local-account",
        "parameters": {
            "rotationMethod": "login-as-root",
            "username": "appuser",
            "passwordRequirements": {
                "length": 48,
                "required": {
                    "digits": 2,
                    "lowercase": 2,
                    "uppercase": 2,
                    "symbols": 2
                },
                "allowedSymbols": "-_.~!*"
            }
        }
    }
}

Secrets Management

Product Reference

Infrastructure Integrations

Secret Syncs

CI/CD Integrations

Framework Integrations

Build Tool Integrations

Others

Unix/Linux Local Account Rotation

Prerequisites

Create a Unix/Linux Local Account Rotation in Infisical

Reconcile Unix/Linux Local Account

Sample request

Sample response

Secrets Management

Product Reference

Infrastructure Integrations

Secret Syncs

CI/CD Integrations

Framework Integrations

Build Tool Integrations

Others

​Prerequisites

​Create a Unix/Linux Local Account Rotation in Infisical

​Reconcile Unix/Linux Local Account

​Sample request

​Sample response

Prerequisites

Create a Unix/Linux Local Account Rotation in Infisical

Reconcile Unix/Linux Local Account

Sample request

Sample response