
Credential Dispatcher Not Used When Global Username/Password Set

Open andrewburke1 opened this issue 1 month ago • 2 comments

Is it expected behavior that credential dispatcher is bypassed entirely when global username/password are set?

And more importantly:

What is the correct or recommended way to configure Oxidized so that:

  • Cisco devices using SSH keys continue to authenticate properly
  • Vault-managed devices in specific groups get credentials only from the dispatcher
  • Global username/password do not override dispatcher-provided credentials

Right now the only workaround that works is:

  • Set global username/password to null
  • Force Cisco groups to use publickey only
  • Allow vault-managed groups to use password only, so dispatcher supplies them

Is this how Oxidized is designed to work, or is there a cleaner/more supported configuration approach?

Any guidance or examples would be very appreciated!

Expected behavior

  • Devices in a group using auth_methods: ["password"] should rely on Vault credentials
  • But Oxidized always logs authentication attempts using a global username (e.g. null or oxidized)
  • Credential dispatcher script is never invoked
  • Cisco devices using SSH keys break depending on how global auth is configured
  • Setting global username/password seems to override the dispatcher completely

So the problem appears to be a combination of:

  • Dispatcher only activates when username/password are nil
  • Cisco devices requiring key-only auth
  • Net::SSH trying password before publickey if password auth is allowed and username is empty/non-nil

Configuration

---
username: null
password: null
use_credential_dispatcher: true
credentials:
  exec:
    type: ruby
    script: "/home/oxidized/.config/oxidized/credentials/vault.rb"
groups:
  VAULT:
    vars:
      auth_methods: ["password"]

Logs

[username@server oxidized-latest]$ docker exec -it oxidized-latest-oxidized-1 bash -c '
export OXIDIZED_HOME="/home/oxidized/.config/oxidized";
ruby -e "
require \"oxidized\";
Oxidized::Config.load;
Oxidized.mgr = Oxidized::Manager.new;

n = Oxidized::Node.new(name:\"IP-HOST\", model:\"ironware\", group:\"VAULT\");

puts \"FINAL USERNAME=#{n.auth[:username].inspect}\";
puts \"FINAL PASSWORD=#{n.auth[:password].inspect}\";
puts \"FINAL GROUP=#{n.group.inspect}\";
puts \"MODEL=#{n.model.class.name}\";
"
'

FINAL USERNAME=nil
FINAL PASSWORD=nil
FINAL GROUP="VAULT"
MODEL=IronWare

Running environment (please complete the following information):

  • OS: [RHEL9]
  • oxidized version: [e.g. 0.34.3]
  • oxidized-web version: [e.g. 0.17.1, if applicable]
  • Manufacturer model and software version: d
  • oxidized model name:

Additional context

andrewburke1 avatar Dec 01 '25 23:12 andrewburke1

(Edited Issue for readability)

robertcheramy avatar Dec 02 '25 10:12 robertcheramy

There is no such configuration option use_credential_dispatcher in Oxidized.

robertcheramy avatar Dec 02 '25 10:12 robertcheramy