Agent Authentication Modes Explained

Article ID: 211767

Updated On:

Products

CA Harvest Software Change Manager, CA Harvest Software Change Manager - OpenMake Meister

Issue/Introduction

From the Workbench client and the Administrator Tool, we want the operator user to be able to connect to a Harvest agent (Solaris, Linux, Windows) without knowing the password, using trust keys, SSH, LDAP, or two-factor authentication.

Environment

CA Harvest Software Change Manager v13.0.3 and up

Resolution

One thing you should know about the Harvest Agent is that it can run in 2 different modes:

- If the agent is started as a service on Windows or from the "root" user ID on Unix / Linux, it is running in "Multi-user" mode. That means anyone who has permission to log in to the computer the agent is running on can connect to the agent with their own user ID and password login credentials.
- If the agent is started from a command prompt in Windows or from a user ID other than the "root" user ID, it is running in "Single-user" mode. That means that all users connecting to that agent will use the same user ID and password. In this case, you choose the password when you start the agent process, and it does not have to be the same as the Windows / Linux / Unix login password for the user ID.

In both cases, when logging into Workbench, the user will use their own login credentials and already know their password. When connecting to the agent, in Multi-user mode, the user will use their own login credentials for the agent server and also know that password, or in Single-user mode, they will all use the same agent-specific user ID and password.

For "Multi-user" mode, the way users and passwords are authenticated can be configured in the HAgent.arg file on the Agent server:

- authmode = internal
  This is the mode most often used on Windows because it allows the Windows operating system to authenticate in the same way that it would if the user logged on to the agent machine with Remote Desktop. If the Windows machine is a member of a domain, Windows automatically manages LDAP, and you do not need to configure it separately for the agent.
  On Linux / Unix, the operating system tries to authenticate the user ID and password based on whether the user ID and password are in the local "passwd" file.
- authmode = openldap
  The operating system of the agent machine will use the settings in the HAgent.arg file to contact an LDAP server and authenticate the user ID that way.
- authmode = pam
  This mode is only available on Linux / Unix operating systems and uses the operating system's "Pluggable Authentication Module" (PAM) to provide the specific method for authenticating users.

So, whether you run the Harvest agent in multi-user mode, where users provide their own user IDs and passwords (which they already know), or in single-user mode, where you set an agent-specific password that does not have to match the operating system password for the agent user ID, the user does not need to know the login credentials of another user to use the Harvest agent.
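The following audit sketch is an added example, not Broadcom or Harvest code. It applies the startup rules and the authmode values described above to the text of an HAgent.arg file. The function names, the sample inputs, and the parsing rules (one option per line, an optional leading "-", the last authmode line wins) are assumptions.

```python
import re

VALID_AUTHMODES = {"internal", "openldap", "pam"}  # the three values the article lists

def agent_run_mode(platform, started_as_service=False, unix_user=None):
    """Multi-user vs single-user, per the article's two startup rules."""
    if platform == "windows":
        return "multi-user" if started_as_service else "single-user"
    return "multi-user" if unix_user == "root" else "single-user"

def read_authmode(arg_text):
    """Return the authmode value from HAgent.arg text, or None if absent.
    Assumptions: one option per line, optional leading '-', last line wins."""
    value = None
    for line in arg_text.splitlines():
        m = re.match(r"^\s*-?authmode\s*=\s*(\S+)\s*$", line, re.IGNORECASE)
        if m:
            value = m.group(1).lower()
    return value

def audit_agent(arg_text, platform, started_as_service=False, unix_user=None):
    """Combine run mode and authmode into a list of review findings."""
    mode = agent_run_mode(platform, started_as_service, unix_user)
    authmode = read_authmode(arg_text)
    findings = []
    if mode == "single-user":
        findings.append("single-user: all users share one agent-specific user ID and password")
        if authmode:
            findings.append("authmode is set, but the article describes it for multi-user mode")
    elif authmode is None:
        findings.append("multi-user: no authmode line found in HAgent.arg")
    elif authmode not in VALID_AUTHMODES:
        findings.append(f"unrecognised authmode '{authmode}'")
    elif authmode == "pam" and platform == "windows":
        findings.append("authmode=pam is only available on Linux / Unix")
    return {"mode": mode, "authmode": authmode, "findings": findings}

# Constructed sample input (not taken from a real agent).
SAMPLE_ARG = "authmode = pam\n"

if __name__ == "__main__":
    print(audit_agent(SAMPLE_ARG, "linux", unix_user="root"))
    print(audit_agent(SAMPLE_ARG, "windows", started_as_service=True))
    print(audit_agent(SAMPLE_ARG, "linux", unix_user="harvest"))
```

An agent reported as single-user deserves attention in a review because every connection uses the same shared credential, so agent activity cannot be tied to an individual login.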

 

Additional Information

More information about Agent startup options can be found here: Configure the Broker and Server Communication on Windows

Look for the section titled: "Agent Start Options on Windows"