Giving restricted users the ability to rsh to an APM without requiring root password knowledge
Article ID: 168015
By default, only root can rsh to an APM from the CPM without entering a password. Some environments may find it desirable to grant rsh access as root to an APM (application management, for instance) while not providing the root password on the CPM and not granting privilege 15 to the user.
By default, the APM only allows password-less access via root on the primary CPM. While users can be added to the APM, it becomes tedious to manage passwords and expirations on each APM; all of these accounts would also need to be uid 0. Alternatively, removing the root password from the APM is a security risk.
To give restricted users the ability to rsh to an APM without requiring root password knowledge, the user will still require shell access to the CPM (though it won't be as root). This can be accomplished in one of two ways:
1. Created users still use the CLI as their login shell but the "unix" command in the CLI is reduced in privilege to a level they can use:
configure privilege level <0-14> unix (this command need only be done once for all users)
2. Created users log in with a /bin/bash shell and will need to execute /crossbeam/bin/cli to enter the CLI.
configure username <username> privilege 5
unix su
chsh <username>
New shell [/crossbeam/bin/cli]: /bin/bash
Once one of these two steps is accomplished, as root you will need to rsh to each APM you wish to grant rsh access to. Once on each APM, there is a file in /root called .rhosts. By default, it looks like this:
Edit this file and add, one per line, each username you wish to grant password-less access to the APM:
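A check to run against the edited file, added here as an example and not part of the original article: it flags wildcard (`+`) entries, users that are not on an approved list, and a file that is writable by group or others. It assumes the standard `host [user]` .rhosts layout; the hostname and usernames in the sample are constructed.

```shell
#!/bin/sh
# Audit a .rhosts file and print one finding per line.
# usage: audit_rhosts FILE "approved_user1 approved_user2 ..."
audit_rhosts() {
    file=$1
    approved=" $2 "
    # A .rhosts file should be writable by its owner only.
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        ?????w????|????????w?) echo "PERMS $perms" ;;
    esac
    n=0
    # "|| [ -n "$host" ]" keeps a last line that has no trailing newline.
    while read -r host user _rest || [ -n "$host" ]; do
        n=$((n + 1))
        case $host in ''|'#'*) continue ;; esac   # blank line or comment
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            # "+" matches any host (first field) or any user (second field).
            echo "WILDCARD line $n: $host $user"
        elif [ -n "$user" ]; then
            case $approved in
                *" $user "*) ;;
                *) echo "UNAPPROVED line $n: $host $user" ;;
            esac
        fi
    done < "$file"
}

# Constructed sample: cpm1, appadmin and tempuser are made-up names.
sample=$(mktemp)
cat > "$sample" <<'EOF'
cpm1 root
cpm1 appadmin
cpm1 tempuser
+ +
EOF
audit_rhosts "$sample" "root appadmin"
rm -f "$sample"
```

On an APM the call would be `audit_rhosts /root/.rhosts "<approved usernames>"`; no output means nothing was flagged.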