Giving restricted users the ability to rsh to an APM without requiring root password knowledge

Article ID: 168015

Products

XOS

Issue/Introduction

By default, only root can rsh from the CPM to an APM without entering a password. Some environments want to grant selected users root-level rsh access to an APM (for application management, for instance) without giving them the root password on the CPM and without granting them privilege level 15 in the CLI.

Cause

By default, the APM only allows password-less access for root coming from the primary CPM. While additional users can be created on each APM, managing their passwords and expirations on every APM becomes tedious, and each of those accounts would also need to be uid 0. Alternatively, removing the root password from the APM is a security risk.

Resolution

To give restricted users the ability to rsh to an APM without knowing the root password, each user still needs shell access on the CPM (though not as root). This can be provided in one of two ways:

1. The created users keep the CLI as their login shell, and the privilege level required by the CLI "unix" command is lowered to a level they have:

configure privilege level <0-14> unix (this command only needs to be run once; it applies to all users)


2. The created users log in with /bin/bash as their login shell and run /crossbeam/bin/cli whenever they need the CLI. Create the user, drop to a root shell with "unix su", and change the user's shell:

configure username <username> privilege 5
unix su
chsh
<username>
New shell [/crossbeam/bin/cli]: /bin/bash


Once one of these two steps is done, rsh as root from the CPM to each APM to which you want to grant access. On each APM, root's home directory contains the file /root/.rhosts. By default, it looks like this:

primarycpm root

Edit this file and add, one per line, each username that should get password-less root access to that APM:

primarycpm root
primarycpm <username1>
primarycpm <username2>
...


Save the file. A listed user can now log on to the CPM and, from the bash shell, issue:

rsh -l root <vap name>_<index>


No password is prompted for, and the user is root on the APM.

Keep in mind that every user listed in /root/.rhosts is effectively root on that APM: rhosts authentication trusts the CPM's claim about who the user is, and rsh carries the session in clear text. Treat the list as a list of root-equivalent accounts, review it when users leave, and keep /root/.rhosts owned by root and writable only by root.
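The procedure above is repeated by hand on every APM. The following helper, an added example that is not part of XOS, generates the .rhosts edit as a single shell snippet and pushes it to each APM over rsh from the CPM. It assumes "primarycpm" is the CPM hostname as it appears in .rhosts, that rsh as root from the CPM to each APM works, and that /root/.rhosts is the file to edit. The snippet only appends entries that are not already present, refuses usernames containing characters that could break out of the quoting, and leaves the file readable by root only.

```shell
#!/bin/sh
# Added example (not XOS code): maintain root's .rhosts on each APM from the CPM.
# Assumptions: "primarycpm" is the CPM hostname used in .rhosts, "rsh -l root <apm>"
# works from the CPM, and /root/.rhosts is the file that rshd consults on the APM.
set -eu

# valid_name WORD : true if WORD only contains characters a hostname or Unix
# username may contain. Anything else could escape the single quotes below and
# be executed as root on the APM, so it is rejected.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# rhosts_cmd FILE HOST USER... : print a one-line sh snippet that appends any
# missing "HOST USER" lines to FILE (never duplicating an existing line) and
# then makes FILE readable by root only. The snippet is what runs on the APM.
rhosts_cmd() {
    file=$1; host=$2; shift 2
    valid_name "$host" || { echo "rhosts_cmd: bad hostname '$host'" >&2; return 1; }
    cmd="f='$file'; touch \"\$f\";"
    for user in "$@"; do
        valid_name "$user" || { echo "rhosts_cmd: bad username '$user'" >&2; return 1; }
        # -x (whole line) and -F (literal) so "cpm root" does not match "cpm rootadmin".
        cmd="$cmd grep -qxF '$host $user' \"\$f\" || printf '%s\\n' '$host $user' >> \"\$f\";"
    done
    printf '%s chmod 600 "$f"\n' "$cmd"
}

# rhosts_users FILE HOST : list the users FILE grants password-less access from HOST,
# useful for reviewing which accounts are currently root-equivalent on an APM.
rhosts_users() {
    awk -v h="$2" '$1 == h { print $2 }' "$1"
}

# apm_grant "USER1 USER2 ..." APM... : run as root on the CPM. Pushes the entries
# to /root/.rhosts on each APM (named "<vap name>_<index>", as for rsh) and prints
# the resulting trust list for review.
apm_grant() {
    users=$1; shift
    # shellcheck disable=SC2086  # the user list is intentionally word-split
    cmd=$(rhosts_cmd /root/.rhosts primarycpm $users) || return 1
    for apm in "$@"; do
        rsh -l root "$apm" "$cmd"
        echo "$apm now trusts from primarycpm: $(rsh -l root "$apm" cat /root/.rhosts | awk '$1 == "primarycpm" { print $2 }' | tr '\n' ' ')"
    done
}

# Usage on the CPM, as root:   apm_grant "alice bob" vap1_1 vap1_2
```

Running the generated snippet through rsh rather than editing the file interactively keeps the change identical on every APM and makes it safe to re-run; the review line it prints after each push is the list that should be audited whenever a user's access is withdrawn.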

Workaround

N/A