Forum Discussion
bash shell w/ TACACS+ authorisation
I'm having some issues around getting directly into the 'bash' console with TACACS+ authorisation.
I have engaged F5, but I haven't had much assistance so far.
First off, TACACS+ authorisation is working just fine.
The issue I'm having appears to be related to the limited choices of the 'console' attribute in the 'remoterole' profiles.
I have come across 2 options for the console selection, but neither will drop me directly into the bash shell I see when I have authenticated locally.
console "tmsh" - presents the TMOS shell
console enable - presents the bigpipe shell
While in the bigpipe shell I can manually enter '!/bin/bash' to get me into the bash shell, but this isn't really something I want to be doing every time I log into one of our F5s.
bp>!/bin/bash
[xx@device:Active] ~
Just in case I've missed something else, I've pasted an example of an administrator remoterole profile.
remoterole {
    role info {
        full_access {
            attribute "F5-LTM-User-Info-1=remotepriv15"
            console "tmsh"
            deny disable
            line order 1
            role "administrator"
            user partition "all"
        }
    }
}
Is there an option I could use locally, or even have the TACACS+ server return, that could get me into the bash shell?
Any help would be much appreciated.
Thanks,
Kristian
- nitass
Employee
Me too. I have tried the autocmd attribute (to send the !/bin/bash command automatically after logging in) but no luck. I guess F5 has not yet supported autocmd.
- plago_72578
Nimbostratus
Can someone from F5 please respond? I am having to create local accounts once again because of this limitation. Can we please have an option to define 'advsh' or something similar so my admin logins can have full Advanced Shell? I've tried using every option available (bpsh, tmsh, & enable) and none of them drop me into the BASH shell by default. - nitass_89166
Noctilucent
As far as I know, we try to go away from the bash shell to tmsh. So, if there is any function you are looking for but it is not available in tmsh, I suggest opening a support case and submitting a request for enhancement.
- RiverFish
Altostratus
The curl function.
- hoolio
Cirrostratus
Hi Plago,
- crosson_16669
Nimbostratus
It's nearly the year 2018. Here is a very simple command that still doesn't exist in tmsh.
list | no-more
Instead we are forced to drop into bash and send tmsh -q. Come on guys....
- Skye_85590
Nimbostratus
It is not clear what you want to do here; you should not do an "open list".
Trust me, you can get just about any config/state data with tmsh if you know how to use it right with bash.
Example to get each virtual server name and address:
tmsh list ltm virtual | grep 'ltm virtual \|address'
- crosson_16669
Nimbostratus
@Skye
Trust me, you can get just about any config/state data with tmsh if you know how to use it right with bash.
You're right. "tmsh -q list" would do just that. That isn't my ask. I shouldn't have to drop into bash to list the config with a "no-more" flag. I should be able to do this from right within tmsh. Something along the lines of "list | no-more".
Everyone knows you can call tmsh from bash and then pipe the output to standard nix commands. That isn't the ask.
- Skye_85590
Nimbostratus
I do not "drop into bash" but I probably would not leave it in the first place.
I am happy to discuss how to do it in UNIX, otherwise, good luck!
Inside TMSH, you can run the following command:
run util bash
and that will give you bash access as a remote user.
HTH
- Kevin_Davies
Nacreous
Direct advanced shell access for remote users is not available for the reasons already stated by F5 in K10272
If you want to support local shell access under specific user accounts then you have to create a local account on the BIG-IP. This means your automation needs to include this step in deploying a new advanced shell user. Specifically, it needs to create the local user account using tmsh or the API and specify the shell as advanced shell. This will then create the local user account that is required for this to work.
The reason they don't do this automatically is likely to be security. Every advanced shell user is a root level user. There is no discrimination, nor any access control for root level users. Would you want external authentication systems triggering the creation of a root level user on your BIG-IP?
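Since every local account with the advanced shell is effectively root, a defender will want to know which local users have it. The script below is an added example (not from this thread or from F5): it parses `tmsh list auth user` style output and prints the users whose shell is bash; the block layout of that output is assumed from memory, and the sample is constructed.

```shell
#!/bin/sh
# Audit BIG-IP local users whose login shell is "bash" (advanced shell).
# Reads "tmsh list auth user" style output from stdin and prints one
# username per line for every user whose shell is bash.
bash_shell_users() {
    awk '
        # "auth user <name> {" opens a user block
        $1 == "auth" && $2 == "user" { name = $3 }
        # "shell bash" inside the block marks an advanced-shell user
        $1 == "shell" && $2 == "bash" && name != "" { print name }
        # a closing brace in column 0 ends the user block
        /^}/ { name = "" }
    '
}

# Constructed sample, assumed to mirror the layout of "tmsh list auth user"
SAMPLE='auth user admin {
    description admin
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user netops {
    partition-access {
        all-partitions {
            role operator
        }
    }
    shell tmsh
}
auth user deploy {
    shell bash
}'

# On a real BIG-IP: tmsh list auth user | bash_shell_users
printf '%s\n' "$SAMPLE" | bash_shell_users
```

Any name printed that is not on your approved list of break-glass accounts is worth a ticket, since nothing on the box limits what that user can do.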
- Ravi_Kumar_Sha1
Nimbostratus
Output from OS ver 12.0, after TACACS+ integration: using bash, it is taking me to the advanced shell.
xxxxxx@(Orxxxx)(cfg-sync In Sync)(Standby)(/Common)(tmos) bash
[xxxxxx@Orxxxx:Standby:In Sync] ~