Forum Discussion
Matthew_Hutchin
Nimbostratus
Jan 26, 2012
User Access to CLI with Bash Wrappers
I would like to know if it is possible to create a user in tmsh that will have pretty much no access to anything but CLI aliases.
Is this possible and how would I go about it?
Thanks
Matt
10 Replies
- hoolio
Cirrostratus
Hi Matt,
There isn't currently that level of granularity for admin access control. You could potentially create an iControl app that would only allow modification of the CLI aliases though. You could hard code the LTM credentials in the iControl app to restrict the users of that app to only making such changes.
You could also open a case with F5 Support to request this type of access control granularity.
Aaron
- Matthew_Hutchin
Nimbostratus
Ok - Thanks
- Matthew_Hutchin
Nimbostratus
Ok - if I can't do it with admin access, would I be able to provide this type of granular access with a "guest" type of access?
Thanks
- hoolio
Cirrostratus
No, guest accounts can't make any config changes.
Aaron
- Matthew_Hutchin
Nimbostratus
Hi Aaron,
I understand that a guest couldn't make a config change but what if I wanted to let me use tail or cat to look at log files or maybe tcpdump or ping - stuff like that?
Thanks
Matt
- hoolio
Cirrostratus
I think I get your scenario now. You might be able to do something like this by creating a guest account with tmsh shell access using tmsh aliases. Alex Applebaum's done some good work documenting some related scenarios here:
http://devcentral.f5.com/wiki/TMSH.Bash-Command-Wrapper.ashx
Aaron
- Matthew_Hutchin
Nimbostratus
Thanks Aaron - yes that is the type of scenario I am referring to. Ok, now how do I create a user id in the tmsh and how do I dump them directly into that bash shell when they login?
Thanks
- nitass
Employee
e.g.

    root@ve1023(Active)(tmos) create auth user foo role admin shell bash prompt-for-password
    changing password for foo
    new password:
    confirm password:
    root@ve1023(Active)(tmos) list auth user foo
    auth user foo {
        description "foo"
        encrypted-password "$1$4AWir.wi$xDTPTXwnJI6aBKPlkkR/k0"
        group-id 500
        home-dir "/home/foo"
        partition Common
        partition-access all
        role admin
        shell bash
        user-id 0
    }

    login as: foo
    Using keyboard-interactive authentication.
    Password:
    Last login: Mon Jan 30 19:45:31 2012 from 192.168.206.154
    [foo@ve1023:Active] ~

- Matthew_Hutchin
Nimbostratus
Nit - thanks for the reply but can I also do this for a guest or limited user?
Thanks
- nitass
Employee
I got an error when trying a role which is not admin.

    root@ve1023(Active)(tmos) create auth user test shell bash role guest
    01070825:3: Access denied - Administrators only: Custom shells are only available to administrators not test.
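
As an added illustration of the restricted-diagnostics scenario raised in this thread (not part of any post, and not F5 code or the contents of the linked wiki page), this POSIX shell sketch shows the argument checks a wrapper for `tail`, `cat` and `ping` needs before it runs anything. `LOG_ROOT`, the function names and the three-command allow-list are assumptions.

```sh
#!/bin/sh
# Constructed example: allow-list wrapper for read-only diagnostics.
# LOG_ROOT and the command list are assumptions, not F5 defaults.
LOG_ROOT="${LOG_ROOT:-/var/log}"

# Succeeds only if $1 resolves (symlinks and ../ followed) to an existing
# regular file underneath LOG_ROOT.
log_path_ok() {
    _root=$(readlink -f -- "$LOG_ROOT" 2>/dev/null) || return 1
    _resolved=$(readlink -f -- "$1" 2>/dev/null) || return 1
    [ -f "$_resolved" ] || return 1
    case $_resolved in
        "$_root"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeeds only for a hostname or IP literal: not empty, no leading '-'
# (which would be parsed as an option), no characters outside the set below.
host_ok() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
        *)                       return 0 ;;
    esac
}

# run_allowed <command> <argument>: validate, then run with a fixed argv.
# Returns 2 for anything refused so the caller can log the attempt.
run_allowed() {
    [ "$#" -eq 2 ] || return 2
    case $1 in
        tail) log_path_ok "$2" || return 2; tail -n 50 -- "$2" ;;
        cat)  log_path_ok "$2" || return 2; cat -- "$2" ;;
        ping) host_ok "$2"     || return 2; ping -c 4 -- "$2" ;;
        *)    return 2 ;;
    esac
}

# Stand-alone use: ./wrapper.sh cat /var/log/messages
if [ "$#" -gt 0 ]; then
    run_allowed "$@"
fi
```

`tcpdump` is left off the list because its filter expression and output options need their own validation; the wrapper refuses it like any other unlisted command.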
