Forum Discussion

Matthew_Hutchin
Jan 26, 2012

User Access to CLI with Bash Wrappers

I would like to know if it is possible to create a user in tmsh that will have pretty much no access to anything but CLI aliases.

Is this possible and how would I go about it.

Thanks

Matt

  • Hi Matt,

    There isn't currently that level of granularity for admin access control. You could potentially create an iControl app that would only allow modification of the CLI aliases though. You could hard code the LTM credentials in the iControl app to restrict the users of that app to only making such changes.

    You could also open a case with F5 Support to request this type of access control granularity.

    Aaron
  • Ok - if I can't do it with admin access, would I be able to provide this type of granular access with a "guest" type of access?

    Thanks
  • Hi Aaron,

    I understand that a guest couldn't make a config change but what if I wanted to let me use tail or cat to look at log files or maybe tcpdump or ping - stuff like that?

    Thanks

    Matt
  • I think I get your scenario now. You might be able to do something like this by creating a guest account with tmsh shell access using tmsh aliases. Alex Applebaum's done some good work documenting some related scenarios here:

    http://devcentral.f5.com/wiki/TMSH.Bash-Command-Wrapper.ashx

    Aaron
  • Thanks Aaron - yes, that is the type of scenario I am referring to. Ok, now how do I create a user id in tmsh and how do I dump them directly into that bash shell when they log in?

    Thanks
  • e.g.

    root@ve1023(Active)(tmos) create auth user foo role admin shell bash prompt-for-password
    changing password for foo
    new password:
    confirm password:
    
    root@ve1023(Active)(tmos) list auth user foo
    auth user foo {
        description "foo"
        encrypted-password "$1$4AWir.wi$xDTPTXwnJI6aBKPlkkR/k0"
        group-id 500
        home-dir "/home/foo"
        partition Common
        partition-access all
        role admin
        shell bash
        user-id 0
    }
    
    login as: foo
    Using keyboard-interactive authentication.
    Password:
    Last login: Mon Jan 30 19:45:31 2012 from 192.168.206.154
    [foo@ve1023:Active] ~ 
  • Nit - thanks for the reply but can I also do this for a guest or limited user?

    Thanks
  • I got an error when trying a role which is not admin.

    root@ve1023(Active)(tmos) create auth user test shell bash role guest
    01070825:3: Access denied - Administrators only: Custom shells are only available to administrators not test.
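The wrapper approach Aaron points to in the thread amounts to a login shell that accepts an allowlist of commands and refuses everything else. The following is an added example of such a wrapper written for this thread; it is not code from the original posts, from the DevCentral wiki page linked above, or from F5. It assumes it is installed as the account's login shell at a hypothetical path such as /usr/local/bin/rwrap, so that sshd invokes it as `rwrap -c '<command line>'`; the command names (ping, tcpdump, tail, cat, matching Matt's list) and the /var/log prefix are this example's own choices.

```bash
#!/bin/bash
# Restricted login-shell wrapper. Added example for this thread, not code from
# the original posts or from F5. Assumed install path: /usr/local/bin/rwrap,
# set as the account's shell so sshd runs:  rwrap -c '<command line>'.
# The allowed command names and LOG_DIR are this example's own choices.

export LC_ALL=C                       # keep [[:alnum:]] strictly ASCII
PATH=/bin:/usr/bin:/usr/sbin:/sbin    # fixed search path; the user's PATH is not trusted
ALLOWED_CMDS="ping tcpdump tail cat"  # exact command names the account may run
LOG_DIR=/var/log                      # tail/cat may only read under this tree

# rw_check LINE: return 0 if LINE is permitted, 1 otherwise.
# The line is only ever word-split; no shell expansion is performed on it.
rw_check() {
  local line="$1" words cmd w
  # Character allowlist: letters, digits, whitespace and / . _ : - only.
  # This excludes ; | & $ ( ) ` < > quotes and backslashes, so nothing in
  # the line is meaningful to a shell even if it later reaches exec.
  [[ "$line" =~ ^[[:alnum:][:space:]/._:-]+$ ]] || return 1
  read -r -a words <<< "$line"       # word split without globbing
  [[ ${#words[@]} -gt 0 ]] || return 1
  cmd="${words[0]}"
  case " $ALLOWED_CMDS " in
    *" $cmd "*) ;;                   # exact-name match against the allowlist
    *) return 1 ;;
  esac
  case "$cmd" in
    tail|cat)
      # Every non-option argument must be a digit string (e.g. "-n 50") or a
      # path under LOG_DIR with no ".." component. Check is lexical only.
      for w in "${words[@]:1}"; do
        [[ "$w" == -* ]] && continue
        [[ "$w" =~ ^[0-9]+$ ]] && continue
        [[ "$w" == "$LOG_DIR"/* && "$w" != *..* ]] || return 1
      done ;;
    tcpdump)
      # Deny option words carrying w/r/F/z/V (write or read capture files,
      # filter-from-file, post-rotate command), including combined forms
      # such as "-nnw". Conservative: long options containing these letters
      # are refused as well.
      for w in "${words[@]:1}"; do
        [[ "$w" == -* && "$w" == *[wrFzV]* ]] && return 1
      done ;;
    ping) ;;                         # the character allowlist already applies
  esac
  return 0
}

# rw_exec LINE: run LINE if rw_check accepts it, never through a shell.
rw_exec() {
  local words
  if ! rw_check "$1"; then
    echo "rwrap: command not permitted: $1" >&2
    return 126
  fi
  read -r -a words <<< "$1"
  "${words[@]}"                      # direct exec of the argv array; no eval, no bash -c
}

# Entry point when installed as a login shell: sshd passes "-c <command>".
if [[ "${1:-}" == "-c" && $# -ge 2 ]]; then
  rw_exec "$2"
  exit $?
elif [[ -t 0 && $# -eq 0 ]]; then
  echo "rwrap: interactive sessions are not permitted; use: ssh user@host '<command>'" >&2
fi
```

Two caveats follow from the thread itself. The listing above shows the bash-shell admin account with user-id 0, and the last reply shows that custom shells are only available to administrators, so a bypass of a wrapper like this is a root shell; that is why it validates by allowlisting characters and exec'ing the argv array rather than by blocking known-bad strings or handing the line to `bash -c`. The /var/log check is lexical: a symlink under /var/log pointing elsewhere would pass it, and tcpdump itself can still capture on any interface the account can reach.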