Forum Discussion

Matthew_Hutchin's avatar
Matthew_Hutchin
Icon for Nimbostratus rankNimbostratus
Jan 26, 2012

User Access to CLI with Bash Wrappers

I would like to know if it is possible to create a user i tmsh that will pretty much no access to anything but cli aliases.

 

 

Is this possible and how would I go about it.

 

 

 

Thanks

 

 

 

Matt

 

10 Replies

  • Hi Matt,

     

     

    There isn't currently that level of granularity for admin access control. You could potentially create an iControl app that would only allow modification of the CLI aliases though. You could hard code the LTM credentials in the iControl app to restrict the users of that app to only making such changes.

     

     

    You could also open a case with F5 Support to request this type of access control granularity.

     

     

    Aaron
  • Ok - if I can't do it with admin access, would I be able to provide this type of granular access with a "guest" type of access?

     

     

    Thanks
  • Hi Aaron,

     

     

    I understand that a guest couldn't make a config change but what if I wanted to let me use tail or cat to look at log files or maybe tcpdump or ping - stuff like that?

     

     

    Thanks

     

     

    Matt
  • I think I get your scenario now. You might be able to do something like this by creating a guest account with tmsh shell access using tmsh aliases. Alex Applebaum's done some good work documenting some related scenarios here:

     

     

    http://devcentral.f5.com/wiki/TMSH.Bash-Command-Wrapper.ashx

     

     

    Aaron
  • Thanks Aaron - yes that is the type of scenario of am referring to. Ok, now how to do I create a user id in the tmsh and how do I dump them directly into that bash shell when they login?

     

     

    Thanks
  • e.g.

    root@ve1023(Active)(tmos) create auth user foo role admin shell bash prompt-for-password
    changing password for foo
    new password:
    confirm password:
    
    root@ve1023(Active)(tmos) list auth user foo
    auth user foo {
        description "foo"
        encrypted-password "$1$4AWir.wi$xDTPTXwnJI6aBKPlkkR/k0"
        group-id 500
        home-dir "/home/foo"
        partition Common
        partition-access all
        role admin
        shell bash
        user-id 0
    }
    
    login as: foo
    Using keyboard-interactive authentication.
    Password:
    Last login: Mon Jan 30 19:45:31 2012 from 192.168.206.154
    [foo@ve1023:Active] ~ 
    
    
  • Nit - thanks for the reply but can I also do this for a guest or limited user?

     

     

    Thanks
  • i got an error when trying role which is not admin.

    root@ve1023(Active)(tmos) create auth user test shell bash role guest
    01070825:3: Access denied - Administrators only: Custom shells are only available to administrators not test.