Forum Discussion

Kristian_89589
Apr 15, 2010

bash shell w/ TACACS+ authorisation

Hi,

I'm having some issues around getting directly into the 'bash' console with TACACS+ authorisation.

I have engaged F5, but I haven't had much assistance so far.

First off, TACACS+ authorisation is working just fine.

The issue I'm having appears to be related to the limited choices of the 'console' attribute in the 'remoterole' profiles.

I have come across 2 options for the console selection, but neither will drop me directly into the bash shell I see when I have authenticated locally.

console "tmsh" - presents the TMOS shell
console enable - presents the bigpipe shell

While in the bigpipe shell I can manually enter '!/bin/bash' to get me into the bash shell, but this isn't really something I want to be doing every time I log into one of our F5s.

bp>!/bin/bash
[xx@device:Active] ~

Just in case I've missed something else, I've pasted an example of an administrator remoterole profile.

remoterole {
    role info {
        full_access {
            attribute "F5-LTM-User-Info-1=remotepriv15"
            console "tmsh"
            deny disable
            line order 1
            role "administrator"
            user partition "all"
        }
    }
}

Is there an option I could use locally, or even have the TACACS+ server return, that could get me into the bash shell?

Any help would be much appreciated.

Thanks,
Kristian

 

15 Replies

  • Me too. I have tried autocmd attribute (to send !/bin/bash command automatically after logging in) but no luck. I guess F5 has not yet supported the autocmd.

    If anybody can do it, pls also let me know. ;-)
  • Can someone from F5 please respond? I am having to create local accounts once again because of this limitation. Can we please have an option to define 'advsh' or something similar so my admin logins can have full Advanced Shell? I've tried using every option available (bpsh, tmsh, & enable) and none of them drop me into the BASH shell by default.
  • As far as I know, we try to go away from bash shell to tmsh. So, if there is any function you are looking for but it is not available in tmsh, I suggest opening a support case and submit request for enhancement.
  • Hi Plago,

    If you'd like an official response from F5, the best option is to open a support case. In this instance, I believe this is a known limitation as described in SOL10272. I think the man pages should be updated to reflect the issue though.

    SOL10272: Accessing the bash shell as a remotely authenticated user
    http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10272.html

    Since remote users do not have an account defined in the /etc/passwd file, a custom shell cannot be defined there either. As a result, the shell for remote users defaults to the bigpipe shell.

    You could potentially change the /usr/bin/bpsh script to reference bash, but this wouldn't be supported.

    As nitass suggested, you could open a request for enhancement case if there's a specific reason you need bash access versus tmsh. Personally, I much prefer bash for flexibility. But I think they're looking for specific use cases.

    Aaron
  • It's nearly the year 2018. Here is a very simple command that still doesn't exist in tmsh.

    list | no-more

    Instead we are forced to drop into bash and send tmsh -q. Come on guys....

    • Skye_85590

      It is not clear what you want to do here, you should not do an "open list".

      Trust me, you can get just about any config/state data with tmsh if you know how to use it right with bash.

      Example to get each virtual server name and address:

      tmsh list ltm virtual | grep 'ltm virtual \|address'

    • crosson_16669

      @Skye

      Trust me, you can get just about any config/state data with tmsh if you know how to use it right with bash.

      You're right. "tmsh -q list" would do just that. That isn't my ask. I shouldn't have to drop into bash to list the config with a "no-more" flag. I should be able to do this from right within tmsh. Something along the lines of "list | no-more".

      Everyone knows you can call tmsh from bash and then pipe the output to standard nix commands. That isn't the ask.

    • Skye_85590

      I do not "drop into bash" but I probably would not leave it in the first place.

      I am happy to discuss how to do it in UNIX, otherwise, good luck!

  • Inside TMSH, you can run the following command:

    run util bash

    and that will give you bash access as a remote user.

    HTH

  • Direct advanced shell access for remote users is not available for the reasons already stated by F5 in K10272.

    If you want to support local shell access under specific user accounts then you have to create a local account on the BIG-IP. This means your automation needs to include this step in deploying a new advanced shell user. Specifically it needs to create the local user account using tmsh or the API and specify the shell as advanced shell. This will then create the local user account that is required for this to work.

    The reason they don't do this automatically is likely to be security. Every advanced shell user is a root level user. There is no discrimination, nor any access control for root level users. Would you want external authentication systems triggering the creation of a root level user on your BIG-IP?
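    As an added example (not from this thread and not F5's own tooling), a small Python audit over BIG-IP brace-style config text, covering both the remoterole block in the original post and the point in the reply above that every local account with the advanced shell is root-level. It parses a remoterole block and reports each line's console value, flagging anything other than the values this thread mentions (tmsh, enable, bpsh), and it parses a constructed auth user listing in the same brace layout (assumed here to match what `tmsh list auth user` prints) to list accounts whose shell is bash. The function names, the second remoterole line `shell_access` with its made-up console value, and the sample users are all constructed for the example.

```python
import re
from typing import Any, Dict, List

# Brace-style config as shown in the thread: the original post's remoterole
# block plus a constructed second line asking for a console value that does
# not exist ("advsh"), so the audit has something to flag.
REMOTEROLE_SAMPLE = """
remoterole {
    role info {
        full_access {
            attribute "F5-LTM-User-Info-1=remotepriv15"
            console "tmsh"
            deny disable
            line order 1
            role "administrator"
            user partition "all"
        }
        shell_access {
            attribute "F5-LTM-User-Info-1=remoteshell"
            console "advsh"
            deny disable
            line order 2
            role "administrator"
            user partition "all"
        }
    }
}
"""

# Constructed local-user listing; the layout is assumed to match what
# `tmsh list auth user` prints (auth user <name> { ... shell <shell> }).
AUTH_USER_SAMPLE = """
auth user admin {
    description admin
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user auditor {
    description "read-only auditor"
    shell tmsh
}
"""

# Console values the replies in this thread report remoterole accepting.
KNOWN_CONSOLE_VALUES = {"tmsh", "enable", "bpsh"}

# "key value": the value is the last token or a trailing quoted string, so
# multi-word keys such as "user partition" and "line order" are kept intact.
_KV = re.compile(r'^(.*?)\s+("[^"]*"|\S+)$')


def parse_blocks(text: str) -> Dict[str, Any]:
    """Parse brace-style config into nested dicts: a line ending in '{' opens
    a block named by the text before it, '}' closes it, anything else is a
    key/value pair (quotes stripped from the value)."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            m = _KV.match(line)
            if m:
                stack[-1][m.group(1)] = m.group(2).strip('"')
            else:
                stack[-1][line] = ""  # bare keyword with no value
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def remoterole_console_values(cfg: Dict[str, Any]) -> Dict[str, str]:
    """Map each 'role info' line name to its console value ('' if unset)."""
    lines = cfg.get("remoterole", {}).get("role info", {})
    return {name: body.get("console", "")
            for name, body in lines.items() if isinstance(body, dict)}


def unsupported_console_values(cfg: Dict[str, Any]) -> Dict[str, str]:
    """Lines whose console value is not one the thread reports as accepted."""
    return {name: value for name, value in remoterole_console_values(cfg).items()
            if value not in KNOWN_CONSOLE_VALUES}


def bash_shell_users(cfg: Dict[str, Any]) -> List[str]:
    """Local accounts with 'shell bash'; each one is root-level on the box."""
    prefix = "auth user "
    return sorted(name[len(prefix):] for name, body in cfg.items()
                  if name.startswith(prefix) and isinstance(body, dict)
                  and body.get("shell") == "bash")


if __name__ == "__main__":
    roles = parse_blocks(REMOTEROLE_SAMPLE)
    for name, console in remoterole_console_values(roles).items():
        print(f"remoterole line {name}: console={console!r}")
    print("unsupported console values:", unsupported_console_values(roles))
    print("local users with bash shell:", bash_shell_users(parse_blocks(AUTH_USER_SAMPLE)))
```

    Run against saved `tmsh list` output, the second check gives a quick inventory of which local accounts carry the advanced shell, which is the set the reply above says you should be deliberately small with.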

     

  • Output from OS ver 12.0, after TACACS+ integration: using bash it takes you to the advanced shell.

    xxxxxx@(Orxxxx)(cfg-sync In Sync)(Standby)(/Common)(tmos) bash
    [xxxxxx@Orxxxx:Standby:In Sync] ~