Forum Discussion

kelkin_337742
Oct 16, 2017

TACACS & SSH Host Based Auth - Any way to make this happen?

From everything I've read, if you are using remote authentication such as TACACS or LDAP, and want to use SSH host based authentication, you just plain can't since local authentication is disabled except for the default root and admin accounts.

 

We need to be able to have scripts connect to the Big IPs via SSH, run a few commands, and authenticate without storing the password for the credentials in the script itself. Ideally, this would be SSH host based authentication.

 

Since SSH host based auth isn't supported when using remote auth, how are we supposed to be able to automate processes which require scripts to SSH in and authenticate on their own without storing credentials in the script? Are there any work-arounds here? Thanks -Keith

 

1 Reply

  • When using remote authentication for management, you can still create users. The system will create the user called Other External Users, which means any remote user. You can then create a new user; however, the password will come from the remote server.

    Imagine that you want all remote users to have the guest role, but some users to have the administrator role. You set up Other External Users as guest, and manually create any user that needs the administrator role in the remote server and also in the F5.

    For your problem, that means users with Linux access still exist, and they exist locally without a password. This should allow you to set up the SSH and run the script you need. You will need to test to see if it works. 😛

    As an example, the user test1 I created after setting up the remote authentication:

    [root@LABBIGIP1:Peer Time Out of Sync:Changes Pending] log  cat /etc/passwd | grep test1
    test1:x:0:500:test1:/home/test1:/bin/bash
    [root@LABBIGIP1:Peer Time Out of Sync:Changes Pending] log  cat /etc/shadow | grep test1
    test1:!!:17455:0:99999:7:::
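
Added example, not part of the original thread and not F5 code: a small audit that joins passwd and shadow entries like the two shown in the reply, reporting which local accounts have no usable local password and which non-root accounts carry UID 0. The function name `audit_accounts`, the `svc_script` account and the root hash are constructed for illustration; the `test1` lines are copied from the reply.

```shell
#!/bin/sh
# audit_accounts PASSWD_FILE SHADOW_FILE
# Joins the two files on the user name and prints, per account:
#   name uid=N shell=PATH password=STATE [uid0-non-root]
# STATE is "locked" when the shadow field starts with ! or * (no local
# password can match, so only remote auth or SSH keys can log in),
# "empty" when the field is blank, "hash" when a local hash is stored.
audit_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { pw[$1] = $2; has[$1] = 1; next }   # shadow
        {
            if (!($1 in has))          state = "no-shadow-entry"
            else if (pw[$1] == "")     state = "empty"
            else if (pw[$1] ~ /^[!*]/) state = "locked"
            else                       state = "hash"
            # A second account with UID 0 has full root privileges.
            flag = ($3 == 0 && $1 != "root") ? " uid0-non-root" : ""
            printf "%s uid=%s shell=%s password=%s%s\n", $1, $3, $7, state, flag
        }
    ' "$2" "$1"
}

# Constructed sample input (test1 lines taken from the reply above).
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test1:x:0:500:test1:/home/test1:/bin/bash
svc_script:x:1001:500:constructed:/home/svc_script:/bin/bash
EOF
cat > "$sample_dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:17455:0:99999:7:::
test1:!!:17455:0:99999:7:::
svc_script:!!:17455:0:99999:7:::
EOF
audit_accounts "$sample_dir/passwd" "$sample_dir/shadow"
rm -rf "$sample_dir"
```

On a real system the same function can be pointed at `/etc/passwd` and `/etc/shadow` as root; any account flagged `uid0-non-root` that is intended for scripted SSH access is worth reviewing against least privilege.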