AIX


HMC restricted shell

  • 1.  HMC restricted shell

    Posted Tue October 18, 2005 03:38 PM

    Originally posted by: SystemAdmin


    Any way to get around the restricted shell that the p5-570 HMC provides?
    #AIX-Forum


  • 2.  Re: HMC restricted shell

    Posted Wed October 19, 2005 11:38 AM

    Originally posted by: VirtualGreg


    There isn't supposed to be! 8^)

    The HMC is a hardened appliance. What is your objective?

    AIX SupportLine has the ability to generate temporary passwords to get to a root shell, but that's to gather debug data or to perform an emergency fix for a problem a customer might encounter. It's not meant to customize the HMC installation.
    #AIX-Forum


  • 3.  Re: HMC restricted shell

    Posted Wed October 19, 2005 12:07 PM

    Originally posted by: SystemAdmin


    I think this was a recent change to the HMC software and while I've read a lot about it from IBM with regard to support and such, it just seems like the HMC could be used for a lot of admin tasks. This is sort of related to my post about scripting the shutdown of LPARs and whatnot in another thread. I would like to build scripts that run on my HMC to do various admin tasks, but the restricted shell does not permit this. For a while I didn't realize there was anything else installed on the HMC until I was on the phone with IBM and actually went through the process of using pesh and getting root access. It just seems like most of the time the machine is not doing anything and could be better utilized. That is why I am trying to figure out if there is a way to get more access.
    #AIX-Forum


  • 4.  Re: HMC restricted shell

    Posted Thu October 20, 2005 12:51 AM

    Originally posted by: SystemAdmin


    Before the HMC was 'locked down', I had a script that ran a bunch of commands to capture LPAR configuration. The captured data was then sent to our NIM server and converted into a web page for documentation purposes.

    Now that the HMC is 'locked down', I'm unable to run some commands and therefore unable to automate the process for documenting my LPAR configs.

    If IBM are going to stop the customer from running commands on the HMC to document their system they should at least provide the customer with another way to collect the information??
    #AIX-Forum


  • 5.  Re: HMC restricted shell

    Posted Thu October 20, 2005 10:19 AM

    Originally posted by: SystemAdmin


    I feel the HMC on these systems is such a central piece for control and administration, being able to use the full potential of the Linux OS running on them would be very helpful.
    #AIX-Forum


  • 6.  Re: HMC restricted shell

    Posted Thu October 20, 2005 10:32 AM

    Originally posted by: SystemAdmin


    I wouldn't even ask for the full potential of Linux...I'd be happy with the ability to run the LPAR commands remotely.

    I guess there's always expect...
    #AIX-Forum


  • 7.  Re: HMC restricted shell

    Posted Thu October 20, 2005 10:59 AM

    Originally posted by: SystemAdmin


    I think a lot of the commands can be run interactively in the restricted shell if you login via SSH. Again, you can't script it so you have to do it all manually.
    #AIX-Forum


  • 8.  Re: HMC restricted shell

    Posted Mon October 24, 2005 02:16 PM

    Originally posted by: KentPerrier


    You can set up ssh key-based authentication and run the lshwres commands via ssh from any host on your network if you need to. Or are you looking for something else?
    #AIX-Forum


  • 9.  Re: HMC restricted shell

    Posted Mon October 24, 2005 02:28 PM

    Originally posted by: SystemAdmin


    Using that method is a very good idea. I've thought about trying to do it that way. However, it doesn't totally solve my issue. I would need another system to act as the host where those commands would be initiated. Currently, I do not have another Unix machine (other than the LPARs that are managed by this HMC) to act as the host. This led me to the question of doing a lot of these admin tasks from the HMC itself. Since the HMC needs to be up and running to do admin tasks on the p5, I felt I could count on its uptime for scripts. Whereas if I tried to store these scripts on another machine it would not be a guarantee that it would be up all the time the p5 is up. I could pretty much guarantee the HMC is up if the p5 is up.
    #AIX-Forum


  • 10.  Re: HMC restricted shell

    Posted Mon October 24, 2005 02:44 PM

    Originally posted by: SystemAdmin


    How do you set up key-based authentication? I've never been able to update the .ssh/authorized_keys2 file because the .ssh directory is owned by root. Am I missing something?

    Anker
    #AIX-Forum


  • 11.  Re: HMC restricted shell

    Posted Mon October 24, 2005 02:53 PM

    Originally posted by: KentPerrier


    I used the copy_ssh_key.ksh script from the dlpartoolset on Alphaworks to do this, but what it does is copy hscroot's authorized_keys2 file to the local machine, add the public key to the file, and copy it back to the HMC. On my HMC, the authorized_keys2 file is owned by hscroot so there is no problem overwriting it.

    I used this to script a bunch of chhwres commands to move system resources from one LPAR to another.

    Kent
    #AIX-Forum


  • 12.  Re: HMC restricted shell

    Posted Mon October 24, 2005 03:45 PM

    Originally posted by: SystemAdmin


    I got the copy_ssh_key.ksh script from AlphaWorks...still no joy. The script appears to run successfully, but the HMC still prompts me for a password. I also tried the mkauthkeys HMC command and got the same results. Am I the only one too stupid to get this to work?

    I'm wondering if it has something to do with permissions. Here are the permissions on my home and .ssh directories and the authorized_keys2 file on the HMC:

    drwxr-xr-x 6 anker root 4096 2005-10-24 12:25 /home/anker
    drwxr-xr-x 2 root hmc 4096 2005-09-13 11:01 /home/anker/.ssh
    -rw-rw-r-- 1 anker hmc 1288 2005-10-24 12:36 /home/anker/.ssh/authorized_keys2

    I know that ssh typically doesn't want the authorized_keys file to be writable by anyone but the user. I can't find a chmod command, though.

    What am I missing?
    Anker
    #AIX-Forum


  • 13.  Re: HMC restricted shell

    Posted Mon October 24, 2005 05:42 PM

    Originally posted by: KentPerrier


    When you ssh over I assume you are doing ssh hscroot@hostname?
    #AIX-Forum


  • 14.  Re: HMC restricted shell

    Posted Wed October 26, 2005 09:32 PM


  • 15.  Re: HMC restricted shell

    Posted Mon November 07, 2005 02:58 PM

    Originally posted by: SystemAdmin


    FWIW, I finally found the problem in my secure shell setup. I was being numb-brained; the permissions were wrong on the authorized_keys2 file. I should have known to check the simple ssh stuff.

    anker
    #AIX-Forum
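    The permission problem Anker ran into in posts 12 and 15 is sshd's StrictModes check, which is on by default: sshd silently ignores an authorized_keys file when that file, the .ssh directory or the home directory is writable by group or others, or is owned by someone other than the user or root. In the listing in post 12 the root-owned, mode 755 .ssh directory passes that test; the group-writable (rw-rw-r--) authorized_keys2 does not. The script below is an added example written for this page, not copy_ssh_key.ksh or anything posted in the thread. It reproduces sshd's ownership and mode check locally over a temporary home directory and appends a public key only once, which is the edit the copy-down/copy-back round trip in post 11 has to make. The user name, directory and key line are constructed for the demo, and the check uses GNU stat(1); on the HMC itself the same check has to be done by eye with ls -l, since Anker reports there is no chmod in the restricted shell.

```shell
#!/bin/sh
# Added example: emulate the StrictModes sanity check sshd applies before it
# honours ~/.ssh/authorized_keys*, plus an idempotent key append.
# Paths, user name and key material used with it are constructed for the demo.

# check_authkeys_perms USER HOME [KEYFILE]
# Walks HOME, HOME/.ssh and HOME/.ssh/KEYFILE (default authorized_keys2, the
# name the HMC in this thread uses) and prints OK, or a one-word reason and
# the offending path.  Mirrors sshd: the owner must be USER or root, and
# neither group nor others may hold write permission.  Uses GNU stat(1).
check_authkeys_perms() {
  user=$1
  home=$2
  keyfile=${3:-authorized_keys2}
  for p in "$home" "$home/.ssh" "$home/.ssh/$keyfile"; do
    if [ ! -e "$p" ]; then
      echo "MISSING $p"
      return 1
    fi
    set -- $(stat -c '%a %U' "$p")      # octal mode, owner name
    mode=$1
    owner=$2
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
      echo "BADOWNER $p ($owner)"
      return 1
    fi
    # 022 masks the group and other write bits; any of them set is a fail
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "WRITABLE $p ($mode)"
      return 1
    fi
  done
  echo OK
}

# append_key_once KEYFILE "ssh-rsa AAAA... comment"
# Appends the key line unless an identical line is already present, then
# tightens the file mode so sshd will accept the file.  This is the edit the
# copy_ssh_key.ksh round trip makes on the copied-down authorized_keys2.
append_key_once() {
  keyfile=$1
  key=$2
  grep -qxF -- "$key" "$keyfile" 2>/dev/null || printf '%s\n' "$key" >> "$keyfile"
  chmod 600 "$keyfile"
}
```

    Run check_authkeys_perms against a home directory whose authorized_keys2 is mode 664, as in Anker's listing, and it reports WRITABLE for that file; chmod 600 (which append_key_once applies) turns that into OK. Two calls of append_key_once with the same key line leave exactly one copy in the file, so the script can be re-run after every key rotation without growing the file.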


  • 16.  Re: HMC restricted shell

    Posted Thu October 27, 2005 10:12 PM

    Originally posted by: MisterX


    I'm interested in these tools that you have. Any chance you can email them? I had a Perl script that grabbed LPAR info on POWER4 and converted it into an Excel spreadsheet. Now it's broken. The HMC can be hacked. Boot off of a Knoppix live CD and edit the root .bashrc (IIRC).
    #AIX-Forum


  • 17.  Re: HMC restricted shell

    Posted Mon October 31, 2005 05:36 PM

    Originally posted by: SystemAdmin


    I am searching as best I can to find out where the restricted bash shell gets started. Doesn't seem to be in /etc/bash.bashrc or in .bashrc. Is it possible it is not running the standard bash -r (or rbash) that comes with SUSE?
    #AIX-Forum


  • 18.  Re: HMC restricted shell

    Posted Sun December 04, 2005 09:00 PM

    Originally posted by: SystemAdmin


    The restricted shell is started by the following file.

    $HOME/.mysshrc
    #AIX-Forum


  • 19.  Re: HMC restricted shell

    Posted Wed December 14, 2005 11:17 AM

    Originally posted by: SystemAdmin


    >> The restricted shell is started by the following file.
    >> $HOME/.mysshrc

    So, other than booting the HMC with a live Linux CD and then mounting / and editing the file, is there any other way to edit that file? Has anyone tried editing the file and getting a full shell? I am figuring out which of my HMCs I want to try this on. The file is owned by root.root so not too easy to edit from within the restricted shell.
    #AIX-Forum


  • 20.  Reporting script and example of remote HMC command execution

    Posted Mon October 31, 2005 05:19 PM

    Originally posted by: SystemAdmin


    FYI,

    I have written a script that uses ssh to execute commands on the HMC for management and reporting purposes. I've got a separate discussion thread relating to that. But here is a link to the script. Take a look at it and let me know what you think.

    http://www.the-welters.com/professional/scripts/hmcMenu.txt

    #AIX-Forum


  • 21.  Re: HMC restricted shell

    Posted Fri December 09, 2005 03:40 PM

    Originally posted by: SystemAdmin


    Wow... 2000+ views, I guess people want to know how to do this!
    #AIX-Forum


  • 22.  Re: HMC restricted shell

    Posted Wed December 21, 2005 04:58 PM

    Originally posted by: SystemAdmin


    Type:
    man -p /bin/more lssyscfg

    Then once man is loaded type:
    !/bin/bash

    This gets you a plain bash shell. Which is a good start. Don't know if that step can be scripted. Still doesn't help remove the restricted shell that loads by default since the .bashrc file is owned by root. Can't get the root password without using pesh.

    #AIX-Forum


  • 23.  Re: HMC restricted shell

    Posted Fri February 17, 2006 04:26 PM

    Originally posted by: SystemAdmin


    Still no luck getting around the whole restricted shell in any easy way in a script. Wish there was a little more flexibility available on these HMCs.
    #AIX-Forum


  • 24.  Re: HMC restricted shell

    Posted Fri May 12, 2006 12:45 PM

    Originally posted by: SystemAdmin


    FYI - Knoppix is your friend.
    #AIX-Forum


  • 25.  Re: HMC restricted shell

    Posted Wed May 17, 2006 05:28 PM

    Originally posted by: noelsr


    > Any way to get around the restricted shell that the
    > p5-570 HMC provides?

    OK, if Knoppix allows you to mount the root file system and edit the files, this is what you need to do to be able to add an xterm to your menu when you right-click with your mouse:
    vi /opt/hsc/data/fluxbox/en_US/menu

    and add the following line:
    exec (xterm) {xterm -sb -bg black -fg orange}
    you could also add/edit the path on your environment by editing .mysshrc:

    vi /home/hscroot/.mysshrc

    Let me know if you want me to tell you how to disable the firewall and enable telnet... :)

    just kidding.... (Am I??)
    #AIX-Forum


  • 26.  Re: HMC restricted shell

    Posted Mon June 26, 2006 12:01 PM

    Originally posted by: jdmeek


    OK. You wanted it, here it is. To remove all restricted shells and work the box like you owned it, follow the directions below.

    !!!! FOLLOWING THIS PROCEDURE WILL PROBABLY VOID ANY WARRANTY AND/OR SUPPORT CONTRACT YOU MAY HAVE. THIS INFO IS PROVIDED AS A DEMONSTRATION AND YOU SHOULD REALLY THINK TWICE, MAYBE EVEN THREE TIMES, BEFORE DOING THIS!!!!

    Now that that is said... Without further ado...

    Setup HMC As usual...

    When prompted, add your user account

    Finish initial config

    After GRUB Loading Stage2 screen, hit E to edit the hmc boot line
    Highlight the line beginning with kernel and hit E to edit the line.
    Add a <space> and the word single at the end of the line and hit enter
    Now hit b to boot the modified line.

    When prompted, enter the root password that you gave in the initial hmc config.

    You now need to remount the filesystem read-write. Enter the following

    mount -o remount /dev/hdc1 /

    You will now change your accounts shell.
    At the command line, enter chsh (username)
    when prompted, enter /bin/bash
    do this for hscroot and your user account.

    Finally, edit the file /etc/pam.d/su and comment out the following line.
    auth required /lib/security/pam_hsc.so
    session optional /lib/security/pam_hsc.so

    You can add a non-restricted shell to your X environment by appending the following to the /opt/hsc/data/fluxbox/en_US/menu file.

    exec (xterm) {xterm -sb -bg black -fg orange}

    Now, reboot the box.

    Once it comes back, enable ssh logins to the system and you are now free to roam locally (using the xterm that we added) and will have a standard bash shell that you can su to root from on ssh login.

    Thanks to the previous poster for the fluxbox hint.
    #AIX-Forum


  • 27.  Re: HMC restricted shell

    Posted Fri December 08, 2006 10:55 PM

    Originally posted by: SystemAdmin


    I've followed the directions in the previous post. I enter the root password and the HMC is then locked up. I never get a command prompt. CTRL-Cs and CTRL-ALT-DELs have no effect. The only thing I can do at that point is power off the HMC. I'm running 5.2.1 with fixes MH00688, MH00746 and MH00695 (InfoCenter update). Any thoughts? Here's my GRUB menu.lst if it's any help. Thanks.

    prompt 0
    timeout 1
    default hmc

    title hmc
    root (hd0,0)
    kernel (hd0,1)/boot/bzImage ro root=/dev/hdc2 vga=0x317 apm=power-off
    #AIX-Forum


  • 28.  Re: HMC restricted shell

    Posted Mon June 18, 2007 10:41 PM

    Originally posted by: jdmeek


    Well, better late than never...

    I would imagine that as tight as the HMC group tends to be, they probably saw the thread and fixed the hole that I found. Probably via PAM. Bummer.

    In my copious spare time I plan to work out how to hack a Fedora/RHEL box into a full-blown HMC. I know that the HMC is SUSE based but I REALLY don't like working with SUSE boxes. YaST Sux!

    I have several older boxes that require serial HMCs and I can't really justify another HMC purchase to the powers that be. I wouldn't worry about them too much but firmware management is just too dang easy with the HMC. Hopefully, I can get suma, nim and some other goodies to run properly as well.

    I'll update the list as I work through it...

    #AIX-Forum


  • 29.  Re: HMC restricted shell

    Posted Tue June 19, 2007 10:47 AM

    Originally posted by: SystemAdmin


    I am going to continue to watch this thread to see if you are successful with your plan. I don't think I want to go so far as to replace my HMC with a different OS, I would just be happy with unrestricted access to the system. I guess now that v7 of the HMC software is out, we'll have to find the way to unlock it. I guess the HMC guys watch this thread too to patch our finds. Cat and mouse! Just let us have unrestricted access, we paid for the hardware!

    #AIX-Forum


  • 30.  Re: HMC restricted shell

    Posted Tue February 02, 2016 05:51 PM

    Originally posted by: 30JW_Bill_Harvey


    Jumping all the way to chsh to change the login shell away from the restricted-shell (Rsh) seems quite excessive.  I'm not admitting to ever having broken out of the Rsh jail, but, if I had, I think I'd only want to do that on very rare occasions...  I think I'd be able to live quite happily 80% or 90% of the time inside the Rsh env, and only jump out on the very rare occasion when I wanted to explore the HMC setup in detail, or set up some scripted commands for my users...  It's interesting to note that Rsh becomes completely impotent as soon as a writable directory is added to your $PATH...  If you open Rsh, and run the following command:

    # echo $(</proc/$$/cmdline)

    you can see that the --rcfile that sets up the Rsh env is /opt/hsc/data/ssh/hmcsshrc

    If anyone ever breaks out of Rsh (or cons IBM into granting a temp password), all you really need to do is add $HOME/bin to the PATH assignment in that file.  Then copy your favorite shell into $HOME/bin, and you're $HOME/free...  You have immediate access to an unrestricted shell any time you want it...  You might find that you don't really need it as often as you think...

     

    Still, without admitting that I ever have, if I were going to do that, I might limit unrestricted-shell access to root-holders.  Changing the PATH assignment in  /opt/hsc/data/ssh/hmcsshrc to something like:

    if [[ -f /usr/local/etc/allow-bash/$USER ]]
    then PATH=/hmcrbin/:/usr/hmcrbin:$HOME/bin
    else PATH=/hmcrbin/:/usr/hmcrbin
    fi
    export PATH
     

    and only populating  /usr/local/etc/allow-bash/ with trusted users...

    Or, even better, use a similar trigger to partition users into 3 categories: 1) root-users; 2) power-users; & 3) Rsh-users:

    if [[ -f /usr/local/etc/allow-sbash/$USER ]]
    then PATH=/hmcrbin/:/usr/hmcrbin:/usr/local/sbin

    elif [[ -f /usr/local/etc/allow-bash/$USER ]]
    then PATH=/hmcrbin/:/usr/hmcrbin:/usr/local/bin

    else PATH=/hmcrbin/:/usr/hmcrbin
    fi
    export PATH

     

    'course...  if you don't want to go to all that trouble, you could simply:

    # ln -s /bin/su /usr/hmcrbin

    and you get a very similar result...

     

    Disclaimer: If you act on any of the suggestions in this post, you're almost certainly violating your support agreement...  However, I'd prefer to think of it as misdemeanor assault, rather than the violent battery of a chsh command...

     

    All of that demands the question:  Why IS IBM so dedicated to closing loopholes that allow escape from Rsh???  WHAT have they to hide such that trusted holders of root-password aren't allowed to logon as root????  Is there some flaw in the HMC environment that they have to hide by keeping everyone locked up?  The mind boggles at the possibilities...


    #AIX-Forum
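    Bill Harvey's observation that a writable directory on PATH makes the restricted shell "impotent" is a general property of bash's restricted mode (rbash), which is what the thread has identified as the HMC's restricted shell: post 17 calls it a restricted bash shell and the --rcfile found above is what sets it up. rbash refuses command names containing a slash and refuses to change PATH, but it will run any command it finds on the PATH it was given, and it drops its restrictions for the process that runs a script. The script below is an added example written for this page, not anything taken from the HMC or from Bill's post. It runs three commands under bash -r and reports what each did. It assumes only that bash and /bin/sh are installed; the temporary directory and the throwaway myshell script are constructed for the demo and stand in for $HOME/bin and the "favourite shell" copied into it.

```shell
#!/bin/sh
# Added example: show why a writable PATH entry defeats bash's restricted mode.
# Assumes bash and /bin/sh exist; the work directory and "myshell" are
# constructed for the demo.

# demo_rbash_path: returns the word "refused escaped blocked" on a system
# where rbash behaves as documented.  Each word is one experiment.
demo_rbash_path() {
  work=$(mktemp -d) || return 1
  mkdir "$work/bin"

  # A stand-in for "copy your favourite shell into $HOME/bin".  The kernel
  # runs it through /bin/sh because of the shebang, so nothing about the
  # restricted caller carries over.
  printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$work/bin/myshell"
  chmod 755 "$work/bin/myshell"

  # 1. Restricted shell, system directories only on PATH: a command name
  #    with a slash in it is refused ("restricted: cannot specify `/'").
  if env PATH=/usr/bin:/bin bash -r -c '/bin/echo hi' >/dev/null 2>&1; then
    r1=allowed
  else
    r1=refused
  fi

  # 2. Same restricted shell, but the writable directory is on PATH.
  #    "myshell" has no slash, so rbash looks it up and runs it, and the
  #    /bin/sh it hands over to has no restrictions at all.
  r2=$(env PATH="$work/bin:/usr/bin:/bin" bash -r -c 'myshell -c "/bin/echo escaped"' 2>/dev/null)

  # 3. Same writable directory exists, but is not on PATH: "myshell" is not
  #    found, and naming it by path would trip the slash rule instead.
  r3=$(env PATH=/usr/bin:/bin bash -r -c 'myshell -c "/bin/echo escaped"' 2>/dev/null || echo blocked)

  rm -rf "$work"
  echo "$r1 $r2 $r3"
}
```

    Calling demo_rbash_path prints "refused escaped blocked". The middle word is the whole point: once a user-writable directory appears in the PATH that hmcsshrc assigns, the restricted shell is only as strong as the contents of that directory, so the allow-bash and allow-sbash gating above is equivalent to granting those users an unrestricted shell, and anyone reviewing an HMC should treat a writable PATH entry for a restricted user the same way. The first and third words show that the restriction itself holds as documented, which is why the thread's other escapes go through the pager, the boot loader or the rc file rather than through rbash directly.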


  • 31.  Re: HMC restricted shell

    Posted Sat December 09, 2006 12:15 AM

    Originally posted by: woofer


    The supported way to disable the restricted shell is to request a PTF from IBM that does just that. The customer accepts responsibility for any ill effects this action might have.
    #AIX-Forum


  • 32.  Re: HMC restricted shell v6.x

    Posted Tue June 05, 2007 12:02 PM

    Originally posted by: SystemAdmin


    Can you really request a PTF from IBM to have the restricted shell removed? Did anyone try this?

    If not, do the methods described earlier in this thread work with version 6.x of the HMC?
    #AIX-Forum