Anonymous_User

SSHD restrictions

Hi,
I am following the manual for SSH excludes. The problem is there is no
attribute: uamPosixPAMServiceExcludeList

Any ideas of a workaround or fix?
Thanks

http://www.novell.com/documentation/oes2/oes_implement_lx_nw/index.html?page=/documentation/oes2/oes_implement_lx_nw/data/manage-ssh.html#manage-ssh
Restricting SSH Access to Only Certain LUM-Enabled Users

SSH Access is easily restricted for one or more users by making them
members of a LUM-enabled group and then disabling SSH access for that
group. All other group assignments that enable SSH access are then
overridden.

1. Open iManager in a browser using its access URL:

   http://IP_Address/iManager.html

   where IP_Address is the IP address of an OES 2 server with
   iManager 2.7 installed.
2. In the Roles and Tasks list, click Groups > Create Group.
3. Type a group name, for example NoSSHGroup, and select a context,
   such as the container where your other Group and User objects are
   located. Then click OK.
4. In the Roles and Tasks list, click Directory Administration >
   Modify Object.
5. Browse to the group you just created and click OK.
6. Click the Linux Profile tab.
7. Select the Enable Linux Profile option.
8. In the Add UNIX Workstation dialog box, browse to and select the
   UNIX Workstation objects for the servers you are restricting SSH access
   to, then click OK > OK.
9. Click Apply > OK.
10. In the Roles and Tasks list, click Modify Object, browse to the
    group again, then click OK.
11. Click the Other sub-tab.
12. In the Unvalued Attributes list, select
    uamPosixPAMServiceExcludeList, then click the left-arrow to move the
    attribute to the Valued Attributes list.
13. In the Add Attribute dialog, click the plus sign (+) next to the
    empty drop-down list.
14. In the Add item field, type sshd, then click OK > OK.
15. Click the Members tab.
16. Browse to and select the User objects that you don't want to have
    SSH access, then click OK.
17. Click Apply > OK.

10 Replies
Brunold Rainer

Re: SSHD restrictions

DrumDude,

are you on oes 1 or 2 ?

Rainer
Anonymous_User

Re: SSHD restrictions

brunold wrote:
> DrumDude,
>
> are you on oes 1 or 2 ?
>
> Rainer
>
>

Hi,
Sorry, OES2.
Thanks
Brunold Rainer

Re: SSHD restrictions

DrumDude,

I did this on an oes 2 test server and the instruction fits my configuration.

I would guess that the uamPosix extension of your noSSHGroup is missing because the uamPosixPAMServiceExcludeList attribute is part of that auxiliary class.

You can check that in iManager if you open in the roles and tasks the schema selection and choose object extensions. There browse to your NoSSHGroup and check if the "posixGroup" and the "uamPosixGroup" are listed as extensions.

If they are missing the lum-enabling of your group has failed. You can do that in the roles and tasks under Linux User Management selection / Enable Group for Linux.

After that try again to add the attribute to the group.

Rainer
Anonymous_User

Re: SSHD restrictions

brunold wrote:
> DrumDude,
>
> I did this on an oes 2 test server and the instruction fits my
> configuration.
>
> I would guess that the uamPosix extension of your noSSHGroup is missing
> because the uamPosixPAMServiceExcludeList attribute is part of that
> auxiliary class.
>
> You can check that in iManager if you open in the roles and tasks the
> schema selection and choose object extensions. There browse to your
> NoSSHGroup and check if the "posixGroup" and the "uamPosixGroup" are
> listed as extensions.
>
> If they are missing the lum-enabling of your group has failed. You can
> do that in the roles and tasks under Linux User Management selection /
> Enable Group for Linux.
>
> After that try again to add the attribute to the group.
>
> Rainer
>
>
The groups are LUM enabled correctly and the "posixGroup" and the
"uamPosixGroup" are listed as extensions.
Still I can not add uamPosixPAMServiceExcludeList as it does not exist.
If I create the attribute are there any more hooks required? Also what
should the ASN1 ID: value be?
Thanks
Anonymous_User

Re: SSHD restrictions

DrumDude wrote:
> brunold wrote:
>> DrumDude,
>>
>> I did this on an oes 2 test server and the instruction fits my
>> configuration.
>>
>> I would guess that the uamPosix extension of your noSSHGroup is missing
>> because the uamPosixPAMServiceExcludeList attribute is part of that
>> auxiliary class.
>>
>> You can check that in iManager if you open in the roles and tasks the
>> schema selection and choose object extensions. There browse to your
>> NoSSHGroup and check if the "posixGroup" and the "uamPosixGroup" are
>> listed as extensions.
>>
>> If they are missing the lum-enabling of your group has failed. You can
>> do that in the roles and tasks under Linux User Management selection /
>> Enable Group for Linux.
>>
>> After that try again to add the attribute to the group.
>>
>> Rainer
>>
>>

>
> The groups are LUM enabled correctly and the "posixGroup" and the
> "uamPosixGroup" are listed as extensions.
> Still I can not add uamPosixPAMServiceExcludeList as it does not exist.
> If I create the attribute are there any more hooks required? Also what
> should the ASN1 ID: value be?
> Thanks

It already exists in the Attribute Information????
I am confused as to why it does not show up following the directions from
the URL link in the documentation I sent in the first news mail?
Thanks
Brunold Rainer

Re: SSHD restrictions

DrumDude,

open iManager / Schema / Attribute Information, select the uamPosixPAMServiceExcludeList attribute and select view.

There is on the bottom a box called "Class using attribute:". Is the uamPosixGroup listed in there?

If not, something happened during the schema extension of oes 2 and that attribute was not added to the uamPosixGroup and therefore is not available at the group object.

Rainer
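The documented procedure in the first post and the schema check Rainer describes above come down to three facts that can be read from the directory over LDAP instead of clicked through in iManager: the attribute is defined in the subschema, the uamPosixGroup auxiliary class lists it in its MUST or MAY set (which is what iManager's "Class using attribute" box shows), and the LUM-enabled group actually carries the value sshd. The Python below is an added example written for this thread, not code from Novell or from any poster. It runs offline on constructed LDIF that imitates what a base-scope search of cn=schema for attributeTypes and objectClasses returns from eDirectory; the cn=schema base, the RFC 4512 description syntax and the group DN are assumptions about the reader's tree, and the OIDs are placeholders.

```python
import re

# Constructed sample data, not taken from the poster's server. A trimmed
# cn=schema subschema entry in RFC 4512 syntax; OIDs are placeholders. Long
# values are folded with a leading space, as LDIF allows, so the unfolding
# in parse_ldif_entry is exercised.
SCHEMA_OK = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.0.4.1 NAME 'uamPosixPAMServiceExcludeList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.0.6.1 NAME 'uamPosixGroup' AUXILIARY
  MAY ( uamPosixWorkstationList $ uamPosixPAMServiceExcludeList ) )
"""

# Same schema, but the attribute was never added to uamPosixGroup: the state
# the thread describes (attribute exists, "Class using attribute" is empty).
SCHEMA_BROKEN = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.0.4.1 NAME 'uamPosixPAMServiceExcludeList'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.0.6.1 NAME 'uamPosixGroup' AUXILIARY
  MAY ( uamPosixWorkstationList ) )
"""

# Constructed LUM-enabled group after the documented steps were completed.
GROUP_OK = """\
dn: cn=NoSSHGroup,ou=groups,o=example
objectClass: groupOfNames
objectClass: posixGroup
objectClass: uamPosixGroup
uamPosixPAMServiceExcludeList: sshd
member: cn=alice,ou=users,o=example
"""

# The same group before the attribute could be added (step 12 failed).
GROUP_PENDING = """\
dn: cn=NoSSHGroup,ou=groups,o=example
objectClass: groupOfNames
objectClass: posixGroup
objectClass: uamPosixGroup
member: cn=alice,ou=users,o=example
"""


def parse_ldif_entry(text):
    """Unfold one LDIF entry into {attribute name (lowercase): [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # RFC 2849 folding: drop the leading space
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _names(desc):
    """Lowercased names from NAME 'x' or NAME ( 'x' 'y' ) in a description."""
    m = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", desc)
    return [n.lower() for n in re.findall(r"'([^']*)'", m.group(0))] if m else []


def _oid_list(desc, keyword):
    """MUST/MAY list: either a single name or a $-separated list in parentheses."""
    m = re.search(r"\b%s\b\s+(?:\(([^)]*)\)|([A-Za-z0-9.;-]+))" % keyword, desc)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [x.strip().lower() for x in raw.split("$") if x.strip()]


def index_schema(ldif_text):
    """Return (defined attribute names, {class name: names it may or must hold})."""
    entry = parse_ldif_entry(ldif_text)
    attrs = set()
    for desc in entry.get("attributetypes", []):
        attrs.update(_names(desc))
    classes = {}
    for desc in entry.get("objectclasses", []):
        allowed = set(_oid_list(desc, "MUST")) | set(_oid_list(desc, "MAY"))
        for name in _names(desc):
            classes[name] = allowed
    return attrs, classes


def audit_ssh_exclusion(schema_ldif, group_ldif,
                        attribute="uamPosixPAMServiceExcludeList",
                        aux_class="uamPosixGroup", service="sshd"):
    """Run the thread's three checks; 'problems' lists the ones that failed."""
    attrs, classes = index_schema(schema_ldif)
    group = parse_ldif_entry(group_ldif)
    attr_l, class_l = attribute.lower(), aux_class.lower()
    group_classes = {c.lower() for c in group.get("objectclass", [])}
    result = {
        "attribute_defined": attr_l in attrs,
        "class_carries_attribute": attr_l in classes.get(class_l, set()),
        "group_lum_enabled": {"posixgroup", class_l} <= group_classes,
        "group_excludes_service": service.lower() in {v.lower() for v in group.get(attr_l, [])},
    }
    result["problems"] = [name for name, ok in result.items() if not ok]
    return result


if __name__ == "__main__":
    for label, schema, group in (("healthy", SCHEMA_OK, GROUP_OK),
                                 ("broken", SCHEMA_BROKEN, GROUP_PENDING)):
        r = audit_ssh_exclusion(schema, group)
        print(label, "->", "all checks pass" if not r["problems"] else "failed: " + ", ".join(r["problems"]))
```

Against a live tree, save the output of an ldapsearch of cn=schema (base scope, attributes attributeTypes and objectClasses) and of the group object to files and pass their text to audit_ssh_exclusion. The problems list names which of the three checks failed, and re-running it a few minutes after the NAM.SCH import is a cheap way to confirm the schema change has replicated to the server you read from.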
Anonymous_User

Re: SSHD restrictions

brunold wrote:
> DrumDude,
>
> open iManager / Schema / Attribute Information, select the
> uamPosixPAMServiceExcludeList attribute and select view.
>
> There is on the bottom a box called "Class using attribute:". Is the
> uamPosixGroup listed in there?
>
> If not, something happened during the schema extension of oes 2 and that
> attribute was not added to the uamPosixGroup and therefore is not
> available at the group object.
>
> Rainer
>
>

Hi,
No it is empty.
How do I add it?
Thanks
Brunold Rainer

Re: SSHD restrictions

DrumDude,

so it seems there were schema extension problems during the installation of the oes 2 server.

Is this single server tree or was this oes 2 server added to a netware tree ?

Can you check the schema in your tree if that is synchronized through all the server ?

The missing schema part regarding uamPosixPAMServiceExcludeList is stored in the file /opt/novell/sch/NAM.SCH. That one could be imported to edir using imanager. Importing might be a solution but the question is what else is missing from the edir schema. From my point importing the NAM.SCH should not break anything on this server or the other server. It should just add the missing attributes and class assignments for them.

Do you expect other problems as well on that server ?

Rainer
Anonymous_User

Re: SSHD restrictions

brunold wrote:
> DrumDude,
>
> so it seems there were schema extension problems during the
> installation of the oes 2 server.
>
> Is this single server tree or was this oes 2 server added to a netware
> tree ?
>
> Can you check the schema in your tree if that is synchronized through
> all the server ?
>
> The missing schema part regarding uamPosixPAMServiceExcludeList is
> stored in the file /opt/novell/sch/NAM.SCH. That one could be imported to
> edir using imanager. Importing might be a solution but the question is
> what else is missing from the edir schema. From my point importing the
> NAM.SCH should not break anything on this server or the other server.
> It should just add the missing attributes and class assignments for
> them.
>
> Do you expect other problems as well on that server ?
>
> Rainer
>
>

Hi,
No this server was added to existing NetWare 6.5 Tree.
Yes the Tree is in sync, there is only one partition "SLP" as broadcast
and multicast is disabled on the Cisco routers. Partition "SLP" is in sync.

Should I just use the OES Schema Tool to fix this?

No, I do expect other issues; I can login, manipulate files and trustee
file rights were migrated over OK to the NSS volume.
Thanks

Brunold Rainer

Re: SSHD restrictions

DrumDude,

you can do it where you want.
I would use imanager / schema / extend schema for it.

There you can select "Add schema from a file" on the first page, switch the file type to schema file on the second page and activate the "Run in verbose mode" and "Do not add but compare schema" for a dry run and if that is okay import it.

After importing wait a few minutes till the schema was distributed in the tree (checking that is a good idea) and then check the lum enabled group for that attribute once again.

Rainer