
Unable to login with user having shell /usr/bin/cpcksh


I have installed PUM 2.3.1 and am using the AIX agent for a privileged shell. I have
created a user with the login shell set to /usr/bin/pcksh. When I try to log in to the
AIX server it hangs and I am unable to log in.

In the log file I see no error, and I am unable to see any logs related to
"user login".

Regards,
RK


--
rajeshemailto


Re: Unable to login with user having shell /usr/bin/cpcksh

rajeshemailto,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://forums.novell.com/


Re: Unable to login with user having shell /usr/bin/cpcksh


Rajesh,

While you can change the user's login shell to cpcksh (our
non-privileged shell), you'd have to create a rule within the Command
Control console to authorize this shell. A very simple rule would look
like the following:

For example:

Begin Rule: cpcksh
If ((command IN Cpcksh))
Then
Set Authorize: yes
Set Session Capture: yes
Stop if authorized
End If
End Rule: cpcksh


This would give the user an audited shell, but does NOT grant any
additional privileges. If I log in as 'brett', I still have 'brett's
rights, no more.

If you are trying to grant someone a root shell, you'll want to look at
pcksh. I wouldn't recommend changing the user's login shell to pcksh;
instead, use 'usrun' to invoke the shell when needed.

The way NPUM works is that you invoke commands using 'usrun' which then
sends the command, username, hostname and other environmental
information to the Command Control Manager (and Command Control rules
you've configured). We start at the top of the rules and run through
all of them until we either match or are told to stop.

If you want a non-privileged user to 'become root', then you'd
create a rule that allows the user to do so.

For example, here's a sample rule.

Begin Rule: pcksh as root
If ((command IN pcksh) AND (user IN Privileged))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Stop if authorized
End If
End Rule: pcksh as root


From the agent, you'd then run 'usrun pcksh' or 'usrun -u root pcksh'.
As long as the submit user (the user you are currently logged in as) is
in the "Privileged" group, we should match this rule and start a
privileged pcksh shell that is audited.


Hope this helps.

-Brett




rajeshemailto;12641 Wrote:
> I have installed PUM 2.3.1 and am using the AIX agent for a privileged shell. I have
> created a user with the login shell set to /usr/bin/pcksh. When I try to log in to the
> AIX server it hangs and I am unable to log in.
>
> In the log file I see no error, and I am unable to see any logs related to
> "user login".
>
> Regards,
> RK



--
deni

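An added illustration of the top-down rule walk Brett describes, fed the two rules from his reply. This is constructed demo code, not NPUM's; the command and user group contents, the basename matching, and the "Stop if authorized" semantics are assumptions made for the demo.

```python
import os
import re
# The two rules from the reply above, in the same text form.
RULES_TEXT = """Begin Rule: cpcksh
If ((command IN Cpcksh))
Then
Set Authorize: yes
Set Session Capture: yes
Stop if authorized
End If
End Rule: cpcksh
Begin Rule: pcksh as root
If ((command IN pcksh) AND (user IN Privileged))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Stop if authorized
End If
End Rule: pcksh as root"""

# Constructed stand-ins for the console's command and user groups (assumed).
GROUPS = {"command": {"Cpcksh": {"cpcksh"}, "pcksh": {"pcksh"}},
          "user": {"Privileged": {"brett"}}}

RULE_RE = re.compile(r"Begin Rule: (.+?)\nIf \((.+?)\)\nThen\n(.*?)End If", re.S)
TERM_RE = re.compile(r"\((\w+) IN (\w+)\)")
SET_RE = re.compile(r'Set ([\w ]+?)\s*[:=]\s*"?(\w+)"?')

def parse_rules(text):
    """Parse rule blocks; only AND-joined '<attr> IN <group>' terms are handled."""
    return [{"name": name, "terms": TERM_RE.findall(cond),
             "set": dict(SET_RE.findall(body)), "stop": "Stop if authorized" in body}
            for name, cond, body in RULE_RE.findall(text)]

def term_matches(attr, group, command, user):
    # Commands are compared by basename, so /usr/bin/pcksh counts as 'pcksh'.
    value = os.path.basename(command) if attr == "command" else user
    return value in GROUPS.get(attr, {}).get(group, set())

def evaluate(rules, command, user):
    """Walk top to bottom: a match applies its Set values; Stop ends it once authorized."""
    result = {"Authorize": "no"}
    for rule in rules:
        if all(term_matches(a, g, command, user) for a, g in rule["terms"]):
            result.update(rule["set"])
            result["matched"] = rule["name"]
            if rule["stop"] and result["Authorize"] == "yes":
                break
    return result
```

Running `evaluate(parse_rules(RULES_TEXT), "pcksh", "rk")` returns Authorize "no" because rk is not in the Privileged group, while the same call with "brett" authorizes with runUser "root".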

Re: Unable to login with user having shell /usr/bin/cpcksh


Thanks Deni!!

It's a little late, but I got this resolved by setting up the proper directory and file
permissions. Then, following the rules you specified above, I created the rule, and it
worked fine for me. Now, after creating different rules, I am stuck with the
rule for commands like cd & pwd.

I want to stop the user from running the 'cd' command. For this purpose, I have
created a rule with the command "cd*". But when I run the command on the
end server, it is not being blocked for the user. This behavior is the
same for the commands cd & pwd.

I have disabled all rules except "cd", but I am still not able to stop it. If I
replace the command "cd*" with "ls*", it works fine for a command like "ls
-ltr". I am not sure whether these commands are not controlled by the Command
Control manager, or whether it is some other issue.

Please help me to resolve this.

Rgds,
RK


--
rajeshemailto
