06-01-2012 04:57 AM
Discovery with restricted root access.
We are trying to discover a Linux host in an environment where, for security reasons, the "powers that be" have forbidden and therefore disabled remote root login by ssh. I guess this may be a common issue.
The server does have the ProLiant Support Pack installed and the firewall ports have been opened to allow access to the SMH.
The discovery as one would expect is somewhat incomplete. It does see the SMH and SNMP (although it fails to find a matching SNMP System Type Manager rule for sysObjID). It completes with the following major error: -
Major: The system cannot be identified properly for HP SIM to manage;
unable to get one or more of the following: model, serial number or
unique identifier (UUID). For management processors, verify the
system is running the latest firmware. For Linux based operating
systems, you must have dmidecode installed, enable the
PermitRootLogin and PasswordAuthentication in sshd, and use root
sign-in credential. For HP-UX, verify the sign-in credential. For
Windows, check if WMIMapper is configured correctly on the CMS and
verify the sign-in credential.
The powers that be are willing to type in the root password for the purpose of importing the management server certificate so that a trust relationship can be built between it and the SMH. I had hoped that this would allow the manager to gather all the extra information it needed to make a fuller discovery of the system. Sadly this was not the case; a subsequent discovery of the server did not glean any further information despite the existence of a trust relationship between the SMH and the Manager.
We can trick the discovery by manually entering the serial number of the server using "Edit System Properties" and then discovering the iLO. Information gleaned from the iLO is then used to further populate the information held about the server. At this point the picture looks good, but I suspect that the communication between host and manager is not working correctly; for instance, the status of the SMH (currently major) is not being reflected in the manager.
Most recently we have looked at "privilege elevation" using sudo; sadly, we suspect that discovery is not coded to be able to use the "privilege escalation" settings.
So, has anyone got any suggestions? Is there something we have overlooked? Or are we destined never to be able to get this to work properly without using direct root credentials?
Any help or suggestions most welcome.
07-22-2012 06:05 PM
Re: Discovery with restricted root access.
- Most recently we have looked at "privilege elevation" using sudo, sadly
- we suspect that discovery is not coded to be able to use the "privilege
- escalation" settings.
Sadly I suspect you're correct. :-(
I wanted to discover Linux systems using a non-root user account with Privilege Elevation (sudo) but, while I could see SIM 7.0 log in to the clients using the non-root account, there was never a sign of sudo (or other logging stubs I put in its place in my debugging) being invoked.
Root user or nothing, I believe.