Forum Discussion

Luis_54441
Aug 01, 2008

Restricting user access rights to the BIGIP

Hi,

I am looking for a way to let a customer have SSH access so that he can:

+ see bigtop statistics
+ view logs
+ run TCPDUMP & SSLDUMP
+ but, DO NOT want him to have access to configuration utilities like bigpipe commands

I have read that for any type of account (Guest, Operator, Application Editor, Application Security Policy Editor, Manager, User Manager, Resource Administrator, Administrator) you have three possible types of terminal access:

- disabled: no ssh access
- Advanced Shell: access to the unix bash shell.
- bigpipe shell: access to F5's shell.

But I do not understand whether I have to enable the bigpipe shell to get the bigtop commands and the TCPDUMP & SSLDUMP utilities. It is also not very clear to me whether, if I select a guest role (no write permissions at all) but give that guest SSH access to the bigpipe shell, that user will be able to change the BIGIP configuration using bigpipe commands.

I will really appreciate any information regarding this issue.

Thanks very much

5 Replies

  • V9.1.3.

    Would it be different with other V9.x.x?

    Thanks very much
  • In v4.x you could create an ordinary CLI user with a custom UID and then use sudo to allow access to certain commands. In v9.x this was removed. Now all CLI users have to have UID=0 (when I say have to, F5's response was that only UID=0 is supported) and there is now no sudo.

    In other words, there is currently no way (short of compiling up a statically linked copy of sudo yourself for a 64-bit Linux and installing it) to do what you want.

    In 9.4.x it's supported to have web users with restricted access to certain groups of VS's, Pools, etc. But still no CLI separation.
  • Thanks very much,

    Any idea if in the 9.4 version the utilities ssldump and tcpdump can be launched from the web interface?
  • tcpdump is available in the web interface in 9.4, but I don't believe ssldump is.