Re: p650 HMC software version Upgrade?

From: Stefan Strandfelt (stefan_strandfelt@YAHOO.COM)
Date: Tue Mar 23 2004 - 03:07:04 EST


How to get around the new security implementation running HMC R3v2.6
lshmc -V
Release: 3
 Version: 2.6
HMC Build level 20040113.1

0. If you follow this HowTo, you do it at your own risk; no guarantees are given at all, you are on
your own!

1. Enable Remote Command Execution with ssh
Hardware Management Console -> Navigation Area -> HMC Maintenance
Enable or Disable Remote Command Execution
Tick the box next to "Enable remote command execution using the ssh facility"

2. Create the hscpe user.
Hardware Management Console -> Navigation Area -> HMC Management -> Users
Users -> New -> Users
Login name: hscpe
Full name: hscpe
User role: System Administrator

3. Get PE Password
3a. Log on to the HMC with ssh as the user hscpe and run the following
    command to get the serial number of the HMC.
    [hscpe@hmc1 hscpe]$ lshmc -v | grep ^*SE
    *SE 10AA01A
    [hscpe@hmc1 hscpe]$

3b. Contact IBM and supply them with the serial number of your HMCs.

4. Get around the new security implementation and export the HMC GUI to another machine!

Get around the restricted shell and get a working environment.

aix1:/ ssh hscpe@hmc1 # Log on to the HMC with ssh as the user hscpe
hscpe@aixhmc1's password:
[hscpe@hmc1 hscpe]$ SE=`lshmc -v | grep ^*SE | cut -c 5-`
[hscpe@hmc1 hscpe]$ pesh $SE
Password: # Use the password you got from IBM.
[hscpe@hmc1 hscpe]$
[hscpe@hmc1 hscpe]$ echo $PATH
/opt/IBMJava2-131/jre/bin:/bin:/usr/bin:/usr/local/bin:/usr/bin/X11:/usr/X11R6/bin:/opt/hsc/bin:/opt/csm/bin:/opt/IBMJava2-131/jre/bin:
[hscpe@hmc1 hscpe]$
[hscpe@hmc1 hscpe]$ vi /home/hscpe/.mysshrc # Add the path you got above to the PATH line and comment out the set -r row.
[hscpe@hmc1 hscpe]$
[hscpe@hmc1 hscpe]$ cat /home/hscpe/.mysshrc
PATH=/opt/IBMJava2-131/jre/bin:/bin:/usr/bin:/usr/local/bin:/usr/bin/X11:/usr/X11R6/bin:/opt/hsc/bin:/opt/csm/bin:/opt/IBMJava2-131/jre/bin:
#PATH=/opt/IBMJava/jre/bin/:/usr/local/bin:/hmcrbin/:/usr/hmcrbin:
export PATH
#set -r
[hscpe@hmc1 hscpe]$

Now we need to make sure that the file "/home/hscpe/.mysshrc" does NOT get changed
and we need to get the X11 forwarding working, since IBM has not followed the
sshd manpage regarding the use of "$HOME/.ssh/rc" and "/etc/ssh/sshrc";
this may however have been done on purpose to prevent X11 forwarding from working.

[hscpe@hmc1 hscpe]$ su - # Become root
Password: # Use the default password which is "passw0rd" if you haven't changed it.
[root@hmc1 root]#
[root@hmc1 root]# cat /etc/ssh/sshrc
cp /opt/hsc/data/ssh/hmcsshrc $HOME/.mysshrc 2>/dev/null
chmod 555 $HOME/.mysshrc 2>/dev/null
cp /opt/hsc/data/ssh/bashrc $HOME/.bashrc 2>/dev/null
chmod 555 $HOME/.bashrc 2>/dev/null
cp /opt/hsc/data/ssh/hmcprofile $HOME/.bash_profile 2>/dev/null
chmod 555 $HOME/.bash_profile 2>/dev/null
[root@hmc1 root]#
[root@hmc1 root]# mv /etc/ssh/sshrc /etc/ssh/sshrc.`date +%Y%m%d` # move the file
[root@hmc1 root]#
[root@hmc1 root]# cat /home/hscpe/.ssh/rc
cp /opt/hsc/data/ssh/hmcsshrc $HOME/.mysshrc 2>/dev/null
chmod 555 $HOME/.mysshrc 2>/dev/null
cp /opt/hsc/data/ssh/bashrc $HOME/.bashrc 2>/dev/null
chmod 555 $HOME/.bashrc 2>/dev/null
cp /opt/hsc/data/ssh/hmcprofile $HOME/.bash_profile 2>/dev/null
chmod 555 $HOME/.bash_profile 2>/dev/null
[root@hmc1 root]#
[root@hmc1 root]# mv /home/hscpe/.ssh/rc /home/hscpe/.ssh/rc.`date +%Y%m%d` # move the file
[root@hmc1 root]#

Log out from the HMC

Now to verify that we got a working environment where we can export
the HMC GUI to another machine without running pesh and requesting
PE passwords all the time.

aix1:/ export DISPLAY=10.10.10.10:0.0 # Export the display to the machine where you want the HMC GUI exported to!
aix1:/ xclock # To verify that the export of the display works.
aix1:/
aix1:/ ssh hscpe@hmc1 # Log on to the HMC with ssh as the user hscpe
hscpe@aixhmc1's password:
[hscpe@hmc1 hscpe]$ wsm & # Now you should get the HMC GUI after a little while.

Now you should have a working environment where you can export the HMC GUI to another machine
without the need for PE passwords!

This short How To has been made by:
Stefan Strandfelt
stefan_strandfelt@yahoo.com

If you update this HowTo, you must send the updated HowTo to the author.
2003-11-26 v1.0 First version for R3v2.5
2003-11-27 v1.1 Corrected some typos.
2004-02-09 v1.2 Updated for R3V2.6

--- "Ralph R. Rye" <RyeR@SCHNEIDER.COM> wrote:
> We are running Release 3 Version 2.6 on our HMC's, and it seems to work
> fine.
>
> You can still ssh into the system remotely but you are given a restricted
> shell. You can get around this by logging into the hmc directly as hmcroot
> and then su to root. Then go to your home dir and edit your .bashrc and
> remove the entries for sourcing the .mysshrc file. You can then su and
> modify your .bashrc as you like.
>
> Let me know if you have any issues.
>
> Ralph
>
> From: John F Riordan <jriorda2@CSC.COM>
> Sent by: IBM AIX Discussion List <aix-l@Princeton.EDU>
> Date: 03/22/2004 10:28 AM
> Please respond to IBM AIX Discussion List
> To: aix-l@Princeton.EDU
> cc:
> Subject: p650 HMC software version Upgrade?
>
> Hi All,
>
> Looking to see if anyone has updated their HMC software version to the
> latest.
> We are running Release 3 Version 2.2. IBM wants us to upgrade to the
> latest, 2.6 (I think) however, I was told by support that the newer version
> does not support remote connections to the HMC via ssh. I really don't
> want to lose this feature.
>
> Has anyone upgraded and has anyone found a work around for this new "lack
> of feature".
>
> Thanks in advance.
> John
>
>
>
> John Riordan
> Unix Systems Administrator
> CSC / Bath Iron Works
> Bath, Maine
> jriorda2@csc.com
> 207.442.1094
>

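The changes described in the message above leave recognizable traces: the two sshd rc hooks are gone (renamed with a date suffix), and .mysshrc no longer has an active set -r or matches /opt/hsc/data/ssh/hmcsshrc. The following is an added example, not part of the original message or of IBM's software, that audits a filesystem tree for those conditions; the function names, the ROOT prefix argument and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File paths are the ones shown in
# the post; function names and the ROOT prefix argument are hypothetical.
# audit_hmc_shell ROOT HOME: print one finding per line; status 1 if any.
audit_hmc_shell() {
    root=$1; home=$2; bad=0
    note() { echo "$1"; bad=1; }
    # sshd runs these rc hooks at login; they re-copy the restricted profile.
    for rc in "$root/etc/ssh/sshrc" "$root$home/.ssh/rc"; do
        if [ ! -f "$rc" ]; then note "MISSING_HOOK $rc"
        elif ! grep -q 'hmcsshrc' "$rc"; then note "ALTERED_HOOK $rc"
        fi
    done

    prof="$root$home/.mysshrc"; tmpl="$root/opt/hsc/data/ssh/hmcsshrc"
    if [ ! -f "$prof" ]; then note "MISSING_PROFILE $prof"
    else
        # Only an uncommented 'set -r' puts the shell into restricted mode.
        grep -Eq '^[[:space:]]*set[[:space:]]+-r' "$prof" || note "NO_SET_R $prof"
        # The hooks install the profile as a plain copy of the template.
        if [ -f "$tmpl" ]; then cmp -s "$tmpl" "$prof" || note "NOT_TEMPLATE $prof"; fi
    fi

    # Date-suffixed copies (sshrc.YYYYMMDD) remain when the hooks are moved.
    for f in "$root"/etc/ssh/sshrc.* "$root$home"/.ssh/rc.*; do
        if [ -e "$f" ]; then note "RENAMED_HOOK $f"; fi
    done
    return "$bad"
}

# Constructed sample trees: $1/ok is intact, $1/mod has the post's changes.
make_sample_trees() {
    for t in ok mod; do
        mkdir -p "$1/$t/etc/ssh" "$1/$t/home/hscpe/.ssh" "$1/$t/opt/hsc/data/ssh"
        printf 'PATH=/usr/hmcrbin:\nexport PATH\nset -r\n' > "$1/$t/opt/hsc/data/ssh/hmcsshrc"
    done
    hook='cp /opt/hsc/data/ssh/hmcsshrc $HOME/.mysshrc 2>/dev/null'
    echo "$hook" > "$1/ok/etc/ssh/sshrc"
    echo "$hook" > "$1/ok/home/hscpe/.ssh/rc"
    cp "$1/ok/opt/hsc/data/ssh/hmcsshrc" "$1/ok/home/hscpe/.mysshrc"
    echo "$hook" > "$1/mod/etc/ssh/sshrc.20040209"
    echo "$hook" > "$1/mod/home/hscpe/.ssh/rc.20040209"
    printf 'PATH=/bin:/usr/bin:\nexport PATH\n#set -r\n' > "$1/mod/home/hscpe/.mysshrc"
}

# Demo: audit the modified sample tree (prints six findings).
demo=$(mktemp -d); make_sample_trees "$demo"
audit_hmc_shell "$demo/mod" /home/hscpe || echo "enforcement not intact"
rm -rf "$demo"
```

On a real console the call would be audit_hmc_shell "" /home/hscpe, run as a user who can read all of the listed paths.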



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:44 EDT