第 1 步:在要用于自动化的 F5 帐户上启用 SSH 公钥身份验证:
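# Step 1: install the local public key for the F5 "admin" account so that
# later automation can log in without a password.
MY_KEY=$(cat ~/.ssh/id_rsa.pub)
WAF_IP=10.0.0.100
# Optional: change the SSH port or add other settings. Kept as an array so
# each option stays a separate word when expanded.
SSH_OPTIONS=(-p 50001)
# This will prompt for the admin password twice (once per ssh command below),
# after which key-based login should work.
ssh "${SSH_OPTIONS[@]}" "admin@$WAF_IP" 'modify auth user admin shell bash'
# The key is sent on stdin instead of being pasted into the remote command
# line, so its content is never interpreted by the remote shell.
# NOTE: tee overwrites authorized_keys, so any key already installed for
# admin is replaced by this one.
printf '%s\n' "$MY_KEY" |
  ssh "${SSH_OPTIONS[@]}" "admin@$WAF_IP" 'sudo tee /home/admin/.ssh/authorized_keys >/dev/null'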
第 2 步:设置自动化帐户后,您可以使用以下方法创建新的本地 F5 帐户:
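# Step 2: create local F5 accounts and install one SSH public key set per user.
# Requires bash 4+ (associative array) and WAF_IP from step 1.
: "${WAF_IP:?set WAF_IP to the F5 management address first}"
Users="user1 user2 user3"
declare -A sshkeys=()
sshkeys[user1]=$(cat /home/USERNAME/.ssh/id_rsa.pub) #Source from local home folder
# -f makes curl fail on an HTTP error instead of returning the error page,
# which would otherwise be written into authorized_keys.
# NOTE(review): whoever can change the keys on the remote account gains the
# role granted below; review the fetched keys before installing them.
sshkeys[user2]=$(curl -fsS https://github.com/torvalds.keys) #Source from public github
#Setup ~/.netrc with a line like: machine github-enterprise.private.com login x-oauth-basic password INSERT_Personal_Access_Token_HERE
# ~/.netrc holds a token: keep it readable by its owner only (chmod 600).
sshkeys[user3]=$(curl -fsSn "https://github-enterprise.private.com/api/v3/users/USERNAME/keys" | jq --raw-output '.[] | .key')
for SSHUser in $Users
do
  key=${sshkeys[$SSHUser]}
  # Never create an account whose key lookup failed or came back empty.
  if [[ -z "$key" ]]; then
    echo "Skipping $SSHUser: no public key retrieved" >&2
    continue
  fi
  echo -e "Adding WAF account for $SSHUser"
  # NOTE(review): this grants the admin role on all partitions; use a
  # narrower role/partition where the user does not need full control.
  ssh -p 50001 "admin@$WAF_IP" "tmsh create auth user $SSHUser shell bash partition-access add { all-partitions { role admin } }"
  # The key travels on stdin rather than inside the remote command string,
  # so a quote character in fetched key data cannot alter the command that
  # runs as admin on the device. tee overwrites any existing file.
  printf '%s\n' "$key" |
    ssh -p 50001 "admin@$WAF_IP" "sudo mkdir -p /home/$SSHUser/.ssh && sudo tee /home/$SSHUser/.ssh/authorized_keys >/dev/null"
  #Permissions don't seem to matter. all home files owned by root:webusers
done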
第 3 步:然后用户可以登录并为其帐户设置密码。
# Step 3 (run by the new user): log in with the SSH key installed in step 2.
ssh -p 50001 user1@10.0.0.100
# Then, inside that remote session, set a password for the account:
passwd
然后,该密码将允许用户登录 Web 门户。