Friday, October 24, 2008

How to have root access to callmanager 6.x and 7.x Testing

There are 2 ways to do this.

-One is to modify the permissions of the grub configuration using a Knoppix CD,
become a "semi" root, and then inject the newly created user into the shadow
and passwd files. This is also a great option, especially when you have
2 versions of Unified Communications Manager running on the box, for example
UC 6.X in the inactive partition and UC 7 in the active partition. The complete
process will be in the other lesson :). This process is a little bit
complicated, but it works like a champ when you have 2 versions running on the
server. You will also need to know the partition structure to boot up
successfully. After trying a couple of times I found out that you need to boot
from /dev/sda2 in "single" mode to gain complete access; if you boot from one
of the other sda partitions, root will not perform as "super root". This one
took me a while to find out.

-Before proceeding, I am assuming that you already have a working
Unified Communications Manager 6 or 7 running on an approved MCS server.
-Download an ISO of CentOS 5.2 CD Disk 1
-Burn the image to a CD
-Insert the CD into the Drive
-Turn on the Server
-Let the server boot from the CD
-On the CentOS startup screen, type linux rescue and press enter
boot: linux rescue
-Select the appropriate language
-Select the Country
-Select if you want to start the network service or not, if so
-Highlight eth0
-Configure eth0
-Continue the pre-boot process
-The server will continue the booting process until you are in the shell
-Once in the shell type
#chroot /mnt/sysimage
#lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
#chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
#useradd [enter a desired username] <---such as cesar
#passwd [enter the newly desired username] <----this will ask twice for a password for the new user
#usermod -g root [your new username] <---this will put this user in the root group (as its primary group); you are not a real superuser yet, but you can move around freely when connecting to the Unified Communications Manager console.
#service network start <---this will really start the network services
#service sshd start <-----this will start the ssh server
#ifup eth0 <------this will bring up eth0 for sure!

Great, we are almost done. While you are here you can also do the following:
-Mount a USB drive, for example, so you can copy files between the server and your USB drive.
-To do this:
-Insert the USB drive
-While in the shell type
#cd /dev
#ls
-Look for the newly attached USB drive; it should be something like (sdb1). If so, proceed to mount the USB drive by doing the following:
#mount sdb1 /mnt/usb
-Your USB drive should now be mounted and ready for use. You can also mount the USB drive permanently, but that's for a later lesson...
-Remember that this newly created account will not let you do much, but you can browse around as the new user, including remotely via ssh. If you want to modify a file remotely and the file is secured, you may need to log in as root first and change the permissions of the file, so you can later modify it using the new user account you just created.

How to change a file's permissions?
#chmod 777 [filename]
-It is a good idea to put the file back to its original permission settings after you have modified it, just to keep the integrity of the file structure.

::::::::::::::::::::::::Please read carefully before doing anything else:::::::::
Anything you do from here may cause the Unified Communications Manager not to start!!

-While in the root shell you can change the permissions on any file you want to modify. Remember that you can't do this as the user you have just created... this is because you still need to move the root account out of the equation by doing the following:
#usermod -u 20000 root
#usermod -u 0 [your new username]
****NOTE: At this point you are now the super user of the box, but when you do this Unified Communications Manager may not start properly... So BE CAREFUL!!
-Also, while in root we can go ahead and modify iptables, for example to install webmin and manage the box via web port 10000, although you may need to install a couple of other scripts, but it is not hard. Also, if you are not a "vi" fanatic, go ahead and install nano via USB or by using the wget command; again, you may need some other scripts to run nano, and of course access to the internet.

*Also FYI
The platform user belongs to the following groups.
administration sftpuser platform tomcat ccmbase ccmsyslog
The root user belongs to the following groups.
Wheel root bin daemon sys adm disk
-Remember that how you allocate your users and groups will dictate their access.
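
The account changes above leave recognisable traces in /etc/passwd: a new account whose primary GID is 0, a second account holding UID 0, and root moved off UID 0. As an added example (not part of the original post), this shell function audits a passwd-format file for those three conditions; the sample lines are constructed and the finding labels are made up for the example.

```shell
#!/bin/sh
# Added example: flag the /etc/passwd changes made by the procedure above.
# Reads a passwd-format file (or stdin), prints one finding per line,
# and returns 1 when anything was flagged. Finding labels are hypothetical.
audit_passwd() {
    awk -F: '
        BEGIN {
            # Red Hat-family accounts that ship with primary GID 0.
            n = split("sync shutdown halt operator", s, " ")
            for (i = 1; i <= n; i++) stock[s[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        NF != 7 { print "MALFORMED line " NR; bad = 1; next }
        $1 == "root" {
            seen_root = 1
            if ($3 != 0) { print "ROOT_UID_CHANGED root uid=" $3; bad = 1 }
            next
        }
        $3 == 0 { print "EXTRA_UID0 " $1; bad = 1; next }   # second superuser
        $4 == 0 && !($1 in stock) { print "PRIMARY_GID0 " $1 " uid=" $3; bad = 1 }
        END {
            if (!seen_root) { print "ROOT_MISSING"; bad = 1 }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real server.
# "cesar" is the example username used in the post.
sample_passwd() {
    case "$1" in
        group) echo 'root:x:0:0:root:/root:/bin/bash'
               echo 'cesar:x:500:0::/home/cesar:/bin/bash' ;;   # after usermod -g root
        swap)  echo 'root:x:20000:0:root:/root:/bin/bash'
               echo 'cesar:x:0:0::/home/cesar:/bin/bash' ;;     # after both usermod -u
        *)     echo 'root:x:0:0:root:/root:/bin/bash' ;;        # untouched baseline
    esac
    echo 'operator:x:11:0:operator:/root:/sbin/nologin'
}

for stage in clean group swap; do
    echo "== $stage"
    sample_passwd "$stage" | audit_passwd || echo "(findings above)"
done
```

On a live system, run `audit_passwd /etc/passwd`; `lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow` additionally shows whether the immutable attribute that the procedure clears with `chattr -i` is still present.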







*****************UPDATE*************************************


After reviewing several corners, I thought: wait, why add another user and play
with the group allocations and all that, when we can just access the Unified
Communications Manager like a member of Cisco TAC would? What I am trying to
accomplish here is to access the box and at the same time maintain the integrity
of the box as much as possible, without modifying too many things on the UCM
server platform.

So, I will call this the Remote Account Process.

On a working server or environment we will do the following:
-Connect to the UCM console using an SSH client
-Proceed to enable a remote account
admin:utils remote_account enable
-Proceed to create a remote_account user
admin:utils remote_account create [ournew_remote_account_username] [number of days that we want this account to remain active]
example
admin:utils remote_account create ciscotac 30
-The above example will create a remote account user named ciscotac, and it will be
valid for 30 days.
-Once we have successfully created a remote_account, we will proceed to reboot the
server cleanly.
admin:utils system restart
-Proceed to insert the CentOS 5.2 Disk 1
-on the Boot option enter linux rescue
boot:linux rescue
-Once you are in the linux shell
-Proceed to do the following
#lsattr /etc/passwd /etc/group /etc/shadow /etc/gshadow
#chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
#passwd [enter the username that you have created for the remote account user]
-Enter the new password that you want for the new remote account user twice
-eject the CentOS 5.2 DISK 1
-Reboot the server by doing the following
#shutdown -r now
-Once Unified Communications Manager has completely rebooted, simply use an SSH
client to log in to UCM with the remote account username and password; you will see
the following message
