Managing users with dsh and chpasswd - (plus info on DSM and dping)

Starting with AIX 7.1, CSM is no longer supported or available. It has been replaced by Distributed Systems Management (DSM). Section 5.2 of the IBM AIX 7.1 Differences Guide Redbook provides details of the new DSM capabilities.
Fortunately DSM still provides access to the dsh command. I’ve written about how I’ve used this utility in the past. The new dsh command (and other tools) are provided in the new DSM filesets named dsm.core and dsm.dsh.
root@nim# lslpp -L dsm*
File
----
dsm.
dsm.

root@nim# lslpp -w /usr/bin/dsh
Fil
----
/usr
These filesets are NOT installed by default. You must manually install them. They can be found on your AIX 7.1 media.
If dsh is something you use, then I recommend you read the section on DSM in the Redbook. Also take a look at section 5.2.7, Using DSM and NIM, which describes how you can integrate DSM and NIM and completely automate the installation of AIX:
“The AIX Network Installation Manager (NIM) has been enhanced to work with the Distributed System Management (DSM) commands. This integration enables the automatic installation of new AIX systems that are either currently powered on or off.”
Although I’ve written about the dsh command before, there’s one usage I’ve not covered. And that is using dsh to manage users across a group of LPARs. In particular, changing a user’s password.
Before I go any further, I should state that for the following to work you must first configure ssh keys on your NIM master (or central management AIX system) so that you can communicate with all of your AIX systems via SSH, as root, without being prompted for a password. Read my article on dsh to find out how to do this if necessary.
In the following example, I use dsh from my NIM master. It is my central point of control for my AIX environment.
My ssh keys for root on my NIM master have been generated and distributed to all of my LPARs.
root@nim# ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /.ssh/id_dsa.
Your public key has been saved in /.ssh/id_dsa.pub.
The key fingerprint is:
ed:1
The key's randomart image is:
+--[ DSA 1024]----+
| ... .. . |
| . ..o .+ |
| o . =. .+ |
| . o = = = |
|E + o S . |
| . + + |
| . o . |
| |
| |
+-----------------+

root@nim# ls -ltra
total 40
-rw------- 1 root system 214 17 Sep 2010 authorized_keys
drwxr-xr-x 7 root system 4096 16 Nov 11:43 ..
-rw-r--r-- 1 root system 3615 16 Nov 12:04 known_hosts
-rw-r--r-- 1 root system 601 16 Nov 12:06 id_dsa.pub
-rw------- 1 root system 672 16 Nov 12:06 id_dsa
drwx------ 2 root system 256 16 Nov 12:06 .
On my AIX LPARs, the authorized_keys file has been updated with the public ssh key from my NIM master:
root@aixlpar1 [/.ssh]# chmod 600 known_hosts authorized_keys
root@aixlpar1 [/.ssh]# ls -ltr
total 0
-rw------- 1 root system 406 Sep 29 15:30 known_hosts
-rw------- 1 root system 601 Nov 16 12:07 authorized_keys

root@aixlpar1 [/.ssh]# cat authorized_keys
ssh-dss AAAA
On the NIM master, the root user was configured for the DSH environment. The following entry was placed in root's .profile:

root@nim# cat /.profile
ENV=$HOME/.kshrc

The following entries were placed in root's .kshrc file:

root@nim# cat /.kshrc
export DSH_
export DSH_

A /usr

root@nim# cat /usr
aixlpar1
aixlpar2
aixlpar3
aixlpar4
aixlpar5
aixlpar6
aixlpar7
aixlpar8
aixlpar9
aixlpar10
aixlpar11
The first time that the dsh command is run against a new host, the following message will be displayed. dsh connects using the FQDN, so the FQDN needs to be present in root's known_hosts file for ssh. Therefore you must first make an ssh connection to the host using its FQDN:

root@nim# dsh uptime
aixlpar1.cg.com.au : Host key verification failed.
dsh: 2617-009 aixlpar1.cg.com.au remote shell had exit code 255
It is necessary to ssh directly to each node using its FQDN, and to check the fingerprint presented against the one recorded on the node before answering yes. This step is only required once for each node. For example:

root@nim# ssh aixlpar1.cg.com.au
The authenticity of host 'aixlpar1.cg.com.au (172.1.6.17)' can't be established.
RSA key fingerprint is 83:1
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'aixlpar1.cg.com.au ' (RSA) to the list of known hosts.
Last unsuccessful login: Tue Sep 27 03:04:33 GMT+10:00 2011 on ssh from 172.1.6.15
Last login: Wed Nov 16 12:08:08 GMT+11:00 2011 on /dev/pts/3 from nim
root@aixlpar1 [/root]# exit
Connection to aixlpar1.cg.com.au closed.
Now we can use the dsh command to run a command across all the nodes defined in the DSH_NODE_LIST. For example, the following command will run the uptime command on all nodes:
root@nim# dsh uptime
aixlpar1.cg.com.au : 12:14PM up 10 days, 22:32, 3 users, load average: 0.47, 0.53, 0.64
aixlpar2.cg.com.au : 12:14PM up 21 days, 21:13, 1 users, load average: 0.11, 0.31, 0.51
aixlpar3.cg.com.au : 12:14PM up 15 days, 20:33, 5 users, load average: 0.17, 0.43, 0.54
...etc...
With dsh now configured, we can use it to perform several admin tasks from a central location. For example, the following commands will:

1. Create a user, named cg, on all nodes.
2. Set cg's password to abc123 using the chpasswd command.
3. Remove the ADMCHG flag for the user cg. This will stop them from being prompted to change their password on their first login attempt.
First I check that the user does not exist on the AIX systems.

root@nim# dsh lsuser cg
aixlpar1: 3004-687 User "cg" does not exist.
aixlpar2: 3004-687 User "cg" does not exist.
aixlpar3: 3004-687 User "cg" does not exist.
aixlpar4: 3004-687 User "cg" does not exist.
aixlpar5: 3004-687 User "cg" does not exist.
...etc...
I create the user with the mkuser command.
root@nim# dsh mkuser cg
I confirm that the user has been created on all the AIX systems, with the lsuser command.
root@nim# dsh lsuser cg
aixlpar1: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 acco
aixlpar2: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 acco
aixlpar3: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 acco
I set the user's password to abc123 using the chpasswd utility. I also remove the ADMCHG flag (the -c option) so that the user is not prompted to change their password on their first logon attempt.
root@nim# dsh 'echo cg:abc123 | chpasswd -c'
I confirm that I can log on as the new user with the specified password, on one of the AIX LPARs.

root@nim# ssh cg@aixlpar1
cg@aixlpar1's password:
Last login: Thu Mar 1 20:05:01 CST 2012 on /dev/pts/1 from aix71
$ id
uid=204(cg) gid=1(staff)
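As an added example (not from the original post), this script checks the result of the mkuser step before the password is set: it parses the output of dsh lsuser for the user and reports nodes where the user is still missing, and nodes where the uid differs from the others (the output above shows id=204 on every node; a different uid on one node usually means a local account already held that number, which matters for file ownership on shared storage). The dsh output below is a constructed sample; in real use it comes from dsh lsuser cg.

```shell
#!/bin/sh
# Added example, not from the original post. Post-checks for the dsh user
# provisioning procedure above: parse "dsh lsuser USER" output and report
# (a) nodes where the user is missing and (b) nodes whose uid differs from
# the majority, so a partially failed dsh run is caught before chpasswd.

# Constructed sample of dsh lsuser output: three nodes created the user with
# uid 204, one node failed, and one node handed out a different uid.
SAMPLE='aixlpar1: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh
aixlpar2: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh
aixlpar3: 3004-687 User "cg" does not exist.
aixlpar4: cg id=205 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh'

# missing_nodes USER < dsh-output : print nodes where lsuser reported no user
missing_nodes() {
    awk -v u="$1" '$0 ~ "User \"" u "\" does not exist" { sub(/:$/, "", $1); print $1 }'
}

# uid_mismatches USER < dsh-output : print node=uid for every node whose uid
# is not the majority uid; prints nothing when all nodes agree.
uid_mismatches() {
    awk -v u="$1" '
        $2 == u {
            node = $1; sub(/:$/, "", node)
            for (i = 3; i <= NF; i++)
                if ($i ~ /^id=/) { uid[node] = substr($i, 4); count[substr($i, 4)]++ }
        }
        END {
            best = ""; for (x in count) if (best == "" || count[x] > count[best]) best = x
            for (n in uid) if (uid[n] != best) print n "=" uid[n]
        }'
}

# check_provisioning USER [OUTPUT] : 0 only if every node has the user with a
# consistent uid; otherwise print the problems and return 1.
check_provisioning() {
    user=$1; out=${2:-$SAMPLE}
    missing=$(printf '%s\n' "$out" | missing_nodes "$user")
    bad=$(printf '%s\n' "$out" | uid_mismatches "$user")
    [ -z "$missing" ] && [ -z "$bad" ] && return 0
    [ -n "$missing" ] && printf 'user %s missing on: %s\n' "$user" "$missing"
    [ -n "$bad" ] && printf 'uid differs on: %s\n' "$bad"
    return 1
}
```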
Another nice feature of dsh is the dshbak utility, which groups the output of a dsh command by host. For example:

root@nim 520 [/.ssh]# dsh errpt | dshbak
HOST: aixlpar1.cg.com.au
----
IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
AA8AB241   1116110811 T O OPERATOR       OPERATOR NOTIFICATION
A6DF45AA   1104135011 I O RMCdaemon      The daemon is started.
2BFA76F6   1104134111 T S SYSPROC        SYSTEM SHUTDOWN BY USER
9DBCFDEE   1104134111 T O errdemon       ERROR LOGGING TURNED ON

HOST: aixlpar2.cg.com.au
----
IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
DE9A52D1   1111012611 I S rmt10          AAA1
4865FA9B   1111012211 P H rmt10          TAPE OPERATION ERROR
DE9A52D1   1110233511 I S rmt0           AAA1
4865FA9B   1110225511 P H rmt0           TAPE OPERATION ERROR
DE9A52D1   1109180311 I S rmt0           AAA1
4865FA9B   1109180011 P H rmt0           TAPE OPERATION ERROR
DE9A52D1   1108180411 I S rmt2           AAA1
4865FA9B   1108180211 P H rmt2           TAPE OPERATION ERROR
DE9A52D1   1108165711 I S rmt6           AAA1
4865FA9B   1108165111 P H rmt6           TAPE OPERATION ERROR
A2205861   1102085311 P S SYSPROC        Excessive interrupt disablement time
F7FA22C9   1031134111 I O SYSJ2          UNABLE TO ALLOCATE SPACE IN FILE SYSTEM
DE9A52D1   1030163411 I S rmt0           AAA1
4865FA9B   1030163411 P H rmt0           TAPE OPERATION ERROR
....etc....
WARNING: Please be VERY CAREFUL when using the dsh command. Issuing the wrong command can cause damage to all your AIX LPARS!
The dsm.dsh package contains the following utilities:
# lslpp -f dsm.dsh | grep /usr/bin
If you are a fan of the dping command, you are going to be disappointed. Although the command is currently included in the dsm.dsh fileset, it probably won’t be for much longer.
The command works, “sort of”:
root@nim# dping aixlpar1
aixlpar1: ping (alive)

But if you run 'dping -a':

root@nim# dping -a
dping: 2651-095 CSM license has expired or has not been accepted. Run csmconfig -L if you have installed a new release.
According to the developers, dping is no longer supported and will eventually be removed from the DSM package. The response from the developers was as follows: "The reason "dping -a" is failing with the license check is because the command is calling “/us “... please consider the dping command as being "deprecated" code pending removal from the dsm.dsh package."
If you are planning on migrating to AIX 7.1 please be aware that CSM is no longer supported or available with AIX 7.1. CSM is now ‘end of life’.
A small note on dping: as of this post, it was still being included in the dsm.dsh package 7.2.0.0.
Copying root's SSH keys is nothing but compromising on security, and is not allowed as per ISEC in some of the customer environments. In such cases, do we have any alternate way to implement this without copying SSH keys to client nodes?