Linuxadmin sudo Permissions for SBC SWe in AWS

Overview

 The following SBC SWe instance security policies align with the latest AWS requirements:

•  “root” login from “linuxadmin” is disabled
• "linuxadmin" user "sudo" access tightened:
  • On AMI Instance start-up the "linuxadmin” user will not be in the “sudo” group
  • When any valid licence is installed, the “linuxadmin” user will be given sudo access

• Support only SSH Key login for the “admin” user 

  • Update CFTs to support SSH Key login for "admin" user 

  • Revert change to set "admin" user password to primary interface-id

• No default passwords for all Linux accounts on installation
  • The “linuxadmin” and “admin” users permit only key based SSH
  • The default "root" user password is removed
  • To use EMA or other services which require passwords, the customer must add a user with a user password after installation/upgrade of the SBC has completed
• Sanity Checking - After AMI Instance Initiation
  • Ensure only default users in sshd_config file
  • No unexpected users are configured in the "sudo" group
  • Logging in with "ssh" is only available to the "linuxadmin" and "admin" users
  • For any unexpected users configured on the system:
    • All accounts should be locked/removed from /etc/passwd (using "mod user -l")
    • Ensure only white list users are configured in /etc/sudoers.d

Security Configuration Window

The following figure displays the Key entry fields in the AWS Cloud Formation Templates (CFNs) to access the SBC SWe for “linuxadmin” and “admin” users.

Security Configuration Window

Obtaining and Inserting Keys into the New AWS CFTs

Perform the following steps to obtain and insert the keys into the new AWS CFTs for “linuxadmin” and “admin” Users

Generate keys for the SBC SWe 

Generate the following keys to to use with the SBC using AWS console EC2 > Network & Security > Key Pairs 

• “linuxadmin”
• “admin” users on the SBC (You can create the admin SSH key that is the same or different to the linuxadmin SSH key)

Use the Keys in the CFN

1. Field “LinuxAdminSshKey”: use the “linuxadmin” key(pem) obtained above.
2. Field "AdminSshKey": enter the Public key string obtained using the following process:
   1. Transfer the .pem file generated by AWS to a Linux server. Use the following AWS instructions to generate the key pair: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair
   2. Run: ssh-keygen -y -f <pem_file>. It will output a Public key string
   3. Cut/paste the key: “ssh-rsa <key>” into the “AdminSshKey” field

Installing License 

Steps to install initial license on AWS SBC Swe

1. Get the Chassis number from the SBC logging in as “admin” to CLI
   • ssh -i <admin_pem> admin@<sbc_ip>
   • show table system serverStatus
   • Extract the SERIAL NUM – eg EC2655E1-AC17-C688-1C3E-72562BB72000
     
     
2. Acquire license from Ribbon Support Portal / the account team.
   
   
3. SCP the license file onto the SBC as “linuxadmin” user using port 2024:
   1. scp -i <pem_file> -P 2024 <license_file.xml> linuxadmin@<aws_ip>:/opt/sonus/external
      
      
4.  As the “admin” user run  the CLI “request” command to initially install the license for “linuxadmin” to gain sudoers permissions
   •  ssh -i <admin_pem> admin@<sbc_ip>
   • request system admin <system_name> license loadLicenseFile bundleName b1 fileName <license_file.xml>
     
     

Diagnostic Tools

sbcDiagnostic.sh

If the SBC fails to start and the “linuxadmin” user does not yet have Sudo permissions we can debug the issue with the Diagnostics tool.

EMS and Platform Manager (PM) Admin Login

The EMS and Platform Manager both require an admin password to login.

To set up an Admin password: