This feature significantly tightens the SBC instance security policies to align with AWS requirements.
The following significant changes are introduced in the SBC 07.02.00S400 instances on AWS:
- "root" login from "linuxadmin" is disabled
- "linuxadmin" user "sudo" access is tightened:
  - On AMI instance start-up the "linuxadmin" user is not in the "sudo" group
  - When any valid license is installed, the "linuxadmin" user is given sudo access
- Only SSH key login is supported for the "admin" user
- No default passwords for any Linux account on installation:
  - The "linuxadmin" and "admin" users permit only key-based SSH
  - The default "root" user password is removed
  - To use EMA or other services that require passwords, the customer must add a user with a password after installation/upgrade of the SBC has completed
- Sanity Checking - After AMI Instance Initiation:
  - Ensure only the default users are in the sshd_config file
  - No unexpected users are configured in the "sudo" group
  - Logging in with "ssh" is only available to the "linuxadmin" and "admin" users
  - For any unexpected users configured on the system:
    - All such accounts should be locked (using "usermod -L") or removed from /etc/passwd
    - Ensure only whitelisted users are configured in /etc/sudoers.d
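The sanity checks above lend themselves to a script. The following is an added example, not Ribbon's code: it audits the sudo group, the sshd AllowUsers line and /etc/sudoers.d against the two expected users, run here against constructed fixture files; the whitelist, the assumption that sshd_config restricts logins with AllowUsers, and the fixture contents are all assumptions.

```shell
# Added example, not Ribbon's code: a post-start sanity check for the three checklist
# items above. Paths are parameters so it runs on constructed copies; on a live host
# pass /etc/group, /etc/ssh/sshd_config and /etc/sudoers.d (AllowUsers is assumed).
EXPECTED_USERS="linuxadmin admin"   # whitelist taken from the page
is_expected() { for e in $EXPECTED_USERS; do [ "$e" = "$1" ] && return 0; done; return 1; }

# Reads names from stdin; prints those outside the whitelist and returns 1 if any.
report_unexpected() {  # $1 = label for the message
  bad=""
  while read -r u; do [ -z "$u" ] || is_expected "$u" || bad="$bad $u"; done
  [ -z "$bad" ] || { echo "unexpected $1:$bad"; return 1; }
}
# Members of the sudo group.   $1 = group(5) file
check_sudo_group() { awk -F: '$1=="sudo"{print $4}' "$1" | tr ',' '\n' | report_unexpected "sudo members"; }
# Users on AllowUsers lines; fails if the directive is absent.   $1 = sshd_config
check_sshd_allowusers() {
  grep -q '^AllowUsers' "$1" || { echo "sshd_config has no AllowUsers"; return 1; }
  awk '$1=="AllowUsers"{for(i=2;i<=NF;i++)print $i}' "$1" | report_unexpected "AllowUsers"
}
# Users (not %groups, Defaults, aliases or comments) granted rights in sudoers.d.   $1 = directory
check_sudoers_d() {
  cat "$1"/* 2>/dev/null |
    awk '$1 ~ /^[A-Za-z_]/ && $1!="Defaults" && $1 !~ /_Alias$/ && /=/ {print $1}' |
    sort -u | report_unexpected "sudoers.d grants"
}

# Runs all three checks against one host; returns 0 only if every one passes.
audit_host() {  # $1 = group file, $2 = sshd_config, $3 = sudoers.d directory
  rc=0
  check_sudo_group "$1" || rc=1
  check_sshd_allowusers "$2" || rc=1
  check_sudoers_d "$3" || rc=1
  return $rc
}

# Constructed fixtures (not captured from a real SBC): "clean" passes, "drift" adds opsuser.
make_fixture() {  # $1 = clean|drift; prints the fixture directory
  d=$(mktemp -d); mkdir -p "$d/sudoers.d"
  if [ "$1" = "clean" ]; then
    printf 'sudo:x:27:linuxadmin\n' > "$d/group"
    printf 'AllowUsers linuxadmin admin\n' > "$d/sshd_config"
    printf 'linuxadmin ALL=(ALL) NOPASSWD:ALL\n' > "$d/sudoers.d/90-linuxadmin"
  else
    printf 'sudo:x:27:linuxadmin,opsuser\n' > "$d/group"
    printf 'AllowUsers linuxadmin admin opsuser\n' > "$d/sshd_config"
    printf 'Defaults env_reset\nopsuser ALL=(ALL) ALL\n' > "$d/sudoers.d/99-extra"
  fi
  echo "$d"
}
```

After first boot, `audit_host /etc/group /etc/ssh/sshd_config /etc/sudoers.d` exits non-zero and names any account that the checklist says should be locked or removed.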
New Fields
The following figure displays the new key entry fields in the AWS CloudFormation templates (CFNs) used to access the SBC as the "linuxadmin" and "admin" users.
Obtaining and Inserting Keys into the New AWS CFTs for "linuxadmin" and "admin" Users
Generate keys for use with the SBC using the AWS console: EC2 > Network & Security > Key Pairs
- one for "linuxadmin"
- one for "admin" users on the SBC (the SSH key for admin may be the same as or different from the linuxadmin SSH key)
Using the keys in the CFN:
- Field "LinuxAdminSshKey": use the "linuxadmin" key (pem) obtained above.
- Field "AdminSshKey": enter the public key string obtained using the following process:
  - Transfer the .pem file generated by AWS to a Linux server. Use the following AWS instructions to generate the key pair: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair
  - Run: ssh-keygen -y -f <pem_file>. It outputs a public key string.
  - Cut/paste the key "ssh-rsa <key>" into the "AdminSshKey" field
Steps to install the initial license on an AWS SBC SWe
- Get the chassis number from the SBC by logging in to the CLI as "admin":
  - ssh -i <admin_pem> admin@<sbc_ip>
  - show table system serverStatus
  - Extract the SERIAL NUM, e.g. EC2655E1-AC17-C688-1C3E-72562BB72000
- Acquire the license from the Ribbon Support Portal or the account team.
- SCP the license file onto the SBC as the "linuxadmin" user using port 2024:
  - scp -i <pem_file> -P 2024 <license_file.xml> linuxadmin@<aws_ip>:/opt/sonus/external
- As the "admin" user, run the CLI "request" command to install the license; once it is installed, "linuxadmin" gains sudoers permissions:
  - ssh -i <admin_pem> admin@<sbc_ip>
  - request system admin <system_name> license loadLicenseFile bundleName b1 fileName <license_file.xml>
sbcDiagnostic.sh
If the SBC fails to start and the "linuxadmin" user does not yet have sudo permissions, the issue can be debugged with the diagnostics tool.
Run the following command as the "linuxadmin" user:
  sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 1
This diagnostics tool:
- Checks the current status of the "cloud-init", "cps", "lca" and "sbx" services
- Reports an issue if the SBC application is not up
- Dumps a limited set of logs for further investigation
Usage: run the following command as the "linuxadmin" user:
- sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh [0] - Dumps system information and status
- sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 1 - Captures logs for investigation
- sudo /opt/sonus/sbx/scripts/sbcDiagnostic.sh 2 - Runs a system dump
The EMS and Platform Manager both require an admin password to log in.
To set up an admin password:
- Log in to the CLI as "admin" using the SSH key.
- Run the following CLI commands:
  - set oam localAuth user admin passwordLoginSupport enabled
  - commit