Blogs Classifieds Downloads FlashChat Gallery Googlemap Invite Friends Links Projects Reviews Wiki
 


Welcome to the pSeries Tech Forums, our free peer-based support site for administrators, engineers and architects working with IBM pSeries servers and software.

You are currently viewing our site as a guest which gives you limited access to view most discussions, articles, tutorials and access our other free features. By joining our community you will be able to collaborate with administrators, engineers and architects charged with designing, delivering or maintaining IBM pSeries server environments.

Founded by a recognized IBM pSeries consultant and IBM Redbook author, pSeries Tech Forums was developed with the single mission of bringing IBM pSeries professionals together into a single self-help community.

Registration is fast, simple and absolutely free to all IT professionals with responsibility for or interest in IBM pSeries servers. We invite you to join our community today!

If you have any problems with the registration process or your account login, please contact contact support.

Our Sponsors
Want to advertise?  


Comment
 
LinkBack (1) Tutorial Tools
<!-- google_ad_section_start -->HMC Unrestricted Root Access<!-- google_ad_section_end -->
HMC Unrestricted Root Access
Fred Sherman, pSeries Engineer
Published by FASherman
May 26th, 2006
<!-- google_ad_section_start -->HMC Unrestricted Root Access<!-- google_ad_section_end -->

As we all know, the Hardware Management Console (HMC) is considered to be an "appliance" by IBM . It has tight security, such that users are not typically granted root access to the HMC itself. The user is kept within the system management interface or granted a restricted access shell for HMC CLI commands.

But did you know that you can get root access to the HMC - along with all the potential risk that always come with root access? Occasionally, it is a necessity and here is how you do it:

1. Make sure your HMC has the user account HSCPE. This is a special ID, as you shall soon see.

To create the HSCPE user, do the following:
  • In the Navigation area, expand the HMC Management folder.
  • Click the HMC users icon.
  • In the Contents area, click Manage HMC Users and Access. The User Profiles window opens.
  • Click User > Add. Fill in the appropriate fields and click OK.
2. Enable Remote Command Execution with ssh

To enable ssh, do the following:
  • In the Navigation area, click the HMC Management icon.
  • In the Contents area, double-click the HMC Configuration icon.
  • In the Contents area, click Enable/Disable Remote Command Execution.
  • Select the appropriate check box.
  • Click OK.
3. Logon the HMC with ssh as the user hscpe and run the following
command to get the serialnumber of the HMC:

[hscpe@hmc hscpe]$ lshmc -v | grep ^*SE

4. Contact IBM and request the PE password. You will need to supply them with the serial number of your HMC as determined above.

5. Login to the PE Shell (pesh)

[hscpe@hmc1 hscpe]$ SE=`lshmc -v | grep ^*SE | cut -c 5-`
[hscpe@hmc1 hscpe]$ pesh $SE
Password:


Use the password you got from IBM.

6. Switch shell to root

[hscpe@hmc1 hscpe]$ su - # Become root
Password:


Use the default password which is "passw0rd" if you haven't changed it.

NOTE: The PE password that IBM supplies to you is time based. It is only valid until midnight of the day that IBM generates it. If you are performing some type of action close to midnight, you might want to have them generate the passowrd for the next day as well. Despite what they tell you, they can do that if you press them.
Tutorial Tools

Featured Tutorials
Read more
Virtualization and Power

Starting with Virtualization
  #1  
By loot on June 21st, 2006
Re: HMC Unrestricted Root Access

I don't like the idea that you have to call IBM support to get the PE password. IBM should have a website that let user generate the password as least
Reply With Quote
  #2  
By FASherman on June 21st, 2006
Re: HMC Unrestricted Root Access

Thats not such a bad idea. You provide the serial number of the server, the customer support ID and then it generates the password. I think their goal isn't to enable access, its to control it as tightly as possible.

Seems a bit draconian since it really isn't their property once the HMC is shipped.
Reply With Quote
  #3  
By rzs0502 on August 8th, 2006
Re: HMC Unrestricted Root Access

This must be an error, but after our last HMC upgrade, hscroot no longer has a restricted shell.
And we can su to root as well!

"version= Version: 5
Release: 2.1
HMC Build level 20060502.1
MH00688: CVE-2006-0225, CVE-2006-0058 Security updates for HMC V5R2.1 (05-31-2006)
","base_version=V5.2.1
Reply With Quote
  #4  
By jakubgaj on September 3rd, 2007
Re: HMC Unrestricted Root Access

Hey,

There's easier method by using simple 'man', it works on 4.x and 5.x, but seems to not work on 6.x and 7.x versions, maybe someone can play around:

$ man -P /bin/more chhwres // get 'more' as module instead of restricted 'less'
!/bin/bash // run root shell from man (HMC v4)
!ksh // run root shell from man (HMC v5)
$ export PATH=$PATH:/bin:/usr/bin
$ su -
Reply With Quote
  #5  
By Mark Taylor on September 18th, 2007
Re: HMC Unrestricted Root Access

I think they have plugged those "man" page security holes now. you can get an rpm from IBM support that gives you root access permanently but you have to accept the terms and conditions. i.e. you wont be supported.

there are a few other ways, scp off the bash binary, then scp it back on into /hmcrbin then just type bash to get a bash shell, then you can set your PATH and su -

or, when the HMC boots, you can catch it at the grub menu and set the grub boot line to <grub boot line> 1 # to go into single user mode as root.

of course, you will be in single user mode so not a lot will be running, but you can use this method to copy logs and other stuff around for when you reboot etc ..


Rgds
Mark Taylor
Reply With Quote
  #6  
By Jorke on October 4th, 2007
Re: HMC Unrestricted Root Access

We have had quite some problems with our HMC and RSCT deamon. (100% load HMC all day long etc) .

And in my experience IBM is very willing to give you the pesh passwords as long as you have a valid reason.
And why would you want it anyhow unless you have a problem with your HMC. there is nothing interesting to see anyhow, just regard it as a black box that usually works..

Regards,

JK
AIX system expert
Reply With Quote
  #7  
By ThomasMockridge on November 7th, 2007
Re: HMC Unrestricted Root Access

Hi

Brute force method:
-boot your hmc off a PCLinuxOS "live" CD, (or other distribution this was what I had and it mounts the HMC7 discs fine)
-mount /dev/sda2 on /tmp/mnt, (/etc/may be another disk but fairly easy to find)
-edit /tmp/mnt/etc/inittab to put a getty on tty5 (there should be a commented out getty for tty1 but rather put it on an unused tty)
-umount /tmp/mnt
-reboot the HMC normally

Hey presto ctrl-alt and F5 to get a console Linux login. user hscroot/abc123 and su -, root password default was passw0rd. No rsh, and an unrestricted root, WooHoo, but as someone said don't tell IBM...And make sure you know what you are doing or you'll be looking for your HMC restore discs. This method can be used to "fix" various gotchas. I found it out when I broke networking completely and had to recover without restoring the HMC. IBM suggested rebuild HMC, so I had nothing to lose, network setup is in /etc/sysconfig. Pretty standard Linux stuff.

Thomas
Last edited by ThomasMockridge; November 7th, 2007 at 16:27. Reason: typo
Reply With Quote
Comment

Bookmarks

These are the 100 most searched terms
Search Cloud
0042-001 0042-001 nim 0513-001 the system resource controller daemon is not active 0513-001 the system resource controller daemon is not active. 0514-061 0514-061 cannot find a child device 0514-061 cannot find a child device. 0516-787 0516-787 extendlv 0516-787 extendlv: maximum allocation for logical volume 110000ac aa00e1f3 aio aix aix aio aix freeware aixif_arp_dup_addr b150f22a b181fb53 ba010004 c1001020 d133c002 dacnone dcb47997 dlpar fcp_array_err6 fget_config gnu tar aix gsclvmd gtar aix hi yall hmc root password hmc vmware hscl05db ibm p6 ibm p6 520 libpopt aix libpopt.a libpopt.a(libpopt.so.0) is needed by rsync-2.6.2-1 migratelv mksysb navisphere agent nim server pseries pseriestech rsync aix sc_disk_err4 scan_error_chrp vio server websm xhost file ... powered by Simple Search Cloud


LinkBacks (?)
LinkBack to this Thread: http://www.pseriestech.org/forum/tutorials/hmc-unrestricted-root-access-6.html
Posted By For Type Date
How to open HMC linux shell? This thread Refback June 13th, 2008 12:58

Currently Active Users Viewing This Tutorial: 2 (0 members and 2 guests)
 
Tutorial Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Similar Threads
Tutorial Tutorial Starter Category Comments Last Post
HMC Root access FASherman Hardware Management Console 4 September 14th, 2007 05:49
Dual HMC connection to P570 eraserhead Hardware Management Console 4 November 3rd, 2006 11:39
Backing UP Your Hardware Management Console FASherman Tutorials 9 October 23rd, 2006 15:01
HMC losing connectivity to managed system dthacker Hardware Management Console 3 September 19th, 2006 09:26
HMC Problem Herzt Hardware Management Console 2 August 18th, 2006 07:42



Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Friendly URLs by vBSEO 3.2.0
Powered by vbWiki Pro 1.3 RC5. Copyright ©2006-2007, NuHit, LLC

vBulletin Skin developed by: vBStyles.com

Tutorial powered by GARS 2.1.8m ©2005-2006


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50