Blogs Classifieds Downloads FlashChat Gallery Googlemap Invite Friends Links Projects Reviews Wiki
 
Home Forums Register FAQ Members List Calendar Mark Forums Read

Go Back pSeries Tech Talk Forums pSeries Tech Info Tech Support Library Tutorials
Reload this Page

HMC Unrestricted Root Access

Discuss HMC Unrestricted Root Access on the 'Tutorials' forum of pSeriesTech.org. Talk about HMC Unrestricted Root Access with the IBM pSeries Technical Support Community.

Our Sponsors
Want to advertise?  


Comment
 
LinkBack (2) Tutorial Tools
<!-- google_ad_section_start -->HMC Unrestricted Root Access<!-- google_ad_section_end -->
HMC Unrestricted Root Access
Fred Sherman, pSeries Engineer
Published by FASherman
May 26th, 2006
<!-- google_ad_section_start -->HMC Unrestricted Root Access<!-- google_ad_section_end -->
As we all know, the Hardware Management Console (HMC) is considered to be an "appliance" by IBM . It has tight security, such that users are not typically granted root access to the HMC itself. The user is kept within the system management interface or granted a restricted access shell for HMC CLI commands.

But did you know that you can get root access to the HMC - along with all the potential risk that always come with root access? Occasionally, it is a necessity and here is how you do it:

1. Make sure your HMC has the user account HSCPE. This is a special ID, as you shall soon see.

To create the HSCPE user, do the following:
  • In the Navigation area, expand the HMC Management folder.
  • Click the HMC users icon.
  • In the Contents area, click Manage HMC Users and Access. The User Profiles window opens.
  • Click User > Add. Fill in the appropriate fields and click OK.
2. Enable Remote Command Execution with ssh

To enable ssh, do the following:
  • In the Navigation area, click the HMC Management icon.
  • In the Contents area, double-click the HMC Configuration icon.
  • In the Contents area, click Enable/Disable Remote Command Execution.
  • Select the appropriate check box.
  • Click OK.
3. Logon the HMC with ssh as the user hscpe and run the following
command to get the serialnumber of the HMC:

[hscpe@hmc hscpe]$ lshmc -v | grep ^*SE

4. Contact IBM and request the PE password. You will need to supply them with the serial number of your HMC as determined above.

5. Login to the PE Shell (pesh)

[hscpe@hmc1 hscpe]$ SE=`lshmc -v | grep ^*SE | cut -c 5-`
[hscpe@hmc1 hscpe]$ pesh $SE
Password:

Use the password you got from IBM.

6. Switch shell to root

[hscpe@hmc1 hscpe]$ su - # Become root
Password:

Use the default password which is "passw0rd" if you haven't changed it.

NOTE: The PE password that IBM supplies to you is time based. It is only valid until midnight of the day that IBM generates it. If you are performing some type of action close to midnight, you might want to have them generate the passowrd for the next day as well. Despite what they tell you, they can do that if you press them.
Tutorial Tools
Show Printable Version Show Printable Version
Email this Page Email this Page

Featured Tutorials
Read more
Virtualization and Power
Starting with Virtualization
  #1  
By loot on June 21st, 2006
Re: HMC Unrestricted Root Access
I don't like the idea that you have to call IBM support to get the PE password. IBM should have a website that let user generate the password as least
Reply With Quote
  #2  
By FASherman on June 21st, 2006
Re: HMC Unrestricted Root Access
Thats not such a bad idea. You provide the serial number of the server, the customer support ID and then it generates the password. I think their goal isn't to enable access, its to control it as tightly as possible.

Seems a bit draconian since it really isn't their property once the HMC is shipped.
Reply With Quote
  #3  
By rzs0502 on August 8th, 2006
Re: HMC Unrestricted Root Access
This must be an error, but after our last HMC upgrade, hscroot no longer has a restricted shell.
And we can su to root as well!

"version= Version: 5
Release: 2.1
HMC Build level 20060502.1
MH00688: CVE-2006-0225, CVE-2006-0058 Security updates for HMC V5R2.1 (05-31-2006)
","base_version=V5.2.1
Reply With Quote
  #4  
By jakubgaj on September 3rd, 2007
Re: HMC Unrestricted Root Access
Hey,

There's easier method by using simple 'man', it works on 4.x and 5.x, but seems to not work on 6.x and 7.x versions, maybe someone can play around:

$ man -P /bin/more chhwres // get 'more' as module instead of restricted 'less'
!/bin/bash // run root shell from man (HMC v4)
!ksh // run root shell from man (HMC v5)
$ export PATH=$PATH:/bin:/usr/bin
$ su -
Reply With Quote
  #5  
By Mark Taylor on September 18th, 2007
Re: HMC Unrestricted Root Access
I think they have plugged those "man" page security holes now. you can get an rpm from IBM support that gives you root access permanently but you have to accept the terms and conditions. i.e. you wont be supported.

there are a few other ways, scp off the bash binary, then scp it back on into /hmcrbin then just type bash to get a bash shell, then you can set your PATH and su -

or, when the HMC boots, you can catch it at the grub menu and set the grub boot line to <grub boot line> 1 # to go into single user mode as root.

of course, you will be in single user mode so not a lot will be running, but you can use this method to copy logs and other stuff around for when you reboot etc ..


Rgds
Mark Taylor
Reply With Quote
  #6  
By Jorke on October 4th, 2007
Re: HMC Unrestricted Root Access
We have had quite some problems with our HMC and RSCT deamon. (100% load HMC all day long etc) .

And in my experience IBM is very willing to give you the pesh passwords as long as you have a valid reason.
And why would you want it anyhow unless you have a problem with your HMC. there is nothing interesting to see anyhow, just regard it as a black box that usually works..

Regards,

JK
AIX system expert
Reply With Quote
  #7  
By ThomasMockridge on November 7th, 2007
Re: HMC Unrestricted Root Access
Hi

Brute force method:
-boot your hmc off a PCLinuxOS "live" CD, (or other distribution this was what I had and it mounts the HMC7 discs fine)
-mount /dev/sda2 on /tmp/mnt, (/etc/may be another disk but fairly easy to find)
-edit /tmp/mnt/etc/inittab to put a getty on tty5 (there should be a commented out getty for tty1 but rather put it on an unused tty)
-umount /tmp/mnt
-reboot the HMC normally

Hey presto ctrl-alt and F5 to get a console Linux login. user hscroot/abc123 and su -, root password default was passw0rd. No rsh, and an unrestricted root, WooHoo, but as someone said don't tell IBM...And make sure you know what you are doing or you'll be looking for your HMC restore discs. This method can be used to "fix" various gotchas. I found it out when I broke networking completely and had to recover without restoring the HMC. IBM suggested rebuild HMC, so I had nothing to lose, network setup is in /etc/sysconfig. Pretty standard Linux stuff.

Thomas
Last edited by ThomasMockridge; November 7th, 2007 at 15:27. Reason: typo
Reply With Quote
Comment

Bookmarks

These are the 100 most searched terms
Search Cloud
0042-001 0042-001 nim 0042-008 nimsh: request denied 0513-001 the system resource controller daemon is not active 0513-001 the system resource controller daemon is not active. 0514-061 0514-061 cannot find a child device 0514-061 cannot find a child device. 0516-787 0516-787 extendlv 0516-787 extendlv: maximum allocation for logical volume 110000ac 3074feb7 aa00e1f3 aio aix aix aio aix freeware aix memory usage aix rsync aixif_arp_dup_addr b150f22a b181f22a b181fb53 ba010004 c1001020 d133c002 dacnone dcb47997 fcp_array_err6 fget_config gnu tar aix gtar aix hmc root password hmc vmware ibm p6 520 libpopt.a libpopt.a(libpopt.so.0) is needed by rsync-2.6.2-1 migratelv mksysb navisphere agent nim server pseriestech ptype and account type do not match rshd: 0826-813 permission is denied. rsync aix sc_disk_err4 scan_error_chrp vio server vmware hmc websm ... powered by Simple Search Cloud

« How to write a bootable mksysb CD/DVD on your PC | NIM server and client operations »

LinkBacks (?)
LinkBack to this Thread: http://www.pseriestech.org/forum/tutorials/hmc-unrestricted-root-access-6.html
Posted By For Type Date
HMC Setup for P series This thread Refback January 6th, 2009 09:16
How to open HMC linux shell? This thread Refback June 13th, 2008 11:58

Currently Active Users Viewing This Tutorial: 1 (0 members and 1 guests)
 
Tutorial Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Similar Threads
Tutorial Tutorial Starter Category Comments Last Post
HMC Root access FASherman Hardware Management Console 4 September 14th, 2007 04:49
Dual HMC connection to P570 eraserhead Hardware Management Console 4 November 3rd, 2006 10:39
Backing UP Your Hardware Management Console FASherman Tutorials 9 October 23rd, 2006 14:01
HMC losing connectivity to managed system dthacker Hardware Management Console 3 September 19th, 2006 08:26
HMC Problem Herzt Hardware Management Console 2 August 18th, 2006 06:42



Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Search Engine Friendly URLs by vBSEO 3.2.0
Powered by vbWiki Pro 1.3 RC5. Copyright ©2006-2007, NuHit, LLC

vBulletin Skin developed by: vBStyles.com

Tutorial powered by GARS 2.1.8m ©2005-2006

pSeries Tech Talk - Archive - Privacy Statement - Top

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73