🚀 Feature Request
Cohesity v6.8.1 removes sudo access and enforces a restricted shell. This change seems very short-sighted. This was a completely supported feature in every version previously; previous versions even offered a button in the GUI so that customers could supply the support user with sudo quickly and easily. Now, without warning, that access has been ripped away. This change feels half-baked and under-communicated to me.
I wanted to share an automation I wrote that restores this unrestricted shell and sudo access. I chose to write this in Ansible format so it can be quickly and easily applied to a user's entire fleet of Cohesity clusters at once.
Feel free to include or reject this contribution.
```yaml
#!/bin/ansible-playbook
# Cohesity 6.8+ is required!
---
- name: "##### Allows Linux Shell access and sudo for 6.8+ Cohesity clusters #####"
  hosts: '{{ target | default("cohesity") }}'
  gather_facts: false
  # become: yes
  tasks:
    # Login to the Target Cluster by API
    - name: Get Token for target Cohesity cluster
      delegate_to: localhost
      ansible.builtin.uri:
        url: "https://{{ inventory_hostname }}/irisservices/api/v1/public/accessTokens"
        headers:
          Content-Type: application/json
        body:
          username: "{{ var_cohesity_user }}"
          password: "{{ var_cohesity_passwd }}"
          domain: "LOCAL"
        method: POST
        status_code: 201
        body_format: json
        return_content: yes
        # The cluster certificate is not verified here; credentials go over a connection
        # whose peer is unauthenticated. Use validate_certs: true with a trusted CA where possible.
        validate_certs: false
      register: target_token

    - name: Register target's token
      delegate_to: localhost
      ansible.builtin.set_fact:
        target_cohesity_token: "{{ (target_token.content | from_json).accessToken }}"

    # Grab Target Cluster IP information
    - name: Get list of the Cohesity clusters IP addresses from nslookup
      delegate_to: localhost
      ansible.builtin.shell: "nslookup {{ inventory_hostname_short }} | grep ^Address | sed 's|Address: ||' | tail -n +2"
      register: nslookup

    - name: set fact IP address
      ansible.builtin.set_fact:
        target_ips: "{{ nslookup.stdout_lines }}"

    - ansible.builtin.debug:
        var: target_ips

    # Old host keys are dropped and re-scanned. ssh-keyscan records whatever key the
    # host presents at scan time, so this resets SSH host-key trust for the cluster.
    - name: Remove old SSH keys by hostname.
      local_action:
        module: ansible.builtin.shell
        cmd: ssh-keygen -R "{{ inventory_hostname | lower }}"

    - name: Remove old SSH keys by IPv4 address.
      local_action:
        module: ansible.builtin.shell
        cmd: ssh-keygen -R "{{ item }}"
      with_items: "{{ target_ips }}"

    - name: Update local known_hosts file with new ssh_keys
      delegate_to: localhost
      ansible.builtin.lineinfile:
        dest: ~/.ssh/known_hosts
        create: yes
        state: present
        mode: "0600"
        # Jinja concatenation (~) instead of nested {{ }} inside the lookup string
        line: "{{ lookup('pipe', 'ssh-keyscan -t rsa -p ' ~ ansible_port ~ ' ' ~ (inventory_hostname | lower) ~ ',' ~ item) }}"
      with_items: "{{ target_ips }}"

    - name: Process known_hosts file with new keys.
      local_action:
        module: ansible.builtin.shell
        # plain uniq keeps one copy of each line; uniq -u would discard every duplicated key entirely
        cmd: sort ~/.ssh/known_hosts | tee /tmp/known_hosts_new; uniq /tmp/known_hosts_new ~/.ssh/known_hosts

    # Enable & Set password of "support" user if ran for the first time
    - name: Enable the support user and set password (Will fail gracefully if already enabled)
      delegate_to: localhost
      ansible.builtin.uri:
        url: "https://{{ inventory_hostname }}/irisservices/api/v1/public/users/linuxPassword"
        method: PUT
        headers:
          Content-Type: application/json
          Accept: application/json
          Authorization: "Bearer {{ target_cohesity_token }}"
        validate_certs: no
        return_content: yes
        status_code: [200, 201, 202]
        body:
          linuxUsername: support
          linuxPassword: "{{ ansible_password }}"
        body_format: json
      ignore_errors: yes

    # Set local sec policy on Cohesity clusters - restricted timeout over 10 years
    - name: Set Gflag for Linux "Restricted" Shell
      ansible.builtin.command: >-
        /home/support/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}"
        -skip_password_prompt cluster update-gflag gflag-name=secure_shell_disabled_duration_hours
        gflag-value=100000 service-name=nexus reason="disable secure-shell timeout"
      ignore_errors: yes

    - name: Disable Linux "Restricted" Shell
      ansible.builtin.command: >-
        /home/support/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}"
        -skip_password_prompt cluster secure-shell enable=false
      ignore_errors: yes

    - name: Pause
      ansible.builtin.pause:
        seconds: 90

    - name: Update local known_hosts file with new ssh_keys (again)
      delegate_to: localhost
      ansible.builtin.lineinfile:
        dest: ~/.ssh/known_hosts
        create: yes
        state: present
        mode: "0600"
        line: "{{ lookup('pipe', 'ssh-keyscan -t rsa -p ' ~ ansible_port ~ ' ' ~ (inventory_hostname | lower) ~ ',' ~ item) }}"
      with_items: "{{ target_ips }}"

    - name: Process known_hosts file with new keys.
      local_action:
        module: ansible.builtin.shell
        cmd: sort ~/.ssh/known_hosts | tee /tmp/known_hosts_new; uniq /tmp/known_hosts_new ~/.ssh/known_hosts

    - name: restart Nexus services for "Restricted" shell timeout to take effect
      ansible.builtin.shell: >-
        /home/cohesity/software/crux/bin/allssh.sh /home/cohesity/software/crux/bin/nexus.sh stop &&
        /home/cohesity/software/crux/bin/allssh.sh /home/cohesity/software/crux/bin/nexus.sh start

    - name: Pause (again)
      ansible.builtin.pause:
        seconds: 120

    - name: Disable Linux "Restricted" Shell (again)
      ansible.builtin.command: >-
        /home/cohesity/software/crux/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}"
        -skip_password_prompt cluster secure-shell enable=false
      ignore_errors: yes

    # Set local sec policy on Cohesity clusters (max passwd lifetime is 365 days in 6.8+. It's a real drag.)
    - name: Set Policies
      ansible.builtin.shell: >-
        /home/cohesity/software/crux/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}"
        -skip_password_prompt security-config edit min-length=8 min-lifetime-days=0 max-lifetime-days=365
        num-diff-chars=0 num-disallowed-old-pwd=0 failed-login-lock-duration-mins=15 max-failed-login-attempts=6
        inactivity-time-days=1 session-inactivity-timeout=3600 is-data-classified=true
        classified-data-msg="{{ classification_level }}"

    - name: Enable Linux "support" user sudo access
      ansible.builtin.shell: >-
        /home/cohesity/software/crux/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}"
        -skip_password_prompt user linux-sudo-access enable=true
```