August 8th, 2023 09:00

Restricted CLI

Anyone venture into the Restricted CLI options in 9.5 yet? We are in need of logging CLI activity on the clusters and I thought this would be perfect.

I am starting to toy with it, but having some issues. From the documentation it only shows local account modification when setting the restricted shell. We do not utilize local accounts but AD-authenticated accounts to access the CLI. When setting up the restricted shell via the following command, it fails.

isi auth users modify \ --shell=/user/local/restricted_shell/bin.......

Failed to modify user : The authentication request could not be handled.   

I can find where you can change this entire authentication provided shell for all users, but I don't really want to do that, I would rather just change the shell of each of my admins.   


August 28th, 2023 15:48

@tchstnut,

Try

isi auth status
isi auth users modify <DOMAIN>\\<user> --provider=<provider> --shell=/usr/local/restricted_shell/bin/restricted_shell.py

EXAMPLE
philler-2# isi auth status
ID                                        Active Server        Status
----------------------------------------------------------------------
lsa-activedirectory-provider:ICSLAB.LOCAL W2012R2.ICSLAB.local online
lsa-local-provider:System                 -                    active
lsa-local-provider:test11                 -                    active
lsa-file-provider:System                  -                    active
lsa-ldap-provider:centos7-ldap-server     -                    offline
----------------------------------------------------------------------
Total: 5
philler-2# isi auth users modify ICSLAB\\alvinc --provider=lsa-activedirectory-provider:ICSLAB.LOCAL --shell=/usr/local/restricted_shell/bin/restricted_shell.py
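
A dry-run sketch of applying the reply's command to several AD admins one account at a time, added here as an example and not part of either post or of OneFS. It picks the online Active Directory provider out of `isi auth status` output and prints one `isi auth users modify` line per admin for review; the function names, the embedded sample output and the admin list are constructed, and only the two `isi` commands and their flags come from the thread.

```shell
#!/bin/sh
# Added example: prints commands for review, executes nothing against the cluster.
RESTRICTED_SHELL=/usr/local/restricted_shell/bin/restricted_shell.py

# Constructed sample modelled on the `isi auth status` output in the reply above.
sample_status() {
cat <<'EOF'
ID                                        Active Server        Status
----------------------------------------------------------------------
lsa-activedirectory-provider:ICSLAB.LOCAL W2012R2.ICSLAB.local online
lsa-local-provider:System                 -                    active
lsa-ldap-provider:centos7-ldap-server     -                    offline
----------------------------------------------------------------------
Total: 3
EOF
}

# Read `isi auth status` output on stdin; print the ID of each online AD provider.
online_ad_providers() {
    awk '$1 ~ /^lsa-activedirectory-provider:/ && $NF == "online" { print $1 }'
}

# usage: build_commands PROVIDER_ID NETBIOS_DOMAIN user...
# Names containing anything outside [A-Za-z0-9._-] are skipped, because the
# output is meant to be pasted into a root shell on the cluster.
build_commands() {
    provider=$1; domain=$2; shift 2
    for user in "$@"; do
        case $user in
            ''|*[!A-Za-z0-9._-]*) echo "skipping invalid name: $user" >&2; continue ;;
        esac
        printf 'isi auth users modify %s\\\\%s --provider=%s --shell=%s\n' \
            "$domain" "$user" "$provider" "$RESTRICTED_SHELL"
    done
}

# On a cluster, replace sample_status with the real `isi auth status`.
provider=$(sample_status | online_ad_providers | head -n 1)
[ -n "$provider" ] || { echo "no online AD provider found" >&2; exit 1; }
build_commands "$provider" ICSLAB alvinc 'bad;name'   # second name is a constructed invalid entry
```

Passing `--provider` explicitly is what distinguishes this from the failing command in the question, which left the provider unspecified.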

