George_Ellis
Advisor

If user is set to bash shell, SGM connection defaults to 'admin'

This is strange and I meant to ask it awhile back.

If you log into the Maestro Orchestrator using an account set to "set user xxxxxx shell /bin/bash", when you go to a SGM with the "member" command, it automatically starts the log in as "admin".
On Maestro, the accounts are RBA users (15) using TACACS+ authentication (to a Cisco ISE connected with PingID auth).

If my shell is /etc/.cli, log in, switch to expert, then "m 1 1" and the user is "myuserid". If my shell is /bin/bash, log in, "m 1 1" and the user id is "admin".

Has anyone seen a workaround? Mentioned it to our team (sales and diamond), but have not put any emphasis on resolving it. But using "admin" is not the best choice security-wise (audits).

I have tried multiple search attempts with every silly keyword I can think of, but don't seem to find a combination that matches the issue.  I think I will open a case finally, but I am thinking this may end up as a RFE. 

Dario_Perez
Employee

@Anatoly is this a known issue?

Dario_Perez
Employee

Hi,

MHO uses the same user you are logged in as.

************

login as: admin
Pre-authentication banner message from server:
| This system is for authorized use only.
End of banner message from server

[Expert@MHO-01:0]# m 1 1
Moving to member 1 in security group 1 (198.51.101.1)
Warning: Permanently added '198.51.101.1' (ECDSA) to the list of known hosts.
This system is for authorized use only.
admin@198.51.101.1's password:

**************************

If you log in using "dario":

login as: dario
Pre-authentication banner message from server:
| This system is for authorized use only.
End of banner message from server

MHO-01> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@MHO-01:0]# m 1 1

Moving to member 1 in security group 1 (198.51.101.1)
This system is for authorized use only.
dario@198.51.101.1's password:

Dario_Perez
Employee

The admin guide will be updated with this info.

George_Ellis
Advisor

Unless you log in as dario with shell /bin/bash, then do m 1 1. Then it uses admin.

Lesley
Authority

Hi,

Not sure TACACS+ will work:

PMTR-111391,
MBS-7069
Maestro Remote authentication for the Expert mode using RADIUS / TACACS+ servers with the Gaia gClish command "set expert-authentication-method {shared-password | user-password}" is not supported.

Anyway, did you set the account UID to 0?

uid <User ID>

Optional. Configures unique User ID to identify permissions of the user:

  • 0 for administrator users and RADIUS user account (this is the default option)

  • An integer between 103 and 65533 for non-administrator user

  Note - If a value is not specified, Gaia OS automatically assigns the next free sequential number.

-------
If you like this post please give a thumbs up(kudo)! 🙂
Dario_Perez
Employee

If you need a specific user you can use user@198.51.101.1

George_Ellis
Advisor

As documented, the "member" or "m" command is:

Usage:
member <security_group_id> <member_id>

appending userid@198.51.101.1 is the same as doing "member --help"  😉

George_Ellis
Advisor

UID 0 GID 0 /home/admin /bin/bash Admin-like Shell

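A small audit helper, added here as an example and not part of any post in this thread: given Gaia-style /etc/passwd lines (constructed sample data, not from a real appliance), it lists the accounts that resolve to UID 0, flags the non-admin ones that also run /bin/bash (the UID 0 + bash combination the last post shows as an "Admin-like Shell", and the case where an SGM hop no longer carries the user's own name for audit), and checks non-admin UIDs against the 103..65533 range quoted from the admin guide above. It assumes only the standard passwd layout; the /etc/cli.sh shell path in the sample is illustrative.

```shell
# Added audit helper (not from the thread). SAMPLE_PASSWD is constructed data
# in Gaia/Linux passwd layout: name:x:uid:gid:gecos:home:shell.
SAMPLE_PASSWD='admin:x:0:0::/home/admin:/bin/bash
myuserid:x:0:0::/home/myuserid:/bin/bash
dario:x:103:100::/home/dario:/etc/cli.sh
monitor:x:104:100::/home/monitor:/etc/cli.sh'

# Every account resolving to UID 0, printed as name:shell. More than one line
# means several identities collapse onto the same root/admin identity.
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 ":" $7 }'
}

# Accounts other than admin that are both UID 0 and /bin/bash: the combination
# discussed in the thread, where the member hop shows up as "admin" rather than
# the user's own id, so the audit trail on the SGM does not name the operator.
admin_like_shell_users() {
  printf '%s\n' "$1" | awk -F: '$1 != "admin" && $3 == 0 && $7 == "/bin/bash" { print $1 }'
}

# Non-admin accounts whose UID falls outside the documented 103..65533 range
# (figures from the admin-guide excerpt quoted in the thread).
uid_out_of_range() {
  printf '%s\n' "$1" | awk -F: '$3 != 0 && ($3 < 103 || $3 > 65533) { print $1 }'
}

# Stand-alone run: prints the findings for the sample data.
printf 'UID 0 accounts:\n'; uid0_accounts "$SAMPLE_PASSWD"
printf 'UID 0 + bash (non-admin):\n'; admin_like_shell_users "$SAMPLE_PASSWD"
printf 'UID out of range:\n'; uid_out_of_range "$SAMPLE_PASSWD"
```

On a real box, feed the functions `"$(cat /etc/passwd)"` instead of SAMPLE_PASSWD; any name printed by admin_like_shell_users is an account whose SGM logins will be attributed to admin.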