This video demonstrates:
- Creating a CLI user within the /tpam interface
- How to give the CLI user permissions to perform a password retrieve
- Testing the CLI user via SSH
- Testing the CLI user via Plink
To create a CLI user:
1. Sign into the '/tpam' GUI of the applicance using an existing Admin (eg; 'paradmin')
2. Select Users & Groups | UserIDs | Add UserID.
3. Enter a "User Name" (note, it is case sensitive), enter a first and last name
4. Clear the "Allow Web Access" check box
5. Click on the "Key Based" tab, tick CLI.
6. Click "Save Changes"
7. Click "Download Key" to download the CLI key.
At this point the id_dsa file can be downloaded and used via native SSH. The CLI account can be tested with a command such as help, which will return the list of valid commands.
ssh -i id_dsa cliuser@IPADDRESS Help
NOTE: The case of the user should match the UserID in TPAM.
To use the key in Putty / Plink
This example requires some free tools from putty.org (putty.exe, puttygen.exe, plink.exe, pscp.exe). They can be dowloaded from http://www.putty.org under the 'putty' section
1. In order to use the key with Plink it must be converted to a PPK file.
2. Run puttygen, click the 'Load' button and select the key just downloaded (note: select 'All Files' at bottom right of puttygen to view all extensions).
3. In puttygen, click 'Save Private Key'. This will generate a warning about saving without a passphrase - click 'Yes' to save the PPK file without a passphrase.
Sending CLI commands to the appliance:
The plink or pscp commands (also from putty.org) may now be used with the newly created PPK to access the CLI commands.
The first time plink or pscp are run, they will return a warning that the host key will be imported into the registry, this is expected -- just press 'y' to 'store key in cache'.
The syntax of plink is:
plink -i [keyfile] [userid]@[PAR-address] [command] [filename]
plink -i cliuser.ppk email@example.com ListUsers