- Once a SysAdmin has been granted Web access, Web access cannot be removed for this user.
- A new user may be generated with *only* CLI access, and other SysAdmin users may generate and download keys for this new user.
- Enabling Web access for a SysAdmin user will reset any existing authentication keys.
This example requires some free tools from putty.org (putty.exe, puttygen.exe, plink.exe, pscp.exe). They can be downloaded from http://www.putty.org under the 'putty' section.
To create a CLI SysAdmin user in 2.5:
At this point the id_dsa file can be downloaded and used via native SSH. The CLI account can be tested with a command such as GetStatus:
ssh -i id_dsa email@example.com GetStatus -u
NOTE: The case of the user should match the UserID in TPAM.
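As an added example (not from the original article or the vendor), the shell functions below wrap the GetStatus test with two checks: the downloaded id_dsa key must not be accessible to other accounts, and the appliance's host key must already be pinned in a known_hosts file. The function names, the SSH override variable and the known_hosts path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks before testing a downloaded TPAM CLI key.
# Function names, the SSH override and the known_hosts path are assumptions.

# Succeeds only if the key is a regular file (not a symlink) with no
# group/other permission bits, i.e. mode 600 or stricter.
key_is_private() {
    key=$1
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        echo "not a regular file: $key" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key is accessible to group/other, run: chmod 600 $key" >&2
        return 1
    fi
}

# Runs 'GetStatus -u' as the CLI user, non-interactively.
#   $1 private key   $2 UserID (same case as in TPAM)
#   $3 appliance address   $4 known_hosts file holding the appliance host key
tpam_getstatus() {
    key=$1 user=$2 host=$3 known_hosts=$4
    key_is_private "$key" || return 1
    # Require a host key that was verified out of band instead of
    # accepting whatever key the server presents on first contact.
    if [ ! -s "$known_hosts" ]; then
        echo "no pinned host key in $known_hosts" >&2
        return 1
    fi
    # SSH can be overridden (for a dry run or a test); defaults to ssh.
    "${SSH:-ssh}" -i "$key" \
        -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known_hosts" \
        "$user@$host" GetStatus -u
}
```

With BatchMode and StrictHostKeyChecking set, ssh fails instead of prompting when the key is rejected or the host key does not match the pinned one, which makes the check usable from scheduled jobs.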
To use the key in Putty / Plink
Sending CLI commands to the appliance:
The plink or pscp commands (also from putty.org) may now be used with the newly created PPK to access the CLI commands.
The first time plink or pscp is run, it will return a warning that the host key will be imported into the registry. This is expected. Press 'y' to 'store key in cache'.
The syntax of plink is:
plink -i [keyfile] [userid]@[PAR-address] [command] [filename]
A good test that the user is created correctly and the PPK is valid would be to get the uptime of the appliance:
plink -i cliadmin.ppk firstname.lastname@example.org GetStatus -u
How to create a CLI-only user (without Web access to the appliance):
The above example creates a Web and CLI enabled SysAdmin. To create a 'CLI only' user, ensure 'Allow Web Access' is not checked when creating the user (step 3), and then generate and download the keys (steps 4-5 above) as the user currently signed in to the '/admin' interface.