Disable user epmp by snmp

Good morning, I want to disable home user and installer user in epmp 1000 by snmp or tamplate cnmaestro. Is this possible?

Hi,

Please use next template:

"cambiumSysAccountsTable": [
		
		  {
			"cambiumSysAccountsName":	"home",
			"cambiumSysAccountsHash":	"!1$\/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
			"cambiumSysAccountsUID":	"3000",
			"cambiumSysAccountsGID":	"100",
			"cambiumSysAccountsDir":	"\/tmp",
			"cambiumSysAccountsShell":	"\/bin\/false"
		  }
		

"!" symbol in  "cambiumSysAccountsHash" indicates account is disabled for current user.


Thank you.

3 Likes

Thank you Fedor.

Great!

Matias,

You are welcome!

Do you have similar templates for the "installer" and "readonly" accounts?

Even (dare I ask?) a single JSON template to disable all 3?


@dshea wrote:

Do you have similar templates for the "installer" and "readonly" accounts?

Even (dare I ask?) a single JSON template to disable all 3?


Haven't done it, but my suspicion would be that this would work  (edited: correction - I'm betting the UID at least, probably GID, will differ too):

"cambiumSysAccountsTable": [
      {
        "cambiumSysAccountsName":   "home",
        "cambiumSysAccountsHash":   "!1$\/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
        "cambiumSysAccountsUID":    "3000",
        "cambiumSysAccountsGID":    "100",
        "cambiumSysAccountsDir":    "\/tmp",
        "cambiumSysAccountsShell":  "\/bin\/false"
      },
      {
        "cambiumSysAccountsName":   "installer",
        "cambiumSysAccountsHash":   "!1$\/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
        "cambiumSysAccountsUID":    "3000",
        "cambiumSysAccountsGID":    "100",
        "cambiumSysAccountsDir":    "\/tmp",
        "cambiumSysAccountsShell":  "\/bin\/false"
      },
      {
        "cambiumSysAccountsName":   "readonly",
        "cambiumSysAccountsHash":   "!1$\/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
        "cambiumSysAccountsUID":    "3000",
        "cambiumSysAccountsGID":    "100",
        "cambiumSysAccountsDir":    "\/tmp",
        "cambiumSysAccountsShell":  "\/bin\/false"
      }</pre><p>j</p>

I actually did try that, but it doesn't work (even after I re-configure the JSON so it does validate). My thought was that maybe the UID or GID for those accounts is different.

Yeah, that's what I realized right after I submitted the post, and edited to note...  I'm thinking that Cambium will need to tell us the UID and GID for all four accounts.

j

Hi all,

You can just download JSON configuration file from any ePMP device with the latest firmware and take a look on UID and GID.

Thank you.

1 Like

I'm looking at the whole .json file I downoaded from one of my APs, and no, not one single line referring to cambiumSysAccounts at all. No listing in cnMaestro templates, either.

C'mon, spoil the suspense... Can you just tell us what the UID and GID values are for installer and readonly accounts? I can do the rest of it myself...

Hello,

Try using UID=2000, GID=100 for installer and UID=4000, GID=100 for readonly.

Regards

2 Likes

Tried an omnibus reconfigure using Luis's UID suggestions - job said it succeeded, but the accounts weren't disabled.

Tried to make a template just for installer disabling - job said it succeeded, but the account wasn't disabled.

Tried to use the same template I had used successfully yesterday to disable home user on a different AP - job said it succeeded, but the account wasn't disabled.

This has become a mess. Just to verify that my browser wasn't caching the Config->System screen, I opened one in another browser entirely. Nope, none of the templates are working to disable any of the accounts today.


@dshea wrote:

Tried an omnibus reconfigure using Luis's UID suggestions - job said it succeeded, but the accounts weren't disabled.

Tried to make a template just for installer disabling - job said it succeeded, but the account wasn't disabled.

Tried to use the same template I had used successfully yesterday to disable home user on a different AP - job said it succeeded, but the account wasn't disabled.

This has become a mess. Just to verify that my browser wasn't caching the Config->System screen, I opened one in another browser entirely. Nope, none of the templates are working to disable any of the accounts today.


Hi,

Please use template:

		"cambiumSysAccountsTable": [
		  {
			"cambiumSysAccountsName":	"admin",
			"cambiumSysAccountsHash":	"$1$Q4yAUtfC$E0acJjgS3LxPdxVTghsYh.",
			"cambiumSysAccountsUID":	"1000",
			"cambiumSysAccountsGID":	"4",
			"cambiumSysAccountsDir":	"\/tmp",
			"cambiumSysAccountsShell":	"\/usr\/bin\/clish"
		  },
		  {
			"cambiumSysAccountsName":	"installer",
			"cambiumSysAccountsHash":	"!$1$ILm\/RwMm$tRf4ElYVdEJpLb\/YIOl9N1",
			"cambiumSysAccountsUID":	"2000",
			"cambiumSysAccountsGID":	"100",
			"cambiumSysAccountsDir":	"\/tmp",
			"cambiumSysAccountsShell":	"\/bin\/false"
		  },
		  {
			"cambiumSysAccountsName":	"home",
			"cambiumSysAccountsHash":	"$1$\/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
			"cambiumSysAccountsUID":	"3000",
			"cambiumSysAccountsGID":	"100",
			"cambiumSysAccountsDir":	"\/tmp",
			"cambiumSysAccountsShell":	"\/bin\/false"
		  },
		  {
			"cambiumSysAccountsName":	"readonly",
			"cambiumSysAccountsHash":	"!$1$zn4\/PlCl$1qP9PGmPChDwkDAgp5Qgw0",
			"cambiumSysAccountsUID":	"4000",
			"cambiumSysAccountsGID":	"100",
			"cambiumSysAccountsDir":	"\/tmp",
			"cambiumSysAccountsShell":	"\/bin\/false"
		  },
		
		]

Add "!" to cambiumSysAccountsHash for users you want to disable.

Thank you.

Invalid JSON when I try to build that.  I've built a .json file with the code, it looks good but cnMaestro won't accept it.

Try this:

{
        "template_props": {
                "templateName": "",
                "templateDescription":  "",
                "device_type":  "",
                "version":      "3.3"
        },
        "device_props": {
                "cambiumSysAccountsTable": [
                   {
                        "cambiumSysAccountsName":"installer",
                        "cambiumSysAccountsHash":"!$1$ILm\/RwMm$tRf4ElYVdEJpLb\/YIOl9N1",
                        "cambiumSysAccountsUID":"2000",
                        "cambiumSysAccountsGID":"100",
                        "cambiumSysAccountsDir":"\/tmp",
                        "cambiumSysAccountsShell":"\/bin\/false"
                  },
                  {
                        "cambiumSysAccountsName":"home",
                        "cambiumSysAccountsHash":"!$1$\/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
                        "cambiumSysAccountsUID":"3000",
                        "cambiumSysAccountsGID":"100",
                        "cambiumSysAccountsDir":"\/tmp",
                        "cambiumSysAccountsShell":"\/bin\/false"
                  },
                  {
                        "cambiumSysAccountsName":"readonly",
                        "cambiumSysAccountsHash":"!$1$zn4\/PlCl$1qP9PGmPChDwkDAgp5Qgw0",
                        "cambiumSysAccountsUID":"4000",
                        "cambiumSysAccountsGID":"100",
                        "cambiumSysAccountsDir":"\/tmp",
                        "cambiumSysAccountsShell":"\/bin\/false"
                  }
                ]
        }
}
1 Like

@Au Wireless wrote:

Invalid JSON when I try to build that.  I've built a .json file with the code, it looks good but cnMaestro won't accept it.


Please copy it to cnMaestro one more time, it was redundant symbol before account section.

Thank you.

Other than the initial success with the template to disable the home account the first time I tried it, none of these templates actually do anything to the accounts they are supposed to disable. Of course, not a single one of the templates offered by Cambium employees in this thread actually work as they are configured - each one has to be "fixed" because the .json is invalid, and for all I know, my efforts in doing that are the reason why the scripts don't work.

Putting aside the question of "why should this be so complicated?", is there a method for generating the hash in the first place? Is there a list of the UID and GID info? Some sort of documentation? And if not, is it unfair to ask Cambium to provide a "works perfectly as-is", ready to copy-and-paste template to drop right into cnMaestro?

It looks like a shadow file password.

Try to read man 3 crypt

1 Like

Hi Gents I have confirmed this works now on v3.4 however you need to reboot the device for it to take effect on the gui. Can anyone confirm this? Is there a way to set the script to reboot the CPE once applied?