NI Linux Real-Time Discussions

How to interact with NI-Auth from shell

A couple of questions about using NI-Auth. I don't fully get how it's integrated with the native user/group management tools.

When I open WebMAX on my cRIO, I see the only user listed is "admin". What about "lvuser" and "webserv"? Why aren't they listed in WebMAX?

Is there a CLI that I can use to add users to NI-Auth or change their permissions? I want to create a user for remote clients of the Variable Web Service and only allow it the permissions needed by that API.

0 Kudos
Message 1 of 5
(5,758 Views)
Solution
Accepted by topic author Staab_Engineering

NIAuth users (like admin) exist in a separate database from system users (like lvuser, webserv, openvpn, sshd, etc) on NI Linux RT, so there are some differences in how you would manage the two sets of accounts:

  • NIAuth users can only be managed from the WIF, on the Security Configuration page. There is unfortunately no programmatic API (C, LV, shell, etc) to interface with the database (except for password changes, see below).
  • System users are stored in the Linux shadow database and can be managed from the shell via "shadow" utils like useradd, groupadd, usermod, groupmod.

Both the niauth and shadow databases provide a PAM interface, which implements authentication and password change functions through a standard open API:

Staab_Engineering wrote:

I want to create a user for remote clients of the Variable Web Service and only allow it the permissions needed by that API.

You might consider using LabVIEW's system imaging VIs to deploy images with pre-configured NIAuth database to your systems.

Alternately, you could also write a script to copy the contents of /etc/natinst/share/niauth/ (niauth's database files) from one hand-configured system to your other targets over SSH. Just be sure to shut down the niauth daemon (run `/etc/init.d/niauth stop`) before you do that. The database files are architecture-specific, so don't share them between ARM and x64 systems.

Message 2 of 5
(5,526 Views)
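
The copy-over-SSH approach from the accepted answer above, written out as an added example; it is not part of the original posts and is not NI tooling. It assumes SSH logins as `admin`, `tar` on every target, and that `/etc/init.d/niauth` accepts `start` as well as `stop`; the function names and the `SSH` / `NIAUTH_SSH_USER` variables are hypothetical.

```shell
#!/bin/sh
# Added example, not NI code. Assumptions: SSH login as admin on every target,
# tar on each target, and an init script that accepts "start" as well as "stop".
NIAUTH_DIR=/etc/natinst/share/niauth
NIAUTH_SSH_USER=${NIAUTH_SSH_USER:-admin}
SSH=${SSH:-ssh}   # overridable so the logic can be exercised without hardware

# True only when both hosts report the same machine architecture (uname -m),
# since the database files must not be shared between ARM and x64 systems.
same_arch() {   # same_arch SOURCE TARGET
    src_arch=$($SSH "$NIAUTH_SSH_USER@$1" uname -m) || return 2
    dst_arch=$($SSH "$NIAUTH_SSH_USER@$2" uname -m) || return 2
    [ -n "$src_arch" ] && [ "$src_arch" = "$dst_arch" ]
}

# Stream the hand-configured database into a local archive file.
fetch_db() {    # fetch_db SOURCE ARCHIVE
    $SSH "$NIAUTH_SSH_USER@$1" "tar -C $NIAUTH_DIR -cf - ." > "$2"
}

# Stop niauth on the target, unpack the archive, then start niauth again.
push_db() {     # push_db TARGET ARCHIVE
    $SSH "$NIAUTH_SSH_USER@$1" /etc/init.d/niauth stop || return 1
    $SSH "$NIAUTH_SSH_USER@$1" "tar -C $NIAUTH_DIR -xf -" < "$2"
    rc=$?
    $SSH "$NIAUTH_SSH_USER@$1" /etc/init.d/niauth start || return 1
    return $rc
}

clone_niauth() {   # clone_niauth SOURCE TARGET...
    src=$1; shift
    archive=$(mktemp) || return 1     # mktemp creates the file with mode 0600
    fetch_db "$src" "$archive" || { rm -f "$archive"; return 1; }
    failed=0
    for dst in "$@"; do
        if same_arch "$src" "$dst"; then
            push_db "$dst" "$archive" || failed=1
        else
            echo "skipping $dst: architecture differs from $src" >&2
            failed=1
        fi
    done
    rm -f "$archive"   # holds the account database; do not leave it behind
    return $failed
}

if [ "$#" -ge 2 ]; then clone_niauth "$@"; fi
```

Run it from a workstation as `sh clone_niauth.sh SOURCE TARGET...`; a target whose `uname -m` differs from the source is skipped and the script exits non-zero.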

Thanks for all the details! Since there's no public API to the niauth db, I'll take your recommendation to use a preconfigured image/directory as the Correct Answer. I'd sure like to see a CLI created from the PAM interface one day, though!

0 Kudos
Message 3 of 5
(5,526 Views)

Staab_Engineering wrote:

I'd sure like to see a CLI created from the PAM interface one day, though!

Those already exist today to the extent that's possible: The `login` and `passwd` programs in NI Linux RT are already configured to use PAM, so they would work with niauth user accounts to check a user's password and change a password, respectively. PAM doesn't provide APIs to create/manage accounts (aside from password changes), so unfortunately other common programs like `useradd` and `groupadd` can't leverage PAM today.

0 Kudos
Message 4 of 5
(5,526 Views)

Fair enough; I guess I shouldn't have invoked "PAM" without really understanding it well. What I mean to ask for is a CLI that allows addition/removal of permissions.

0 Kudos
Message 5 of 5
(5,526 Views)