Linux Login Security Options

Administrators can determine how Linux® authorization gets implemented for the IBM® Wave installation. To change the default Linux login security options, from the IBM Wave main menu, select Administrative > Manage Parameters > Security and go to the Linux Login Security Options pane.
In general, IBM Wave takes Linux actions for guest-specific operations. Some of the following actions drive Linux flows:
  • Init Users for IBM Wave
    Note: The IBM Wave Internal User, WAVEuser, is installed on each Linux guest that is managed by Wave during the Init Users for IBM Wave action. The Wave Internal User can be used by the WAVESRV server to connect to the Linux Guest only by using the public/private key pair. The password for WAVEuser is locked, which means the user cannot log in by using a password.
  • Manage Storage Actions
  • Connect to VNS or Disconnect from VNS.
The Linux flows establish a Secure Shell (SSH) connection to the managed guest, and then run the Linux commands on the guest. When the flows are run, some of the necessary Linux commands require the use of the su or sudo command for authorization. For example, during an Init Users for IBM Wave action, you must use sudo to add a user to your managed guest.
As an administrator, you can use the Linux Login Security Options pane to control the flows and determine how Linux authentication and authorization are implemented for your installation.
Figure 1. Linux Login Security Options
Linux SSH Authentication Method
The Linux SSH Authentication Method options determine what user security options are used when IBM Wave runs commands on the Linux guest. The user can also be configured with the sudo command. When the configuration uses sudo, the user must be listed in the /etc/sudoers file (which you access by using the visudo command).
  • IBM Wave Internal User (WAVEuser): Select IBM Wave Internal User when everyone on the designated Wave server is running commands on all of the managed guests by using the WAVEuser Linux ID that is installed on each Linux guest during the Init Users for IBM Wave process.
  • SSH Login User: Select the SSH Login User when everyone on the designated Wave Server is running commands on all managed guests by using a user-designated (not site-wide) login ID. The ID must have a default value assigned. To assign the default value, on the IBM Wave main menu, click User Tasks > Change User Preferences > SSH login user name. The SSH user must be manually created on each managed Linux guest and configured with a home directory. When sudo is selected, you must add the user to the /etc/sudoers file.
  • IBM Wave Login User: Select IBM Wave Login User when everyone on the designated Wave server is running commands on all the managed guests by using their IBM Wave user interface (UI) ID. The user must be manually created on each managed Linux guest such that the new Linux user name matches the IBM Wave UI login name. The user must be configured with a home directory. When sudo is selected, you must add the users to the /etc/sudoers file. This configuration is common when the Lightweight Directory Access Protocol (LDAP) is used on IBM Wave and the Linux guests.
Authorized Commands Program
The Authorized Commands Program determines the authorized commands that are run on Linux.
  • su: The su option uses su to run commands on Linux. You must select Root password in the Authenticated Access Using pane for your Linux Authentication Method user to automatically switch to root when they run commands that need authorization.
  • sudo: The sudo option runs commands with authorization on Linux, but it does not switch the user. Commands are run by the user that is specified for the Linux SSH Authentication Method by using the sudo command.
  • Other: The Other option is for customers who use Enterprise Security Managers on Linux. It allows them to enter an alternative su or sudo command.
    • Syntax Type: The Syntax Type field indicates whether the command syntax specified matches su or sudo.
Authorized Command Credentials
Authorized Command Credentials determines how the Authorized Commands you select (su, sudo, Other) are configured.
  • No Password: Use when no password is needed when issuing an authorized command.
  • SSH Login User's Password: Use when the SSH user's password is needed when issuing an authorized command.
  • Root password: Use when your sudoers file requires the root password when issuing an authorized command.

Typically, you use Root password with su and SSH Login User's Password with sudo.

Sometimes, sudo is configured not to prompt for passwords at all. With this sudo configuration, you can use the No Password option to instruct IBM Wave not to prompt the user for an authorized command password.

Other times, sudo is configured to use the Root password to authorize the commands. When you SSH into your system as a regular non-root user and issue a command (for example, sudo cat /etc/passwd), Linux can either request your user password or the root password. Make your selection according to the command output.

Notes:
  1. To manually configure sudo to use the root password, enter the Defaults rootpw line into the sudoers file (visudo).
  2. To manually configure sudo to use the user password, remove the line from the sudoers file that says Defaults rootpw, Defaults runaspw, or Defaults targetpw.
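
The selection described above can also be read from the sudoers content instead of from a live password prompt. The following script is an added example, not IBM Wave code: the helper name wave_sudo_credential, the user waveadm, and the sample sudoers lines are constructed for illustration. It treats rootpw, runaspw, and targetpw alike, as note 2 does, and it handles only global Defaults lines and per-user rules in a single file.

```shell
#!/bin/sh
# Added example (not IBM code): choose the IBM Wave "Authorized Command
# Credentials" option for sudo from the content of a sudoers file.
# Simplified: reads one file, global "Defaults" lines and per-user rules only;
# it does not follow include directives, aliases, or %group rules.
# Assumption: authorized commands run as root, so runaspw and targetpw also
# make sudo ask for the root password.

# wave_sudo_credential USER SUDOERS_FILE  (hypothetical helper name)
wave_sudo_credential() {
    kind=$(awk -v user="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 == "Defaults" {                          # global Defaults only
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, flag, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                f = flag[i]; gsub(/[ \t]/, "", f)
                on = (substr(f, 1, 1) != "!")       # "!flag" switches it off
                sub(/^!/, "", f)
                if (f == "rootpw" || f == "runaspw" || f == "targetpw") pw[f] = on
                if (f == "authenticate") noauth = !on
            }
            next
        }
        $1 == user && /NOPASSWD:/ { nopasswd = 1 }  # per-user rule, no prompt
        END {
            if (nopasswd || noauth) print "none"
            else if (pw["rootpw"] || pw["runaspw"] || pw["targetpw"]) print "root"
            else print "user"
        }' "$2")
    case $kind in
        none) echo "No Password" ;;
        root) echo "Root password" ;;
        *)    echo "SSH Login User's Password" ;;
    esac
}

# Constructed sample input: three sudoers variants for a user named waveadm.
sample_dir=$(mktemp -d)
printf '%s\n' 'Defaults env_reset' 'waveadm ALL=(ALL) ALL' > "$sample_dir/userpw"
printf '%s\n' 'Defaults env_reset, rootpw' 'waveadm ALL=(ALL) ALL' > "$sample_dir/rootpw"
printf '%s\n' 'Defaults rootpw' 'waveadm ALL=(ALL) NOPASSWD: ALL' > "$sample_dir/nopw"

for f in userpw rootpw nopw; do
    printf '%-7s -> %s\n' "$f" "$(wave_sudo_credential waveadm "$sample_dir/$f")"
done
```

On a managed guest, the sudoers file is readable only by root, so run the helper there as root against /etc/sudoers and confirm the result with an interactive sudo command as described above.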

For more information about the IBM Wave Security parameters, see IBM Wave parameters.