Re: NSO 4.1 CLI giving "syntax error: expecting" for all commands
I believe the security defaults for 4.1 have changed.
PAM is the recommended authentication method on this release, so, if you chose to use PAM, the user must be present in the Linux authentication mechanism (the default for most Linux distros is to use /etc/passwd and /etc/shadow).
Please check the deployment documentation, in the Setting up AAA section.
Setting up AAA
As we saw in the previous section, the REST HTTPS API is enabled. This API is used by a few of the crucial nct commands, thus if we want to use nct, we must enable password-based REST login (through PAM).
The default AAA initialization file that gets shipped with NSO resides under /var/opt/ncs/cdb/aaa_init.xml. If we're not happy with that, this is a good point in time to modify the initialization data for AAA.
The NSO daemon is still not running, and we have no existing CDB files. The defaults are restrictive and fine though, so we'll keep them here.
Looking at the aaa_init.xml file we see that two groups are referred to in the NACM rule list, ncsadmin and ncsoper.
The NSO authorization system is group based, thus for the rules to apply for a specific user, the user must
be a member of the right group. Authentication is performed by PAM, and authorization is performed by the NSO
NACM rules. Adding myself to the ncsadmin group will ensure that I get properly authorized.
$ nct ssh-cmd -c 'sudo addgroup ncsadmin'
$ nct ssh-cmd -c 'sudo adduser klacke ncsadmin'
Henceforth I will log into the different NSO hosts using my own login credentials. There are many advantages to
this scheme, the main one being that all audit logs on the NSO hosts will show who did what and when. The common
scheme of having a shared admin user with a shared password is not recommended.
To test the NSO logins, we must first start NSO.
$ nct ssh-cmd -c 'sudo /etc/init.d/ncs start'
At this point we should be able to curl login over REST, and also directly log in remotely to the NSO CLI. On the admin
$ ssh -p 2024 srv-ncs-m
klacke connected from 10.147.40.94 using ssh on srv-ncs-m
Connection to srv-ncs-m closed.
Checking the NSO audit log on the NSO host srv-ncs-m we see: