Tuesday, August 30, 2011

Root Access on Linux-based UC appliances


There are many posts on the Internet teaching you how to get root access on CUCM.  This is not a secret.  Since CUCM is Linux-based, the method is pretty straightforward: use a Linux boot CD to boot into rescue mode and modify the relevant files.  Here's a simple walkthrough.

Assuming CUCM is already installed, boot the box with a Linux installation CD (e.g. RedHat) and type "linux rescue" at the boot prompt.


Choose language.  Default is 'English':


Choose keyboard.  Default is 'US':


We don't need to set up networking, so choose 'No' here.


Choose "Continue" to mount the CUCM file system.


The following message tells you that the CUCM file system has been mounted under /mnt/sysimage.  If you want to map the root directory to the CUCM file system (which is recommended), you may use the command "chroot /mnt/sysimage".


Below are the commands and explanations.


chroot /mnt/sysimage

This is to map the root directory to CUCM file system.

cd /etc

Change the working directory to /etc, where most of the system configuration files are stored.

rm securetty

Remove file "securetty" to allow remote connections with root.

passwd root

Reset (change) the password for the root user.  Type a password that is easy for you to remember.  Retype it to confirm.  If the password was changed successfully, you'll see the message "passwd: all authentication tokens updated successfully".

Notes:
  • If you typed a simple password, you might get a warning like "BAD PASSWORD: it is based on a dictionary word".  Just ignore it and retype to confirm.
  • There's no screen display for the password you're typing.  Type carefully.

The following steps require some basic knowledge of the vi editor.  If you're not familiar with vi, please search the Internet for help with vi commands.

vi passwd

Change the passwd file so the root user has a shell (command line interpreter) to use.  Use vi commands.  Change the line
 To

Save and exit file.

For those who are not familiar with vi, here is the command sequence (case-sensitive):
  1. Type /s to search for character 's'
  2. Type D to delete to the end of line
  3. Type A to enter append mode
  4. Type bin/bash to set the shell
  5. Press ESC key (it's a key on the upper-left corner of your keyboard) to exit append mode
  6. Type :wq to save and exit file.

vi ssh/sshd_config

Change the sshd_config file so you can SSH as root (it's disabled by default).  Use vi commands.  Change the line
To
Save and exit file.

For those who are not familiar with vi, here is the command sequence (case-sensitive):
  1. Type /Per to search for the word that begins with 'Per'
  2. Type X to delete the letter on the left (which is '#' in this case)
  3. Type :wq! to save and exit this read-only file

Back at the command prompt, type the exit command twice to reboot the system.


Use an SSH client (such as PuTTY) to test.  You should be able to SSH into CUCM with the root account.

This method applies to all Linux-based appliances such as Unity Connection, CUPS, CER, UCCX (Linux version), etc.
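
The three edits above (securetty removed, a login shell for root, root login enabled in sshd_config) can be checked on any mounted file system. The following audit function is an added example, not part of the original post or of any Cisco tooling; it assumes the stock root entry uses a non-interactive shell such as nologin, and the function name and output format are made up for illustration.

```shell
#!/bin/sh
# Audit ROOT/etc for the three changes the walkthrough makes.
# Prints one line per finding; the return status is the number of findings.
audit_root_access() {
    etc="${1%/}/etc"
    findings=0

    # 1. securetty removed: root logins are no longer limited to listed ttys.
    if [ ! -e "$etc/securetty" ]; then
        echo "FINDING: $etc/securetty is missing"
        findings=$((findings + 1))
    fi

    # 2. root's login shell (passwd field 7) is not nologin/false.
    #    Assumption: the stock entry uses a non-interactive shell.
    shell=$(awk -F: '$1 == "root" { print $7; exit }' "$etc/passwd" 2>/dev/null)
    case "$shell" in
        */nologin|*/false) ;;
        *)  echo "FINDING: root shell is '${shell:-unset}'"
            findings=$((findings + 1)) ;;
    esac

    # 3. An active (uncommented) PermitRootLogin other than "no".
    #    sshd uses the first value it reads; an absent directive is not
    #    flagged because its default depends on the OpenSSH version.
    prl=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' \
        "$etc/ssh/sshd_config" 2>/dev/null)
    if [ -n "$prl" ] && [ "$prl" != "no" ]; then
        echo "FINDING: PermitRootLogin $prl in $etc/ssh/sshd_config"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample tree in the state the walkthrough leaves behind.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/etc/passwd"
printf 'PermitRootLogin yes\n' > "$demo/etc/ssh/sshd_config"
audit_root_access "$demo" || echo "$? finding(s) under $demo"
rm -rf "$demo"
```

Pass the mount point of the file system to inspect (for example /mnt/sysimage from rescue media); with no argument it checks /etc on the running system.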

P.S. If the active partition is /PartB, you might run into an error like this:
Just hit "Enter" key to get to the shell.  Then use the following commands:

mount --bind /dev /mnt/sysimage/dev
chroot /mnt/sysimage


===================================================
Updated 3/13/2015:

I got many comments that "this works on CUCM version xx but didn't work on version yy".

Please understand that CUCM is just an application running on top of the RedHat Linux (which Cisco uses for many of its "appliances").

The rooting process is more OS related than application related.  If it didn't work, there could be only two reasons:

1) Some steps were missed or weren't done right (most likely).
or
2) RedHat changed how the authentication works between versions (very unlikely).

In a nutshell, the rooting is not specific to CUCM.  It's not even specific to Cisco.  You may root any appliance that is based on a common OS (such as Linux).

Last but not least, this still works on my CUCM 10.5.  :)


25 comments:

  1. Sometimes this might be /mnt/sysimage/partB !

  2. It doesn't work on CUCM 8.6, seems that Cisco guys are developing new security methods :) hahaa

  3. Cool tip Michael. Thanks!

  4. Hi, I tried to do this on CUCM 8.6.1 and it doesn't work. After I rebooted, all accounts were disabled and I can't log in anymore.
    Can you help? I tried to do http://forum.ru-board.com/postings.cgi?action=edit&forum=35&topic=3849&postno=2607 ,
    but the same: after reboot all accounts are disabled.

  5. I just tried this on a 8.6.2 system and it would appear that the moment you change shadow, the system can no longer read it once CUCM attempts to boot. I get a unix_chkpwd error could not get username from shadow (root)

  6. This procedure is not specific to CUCM. This is a generic password recovery procedure for Linux. If you couldn't get it to work, just search the Internet for "Linux", "root", "password", "recovery".

  7. I am trying to add a new user because the customer doesn't want the administrator user name that was given at installation time (security issue). I have created a new user but I don't know how to map the Platform command line interface developed by Cisco at login time. Any idea?

    Replies
    1. Take a look at https://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cli_ref/8_6_1/cli_ref_861.html#wp39889

    2. I cannot create, with set account name, a user equivalent to the master administrator one which is created at installation time, so that I can delete the original master one.

      I thought of creating that kind of user with a Linux rescue session, but when I log into it, the platform command interface (Cisco) does not start and it does appear in the show account display. Cisco TAC answered me that we have to reinstall specifying a new admin user and recover from a DRS backup. I was trying a faster way since we have 20 servers.

    3. Not sure what you tried to do. Is this all about cosmetics? What kind of privilege is missing with the "set account" command?

      Anyway, you may reference the existing account settings in the passwd file to clone a new one (groups, shell, etc.)

  8. I can't boot with the RedHat ISO file, so I use VMware v.8 and try to find a way to boot with RedHat.

  9. An easier way to get root access for a fresh install is to add an empty file named ENABLE_ROOT_ACCESS in the base_scripts directory. After this, use mkisofs to create a bootable iso.

  10. Hi Michael,

    This worked for me on UCONN 8.6.2.21900-5. Took the license and everything was good... until I rebooted the system. Now all my services in the CLI show STARTING.

    On CUCM the same thing happens and I get a Database communication error.

    Any ideas? I've tried restoring my snapshots and trying again, but the same thing keeps happening. Am I missing something?
    neshpatel

  11. What about CUCM 9.1, is it the same procedure?

  12. Don't you need to create an account before you do all this?

  13. For those without access to a RHEL 5 (or similar) ISO. I just did this on CUCM with a CentOS 5 ISO as well.

  14. Hi,
    Just tried to do this on CUCM v10.5... didn't work, "unknown login" when using the root ID.
    Tried it on a couple of servers with the same results... although V9 works OK.

    Does anybody know how to get root access to Version 10?

  15. Tried it on CUCCX 9.0(2)SU1 and it works! I mounted the rhel-server-6.0-x86_64-boot.iso image, which proposes the PartB active partition: just click OK and continue and the corrections are made for you.

    Great article!

    David

  16. Sadly this will be my last post. I just installed UCCX 12.5, and they have finally changed over to a cloud based model. That's the end of an era. Thank you very much for this original post. I've been referring back to it for at least a half dozen years.

  17. I haven't been to this page in a while. I am surprised this has worked for the latest versions; I stopped at V7.1.

  18. I don't know the latest post. I tried to deploy it on the UCCX but got an error "no such directory /mnt/sysimage exists".
