
Tag <access> - Osirium PAM Device Access

Definition

The <access> tag is used to define how Osirium PAM connects to devices.

This tag has the following attributes:

Parameters

  • type (shell, rdp) : This defines the type of the access to the device.

  • default (yes, no) : This defines whether this access method is the default one to be used when running Osirium PAM tasks on the device.

  • protocol (ssh, sshtelnet, rdp, https, http) : This defines the protocol to be used when establishing the connection through Osirium PAM to the device.

  • driver (str): This defines the name of the web driver class that will be used for http/https single sign-on.

  • write_size : The number of characters sent at a time to the device (a block).

  • write_delay: A delay (in ms) added in between blocks sent to the device.

A device can have multiple <access> tags, but only one default. The default access method is what Osirium PAM will use to run tasks, unless the task specifies another method.

An access tag then contains other tags that make up the full access definition, namely:

Each of these tags defines important information about the connection.

Example: Command line access over SSH

A typical setup for SSH access to a device looks like this:

   <access default='yes' protocol='ssh' type='shell'>
      <shellprompt ... />
      <preamble_task ... />
      <postamble_task ... />
   </access>

This defines SSH as the default access method to a device. The shell prompt and any pre/post-amble tasks are defined in the child tags.

Example: Command line access over Telnet

A typical setup for Telnet access to a device looks like this:

   <access default='yes' protocol='sshtelnet' type='shell'>
      <telnet_preamble ... />
      <username_prompt ... />
      <password_prompt ... />
      <telnet_postamble ... />
      <shellprompt ... />
      <preamble_task ... />
      <postamble_task ... />
   </access>

This is defining Telnet as the default access method to the device.

Because Telnet does not authenticate in the protocol like SSH does, the device will send down a prompt when it wants the username entered. Likewise for the password.

Devices can also have a usage disclaimer or motd (Message Of The Day) that often appears before the username prompt. Banners can also appear after logon.

The four tags shown above before the <shellprompt> tag allow for these steps to be defined in the template.

The protocol is named sshtelnet because the connection is SSH from the client to Osirium PAM, and Telnet from Osirium PAM to the device. This is to enhance the security of the connection.

Example: Windows device

A typical setup for a Windows device looks like this:

<access default='yes' protocol='winrm' type='shell'>
  <shellprompt ... />
  <preamble_task ... />
  <postamble_task ... />
</access>

This is defining winrm as the default access method to the device.

As well as winrm access, a Windows device will typically need RDP access using a second <access> tag like this:

<access protocol='rdp' type='rdp'/>

Example: Browser access to a device

Web browser access to a device is also added using an <access> tag. This should only be set to default in a template that only contains web single sign-on.

<access default='no' driver='f5.tmos' protocol='https'/>

For more information on web SSO drivers, please contact Osirium Technical Support.

Example: Controlling character transmission

Some more primitive devices, often firmware based rather than full operating systems, cannot handle the rate at which Osirium PAM sends characters. To slow this down you can use the write_size and write_delay attributes.

   <access type='shell' default='yes' protocol='ssh' write_size='15' write_delay='0.010'>

Attribute     Meaning
write_size    The number of characters Osirium PAM sends at a time, like a buffer size.
write_delay   The time in seconds Osirium PAM waits between each write.
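
The rules above lend themselves to an automated template check. The following is an added example, not Osirium's own tooling: it parses the <access> tags in a template and reports more than one default, attribute values outside those shown on this page, and protocols that reach the device unencrypted (sshtelnet, http). The <template> wrapper element, the sample data and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Allowed values, taken from the attribute list and examples on this page.
TYPES = {"shell", "rdp"}
PROTOCOLS = {"ssh", "sshtelnet", "rdp", "https", "http", "winrm"}
# Protocols that are unencrypted between Osirium PAM and the device.
CLEARTEXT = {"sshtelnet", "http"}

# Constructed sample; the <template> wrapper element is a placeholder.
SAMPLE = """
<template>
  <access default='yes' protocol='sshtelnet' type='shell' write_size='15' write_delay='0.010'/>
  <access default='yes' protocol='ssh' type='shell'/>
  <access default='no' driver='f5.tmos' protocol='https'/>
  <access protocol='rdp' type='rdp'/>
</template>
"""

def _is_positive(value, cast):
    """True if value parses with cast (int or float) and is positive."""
    try:
        return cast(value) > 0
    except ValueError:
        return False

def audit_access(xml_text):
    """Return a list of findings for the <access> tags in xml_text."""
    tags = list(ET.fromstring(xml_text).iter("access"))
    findings = []
    defaults = sum(1 for t in tags if t.get("default") == "yes")
    if defaults > 1:
        findings.append(f"{defaults} default access methods; only one is allowed")
    for n, tag in enumerate(tags, 1):
        proto, kind = tag.get("protocol"), tag.get("type")
        if proto not in PROTOCOLS:
            findings.append(f"access #{n}: unknown protocol {proto!r}")
        if kind is not None and kind not in TYPES:
            findings.append(f"access #{n}: unknown type {kind!r}")
        if proto in CLEARTEXT:
            findings.append(f"access #{n}: {proto} is cleartext on the device side")
        for attr, cast in (("write_size", int), ("write_delay", float)):
            value = tag.get(attr)
            if value is not None and not _is_positive(value, cast):
                findings.append(f"access #{n}: {attr}={value!r} is not a positive number")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_access(SAMPLE)))
```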

Parent Tags

Child Tags