Procedure to selectively disable SSH for local OpenLDAP and WAD users

Story: 2010589 Task: 50031 Change-Id: I2631bcff15119afb2d0492d74997f4a04236128c Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2024-05-03 04:28:37 +00:00 · 2024-05-03 04:28:37 +00:00 · 571cf5a561
commit 571cf5a561
parent 7d6847d59a
3 changed files with 113 additions and 0 deletions
--- a/doc/source/security/kubernetes/overview-of-system-accounts.rst
+++ b/doc/source/security/kubernetes/overview-of-system-accounts.rst
@ -53,3 +53,4 @@ For more information, refer to the following:
   starlingx-openstack-kubernetes-from-stsadmin-account-login
   kubernetes-cli-from-local-ldap-linux-account-login
   manage-local-ldap-39fe3a85a528
+   selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c
--- a/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst
+++ b/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst
@ -0,0 +1,111 @@
+.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:
+
+========================================================
+Selectively Disable SSH for Local OpenLDAP and WAD Users
+========================================================
+
+Local OpenLDAP and |WAD| servers are used for K8s API and |SSH| authentication.
+Thus, it is neccessary to disallow |SSH| authentication for selective users.
+
+---------------------------------
+Linux Group denyssh Configuration
+---------------------------------
+
+The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with
+denied |SSH| access will be added. The group is configured in the |SSHD|
+configuration file ``/etc/ssh/sshd_config`` and will be available to use after
+system deployment.
+
+Check the ``denyssh`` Linux group created at platform installation:
+
+.. code-block::
+
+    [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
+    denyssh:x:10000
+
+----------------------------------
+Deny SSH Access for OpenLDAP Users
+----------------------------------
+
+.. rubric:: |proc|
+
+#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add
+   the user to Linux group ``denyssh`` during the creation of the |LDAP| user
+   account.
+
+   Example:
+
+   .. code-block::
+
+       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
+       Enter username to add to LDAP: test1
+       Successfully added user test1 to LDAP
+       Successfully set password for user test1
+       Warning : password is reset, user will be asked to change password at login
+       Add test1 to sudoer list? (yes/NO): yes
+       Successfully added sudo access for user test1 to LDAP
+       Add test1 to secondary user group? (yes/NO): yes
+       Secondary group to add user to? [sys_protected]: denyssh
+       Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
+       Enter days after which user password must be changed [90]:
+       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
+       Updating password expiry to 90 days
+       Enter days before password is to expire that user is warned [2]:
+       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
+       Updating password expiry to 2 days
+
+#. Verify that the new user is a member of the ``denyssh`` group.
+
+   Example:
+
+   .. code-block::
+
+       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
+       uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
+       [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
+       test1 : users denyssh
+       sysadmin@controller-0:~$ getent group|grep denyssh
+       denyssh:x:10000:test1
+
+#. Log in as user ``test1``.
+
+   The login should be denied.
+
+#. Remove the user from ``denyssh`` group.
+
+#. Attempt to :command:`ssh` as the user.
+
+   The :command:`ssh` should be successful.
+
+   Example:
+
+   .. code-block::
+
+       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
+       Password:
+       Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
+       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
+       uid=10005(test1) gid=100(users) groups=100(users)
+
+-----------------------------
+Deny SSH Access for WAD Users
+-----------------------------
+
+.. rubric:: |proc|
+
+#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``.
+
+#. Add the |WAD| user to the ``denyssh`` |WAD| group.
+
+#. Attempt to :command:`ssh` as the |WAD| user.
+
+   The login should be denied.
+
+#. Remove the user from |WAD| group ``denyssh``.
+
+   The user should be able to :command:`ssh`.
+
+
+
+
+
--- a/doc/source/shared/abbrevs.txt
+++ b/doc/source/shared/abbrevs.txt
@ -181,6 +181,7 @@
 .. |SSH| replace:: :abbr:`SSH (Secure Shell)`
 .. |SSL| replace:: :abbr:`SSL (Secure Socket Layer)`
 .. |SSSD| replace:: :abbr:`SSSD (System Security Services Daemon)`
+.. |SSHD| replace:: :abbr:`SSHD (Secure Shell Daemon)`
 .. |STP| replace:: :abbr:`STP (Spanning Tree Protocol)`
 .. |SWACT| replace:: :abbr:`SWACT (SWitch ACTivity)`
 .. |TAI| replace:: :abbr:`TAI (International Atomic Time)`