Merge "Procedure to selectively disable SSH for local OpenLDAP and WAD users"
@@ -53,3 +53,4 @@ For more information, refer to the following:
|
|||||||
starlingx-openstack-kubernetes-from-stsadmin-account-login
|
starlingx-openstack-kubernetes-from-stsadmin-account-login
|
||||||
kubernetes-cli-from-local-ldap-linux-account-login
|
kubernetes-cli-from-local-ldap-linux-account-login
|
||||||
manage-local-ldap-39fe3a85a528
|
manage-local-ldap-39fe3a85a528
|
||||||
|
selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c
|
||||||
|
|||||||
@@ -0,0 +1,111 @@
|
|||||||
|
.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:
|
||||||
|
|
||||||
|
========================================================
|
||||||
|
Selectively Disable SSH for Local OpenLDAP and WAD Users
|
||||||
|
========================================================
|
||||||
|
|
||||||
|
Local OpenLDAP and |WAD| servers are used for K8s API and |SSH| authentication.
|
||||||
|
Thus, it is neccessary to disallow |SSH| authentication for selective users.
|
||||||
|
|
||||||
|
---------------------------------
|
||||||
|
Linux Group denyssh Configuration
|
||||||
|
---------------------------------
|
||||||
|
|
||||||
|
The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with
|
||||||
|
denied |SSH| access will be added. The group is configured in the |SSHD|
|
||||||
|
configuration file ``/etc/ssh/sshd_config`` and will be available to use after
|
||||||
|
system deployment.
|
||||||
|
|
||||||
|
Check the ``denyssh`` Linux group created at platform installation:
|
||||||
|
|
||||||
|
.. code-block::
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
|
||||||
|
denyssh:x:10000
|
||||||
|
|
||||||
|
----------------------------------
|
||||||
|
Deny SSH Access for OpenLDAP Users
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
.. rubric:: |proc|
|
||||||
|
|
||||||
|
#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add
|
||||||
|
the user to Linux group ``denyssh`` during the creation of the |LDAP| user
|
||||||
|
account.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
.. code-block::
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
|
||||||
|
Enter username to add to LDAP: test1
|
||||||
|
Successfully added user test1 to LDAP
|
||||||
|
Successfully set password for user test1
|
||||||
|
Warning : password is reset, user will be asked to change password at login
|
||||||
|
Add test1 to sudoer list? (yes/NO): yes
|
||||||
|
Successfully added sudo access for user test1 to LDAP
|
||||||
|
Add test1 to secondary user group? (yes/NO): yes
|
||||||
|
Secondary group to add user to? [sys_protected]: denyssh
|
||||||
|
Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
|
||||||
|
Enter days after which user password must be changed [90]:
|
||||||
|
Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
|
||||||
|
Updating password expiry to 90 days
|
||||||
|
Enter days before password is to expire that user is warned [2]:
|
||||||
|
Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
|
||||||
|
Updating password expiry to 2 days
|
||||||
|
|
||||||
|
#. Verify that the new user is a member of the ``denyssh`` group.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
.. code-block::
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ id test1
|
||||||
|
uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ groups test1
|
||||||
|
test1 : users denyssh
|
||||||
|
sysadmin@controller-0:~$ getent group|grep denyssh
|
||||||
|
denyssh:x:10000:test1
|
||||||
|
|
||||||
|
#. Log in as user ``test1``.
|
||||||
|
|
||||||
|
The login should be denied.
|
||||||
|
|
||||||
|
#. Remove the user from ``denyssh`` group.
|
||||||
|
|
||||||
|
#. Attempt to :command:`ssh` as the user.
|
||||||
|
|
||||||
|
The :command:`ssh` should be successful.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
.. code-block::
|
||||||
|
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
|
||||||
|
Password:
|
||||||
|
Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
|
||||||
|
[sysadmin@controller-0 ~(keystone_admin)]$ id test1
|
||||||
|
uid=10005(test1) gid=100(users) groups=100(users)
|
||||||
|
|
||||||
|
-----------------------------
|
||||||
|
Deny SSH Access for WAD Users
|
||||||
|
-----------------------------
|
||||||
|
|
||||||
|
.. rubric:: |proc|
|
||||||
|
|
||||||
|
#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``.
|
||||||
|
|
||||||
|
#. Add the |WAD| user to the ``denyssh`` |WAD| group.
|
||||||
|
|
||||||
|
#. Attempt to :command:`ssh` as the |WAD| user.
|
||||||
|
|
||||||
|
The login should be denied.
|
||||||
|
|
||||||
|
#. Remove the user from |WAD| group ``denyssh``.
|
||||||
|
|
||||||
|
The user should be able to :command:`ssh`.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
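Review bot: step 3 of the OpenLDAP procedure ("Log in as user ``test1``") should say "Attempt to :command:`ssh` as user ``test1``", matching the wording of the WAD procedure, because the ``denyssh`` group is enforced only by the sshd configuration and a console login would not exercise the restriction. In the same hunk: fix "neccessary" to "necessary" and "selective users" to "selected users", and make the motivation explicit (the same directory backs both K8s API and SSH authentication, so a user who needs only K8s API access would otherwise also receive shell access). The sentence "The group is configured in the SSHD configuration file ``/etc/ssh/sshd_config``" should quote the actual directive (presumably a ``DenyGroups denyssh`` line) so operators can verify it is present after deployment. Step 4 ("Remove the user from ``denyssh`` group") should name :command:`ldapdeleteuserfromgroup` in the step itself, since the example only appears after step 5. The ``getent group|grep denyssh`` example uses a different prompt (``sysadmin@controller-0:~$``) from the other examples; make them consistent. In the WAD procedure, the GID to match (10000 in the example) should be stated as the value returned by ``getent group denyssh`` on the deployed system rather than left to the reader to infer from the earlier example.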
@@ -183,6 +183,7 @@
|
|||||||
.. |SSH| replace:: :abbr:`SSH (Secure Shell)`
|
.. |SSH| replace:: :abbr:`SSH (Secure Shell)`
|
||||||
.. |SSL| replace:: :abbr:`SSL (Secure Socket Layer)`
|
.. |SSL| replace:: :abbr:`SSL (Secure Socket Layer)`
|
||||||
.. |SSSD| replace:: :abbr:`SSSD (System Security Services Daemon)`
|
.. |SSSD| replace:: :abbr:`SSSD (System Security Services Daemon)`
|
||||||
|
.. |SSHD| replace:: :abbr:`SSHD (Secure Shell Daemon)`
|
||||||
.. |STP| replace:: :abbr:`STP (Spanning Tree Protocol)`
|
.. |STP| replace:: :abbr:`STP (Spanning Tree Protocol)`
|
||||||
.. |SWACT| replace:: :abbr:`SWACT (SWitch ACTivity)`
|
.. |SWACT| replace:: :abbr:`SWACT (SWitch ACTivity)`
|
||||||
.. |TAI| replace:: :abbr:`TAI (International Atomic Time)`
|
.. |TAI| replace:: :abbr:`TAI (International Atomic Time)`
|
||||||
|
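Review bot: the new ``.. |SSHD| replace::`` substitution is inserted between |SSSD| and |STP|, but the list is alphabetical and SSHD sorts directly after SSH (before SSL); move the line up to keep the ordering.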
|||||||