.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:

========================================================
Selectively Disable SSH for Local OpenLDAP and WAD Users
========================================================

Local OpenLDAP and |WAD| servers are used for both K8s API and |SSH| authentication.
Since the same accounts serve both, it is necessary to disallow |SSH|
authentication for selected users.

---------------------------------
Linux Group denyssh Configuration
---------------------------------

The Linux group ``denyssh`` is a pre-configured group; every |LDAP| user who is
to be denied |SSH| access is added to it. The group is referenced in the |SSHD|
configuration file ``/etc/ssh/sshd_config`` and is available for use after
system deployment.

Verify that the ``denyssh`` Linux group was created at platform installation:

.. code-block::

    [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
    denyssh:x:10000
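The ``denyssh`` mechanism works because |SSHD| compares each login's group list
with the groups it has been told to deny in ``/etc/ssh/sshd_config``. The POSIX
shell script below is an added example, not part of this documentation or of
StarlingX: it reads an ``sshd_config``-style file and ``getent group`` output
and reports whether a user would be blocked by group membership. It assumes the
group is listed with the standard ``sshd_config`` ``DenyGroups`` directive (the
exact line StarlingX ships is not shown on this page), and all inputs (the
config fragment, the group file lines, user names) are constructed so the script
runs offline. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not StarlingX code): decide whether a user would be blocked by
# sshd's DenyGroups directive, given an sshd_config-style file and the text of
# `getent group`. On a real controller you would pass /etc/ssh/sshd_config and
# `getent group` output instead of the constructed samples used here.

# Print every group name or pattern from active DenyGroups lines in file $1.
# Comment lines are ignored and the keyword is matched case-insensitively,
# as sshd does; values are assumed to be whitespace-separated.
denied_groups() {
    awk 'tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print the groups in `getent group` text ($1) that list user $2 as a
# supplementary member. The member field is compared exactly, so a group
# whose name merely contains "denyssh" is not reported (unlike a plain grep).
# The user's primary group comes from passwd and is not shown here.
groups_of_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Return 0 if any of the user's groups ($2, whitespace-separated) matches a
# DenyGroups entry in config file $1, otherwise 1.
ssh_denied_by_group() {
    cfg="$1"
    member_of="$2"
    # The right-hand side of the pipe runs in a subshell, so `exit` there only
    # ends that subshell and becomes the function's return status. Reading the
    # patterns with `read` avoids the shell glob-expanding entries like deny*.
    denied_groups "$cfg" | {
        while read -r pattern; do
            for g in $member_of; do
                # An unquoted case pattern lets sshd-style globs match.
                case "$g" in $pattern) exit 0 ;; esac
            done
        done
        exit 1
    }
}

# Constructed sample inputs mirroring the page: group denyssh (GID 10000)
# with test1 as a member, and an sshd_config fragment that denies that group.
SAMPLE_SSHD_CONFIG="$(mktemp)"
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sshd_config fragment
PermitRootLogin no
DenyGroups denyssh
EOF
SAMPLE_GETENT='root:x:0:
users:x:100:
sys_protected:x:10001:sysadmin
denyssh:x:10000:test1'

for u in test1 sysadmin; do
    member_of="$(groups_of_user "$SAMPLE_GETENT" "$u")"
    if ssh_denied_by_group "$SAMPLE_SSHD_CONFIG" "$member_of"; then
        echo "$u: SSH denied via DenyGroups (member of: $member_of)"
    else
        echo "$u: not denied by group membership"
    fi
done
rm -f "$SAMPLE_SSHD_CONFIG"
```

Run the script as-is to see the verdict for the constructed users; for a live
check, replace the sample file with ``/etc/ssh/sshd_config`` and the sample text
with the output of ``getent group``. Because ``groups_of_user`` only sees
supplementary groups, ``id <user>`` (as in the procedure below) remains the
complete check for a single user; the script is most useful for auditing every
member of a denied group at once.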

----------------------------------
Deny SSH Access for OpenLDAP Users
----------------------------------

.. rubric:: |proc|

#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add
   the user to Linux group ``denyssh`` during the creation of the |LDAP| user
   account.

   Example:

   .. code-block::

       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
       Enter username to add to LDAP: test1
       Successfully added user test1 to LDAP
       Successfully set password for user test1
       Warning : password is reset, user will be asked to change password at login
       Add test1 to sudoer list? (yes/NO): yes
       Successfully added sudo access for user test1 to LDAP
       Add test1 to secondary user group? (yes/NO): yes
       Secondary group to add user to? [sys_protected]: denyssh
       Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
       Enter days after which user password must be changed [90]:
       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
       Updating password expiry to 90 days
       Enter days before password is to expire that user is warned [2]:
       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
       Updating password expiry to 2 days

#. Verify that the new user is a member of the ``denyssh`` group.

   Example:

   .. code-block::

       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
       uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
       [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
       test1 : users denyssh
       sysadmin@controller-0:~$ getent group|grep denyssh
       denyssh:x:10000:test1

#. Attempt to :command:`ssh` as user ``test1``.

   The login should be denied.

#. Remove the user from the ``denyssh`` group with the
   :command:`ldapdeleteuserfromgroup` command and verify that the group no
   longer appears in the user's membership.

   Example:

   .. code-block::

       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
       Password:
       Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
       uid=10005(test1) gid=100(users) groups=100(users)

#. Attempt to :command:`ssh` as the user.

   The :command:`ssh` login should now succeed.

-----------------------------
Deny SSH Access for WAD Users
-----------------------------

.. rubric:: |proc|

#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group
   ``denyssh`` (``10000`` in the example above), so that the |SSHD| deny rule
   also applies to members of the |WAD| group.

#. Add the |WAD| user to the ``denyssh`` |WAD| group.

#. Attempt to :command:`ssh` as the |WAD| user.

   The login should be denied.

#. Remove the user from the |WAD| group ``denyssh``.

   The user should then be able to :command:`ssh`.