docs/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst
Ngairangbam Mili 571cf5a561 Procedure to selectively disable SSH for local OpenLDAP and WAD users
Story: 2010589
Task: 50031

Change-Id: I2631bcff15119afb2d0492d74997f4a04236128c
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2024-05-07 06:09:26 +00:00

.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:

========================================================
Selectively Disable SSH for Local OpenLDAP and WAD Users
========================================================

Local OpenLDAP and |WAD| servers are used for both K8s API and |SSH| authentication.
Thus, it is necessary to be able to disallow |SSH| authentication for selected users.


---------------------------------
Linux Group denyssh Configuration
---------------------------------

The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with
denied |SSH| access will be added. The group is configured in the |SSHD|
configuration file ``/etc/ssh/sshd_config`` and will be available to use after
system deployment.

Check that the ``denyssh`` Linux group was created at platform installation:

.. code-block::

   [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
   denyssh:x:10000

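
The following is an added audit helper, not part of this documentation or the platform
tooling: it answers whether a given user will be refused |SSH| because of the ``denyssh``
group. It assumes that ``sshd_config`` wires the group in with a ``DenyGroups`` directive
(the text above only says the group is configured there), and it runs on constructed
sample data standing in for ``getent group denyssh`` output and an ``sshd_config`` fragment
so that it works offline.

```shell
#!/bin/sh
# Added example: offline check of the denyssh mechanism. Assumes a DenyGroups
# directive in sshd_config; the inputs below are constructed samples, not
# output captured from a real controller.

SAMPLE_GROUP='denyssh:x:10000:test1,test2'   # constructed `getent group denyssh`

SAMPLE_SSHD_CONFIG='PasswordAuthentication yes
#DenyGroups disabled-example
DenyGroups denyssh
PermitRootLogin no'                          # constructed sshd_config fragment

# group_members GROUPLINE -> prints the member list, one name per line
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
}

# is_in_denyssh USER GROUPLINE -> exit 0 only on an exact member-name match
# (grep -x stops "test" from counting as a member just because "test1" is).
is_in_denyssh() {
    group_members "$2" | grep -qx -- "$1"
}

# sshd_denies_group CONFIG GROUP -> exit 0 if an uncommented DenyGroups line
# lists GROUP anywhere in its argument list; "#DenyGroups ..." lines are ignored.
sshd_denies_group() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*DenyGroups([[:space:]]+[^[:space:]]+)*[[:space:]]+$2([[:space:]]|\$)"
}

# ssh_status USER -> prints "denied" when sshd honours the group and USER is a
# member of it, otherwise "allowed"
ssh_status() {
    if sshd_denies_group "$SAMPLE_SSHD_CONFIG" denyssh && is_in_denyssh "$1" "$SAMPLE_GROUP"; then
        echo denied
    else
        echo allowed
    fi
}

ssh_status test1   # denied
ssh_status alice   # allowed
```

On a live system, replace the two sample variables with ``$(getent group denyssh)`` and
``$(cat /etc/ssh/sshd_config)`` to audit the real configuration.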

----------------------------------
Deny SSH Access for OpenLDAP Users
----------------------------------

.. rubric:: |proc|

#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add
   the user to the Linux group ``denyssh`` during the creation of the |LDAP| user
   account.

   Example:

   .. code-block::

      [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
      Enter username to add to LDAP: test1
      Successfully added user test1 to LDAP
      Successfully set password for user test1
      Warning : password is reset, user will be asked to change password at login
      Add test1 to sudoer list? (yes/NO): yes
      Successfully added sudo access for user test1 to LDAP
      Add test1 to secondary user group? (yes/NO): yes
      Secondary group to add user to? [sys_protected]: denyssh
      Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
      Enter days after which user password must be changed [90]:
      Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 90 days
      Enter days before password is to expire that user is warned [2]:
      Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 2 days


#. Verify that the new user is a member of the ``denyssh`` group.

   Example:

   .. code-block::

      [sysadmin@controller-0 ~(keystone_admin)]$ id test1
      uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
      [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
      test1 : users denyssh
      sysadmin@controller-0:~$ getent group|grep denyssh
      denyssh:x:10000:test1

#. Log in as user ``test1``.

   The login should be denied.

#. Remove the user from the ``denyssh`` group.

   Example:

   .. code-block::

      [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
      Password:
      Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
      [sysadmin@controller-0 ~(keystone_admin)]$ id test1
      uid=10005(test1) gid=100(users) groups=100(users)

#. Attempt to :command:`ssh` as the user.

   The :command:`ssh` should be successful.


-----------------------------
Deny SSH Access for WAD Users
-----------------------------

.. rubric:: |proc|

#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``.

#. Add the |WAD| user to the ``denyssh`` |WAD| group.

#. Attempt to :command:`ssh` as the |WAD| user.

   The login should be denied.

#. Remove the user from the |WAD| group ``denyssh``.

   The user should be able to :command:`ssh`.