docs/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst
Ron Stone 547bc79e7d Spellcheck (r9, dsR9)
Run spellcheck job and correct errors.
Fix malformed table

Change-Id: I15d30123ce246adcbdde5d0c9b05e3ff4a69abc0
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2024-06-11 17:27:22 +00:00


Selectively Disable SSH for Local OpenLDAP and WAD Users

Local OpenLDAP and WAD servers are used for K8s API authentication as well as for SSH login. Thus, it is necessary to be able to disallow SSH authentication for selected users while keeping their accounts usable for the K8s API.

Linux Group denyssh Configuration

The Linux group denyssh is a pre-configured group to which all users who are to be denied SSH access are added. The group is referenced in the SSH daemon configuration file /etc/ssh/sshd_config and is available for use immediately after system deployment.

Check the denyssh Linux group created at platform installation:

[sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
denyssh:x:10000

Deny SSH Access for OpenLDAP Users

  1. Create an OpenLDAP user with the ldapusersetup command and add the user to the Linux group denyssh during the creation of the user account.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
    Enter username to add to LDAP: test1
    Successfully added user test1 to LDAP
    Successfully set password for user test1
    Warning : password is reset, user will be asked to change password at login
    Add test1 to sudoer list? (yes/NO): yes
    Successfully added sudo access for user test1 to LDAP
    Add test1 to secondary user group? (yes/NO): yes
    Secondary group to add user to? [sys_protected]: denyssh
    Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
    Enter days after which user password must be changed [90]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Enter days before password is to expire that user is warned [2]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days
  2. Verify that the new user is a member of the denyssh group.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
    [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
    test1 : users denyssh
    sysadmin@controller-0:~$ getent group|grep denyssh
    denyssh:x:10000:test1
  3. Attempt to ssh as user test1.

    The login should be denied.

  4. Remove the user from the denyssh group.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
    Password:
    Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users)

  5. Attempt to ssh as the user.

    The ssh should be successful.

Deny SSH Access for WAD Users

  1. Create a WAD group named denyssh with the same GID (10000) as the Linux group denyssh.

  2. Add the user to the denyssh group.

  3. Attempt to ssh as the user.

    The login should be denied.

  4. Remove the user from group denyssh.

    The user should be able to ssh.
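The check that both procedures above rely on, whether a user's primary or supplementary groups include a group listed in DenyGroups, can be exercised offline. The following POSIX shell script is an added example, not part of the StarlingX documentation or tooling: it parses a constructed sshd_config fragment and constructed passwd/group records (the test1 and GID 10000 values match the page, the wadguest account and the DenyGroups line are assumptions) and reports which users would be refused by sshd. It covers the WAD case as well, where the user's primary GID is 10000 rather than an explicit member entry.

```shell
#!/bin/sh
# Added example (not the project's own code): reproduce sshd's DenyGroups
# decision for a user from constructed configuration and account data.

# Constructed sshd_config fragment. Assumption: the platform enables the
# denyssh group via a DenyGroups directive.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
DenyGroups denyssh
PasswordAuthentication yes'

# Constructed /etc/group-style records. test1 is an explicit member of
# denyssh, as in the page's getent output.
SAMPLE_GROUPS='users:x:100:test1,test2
denyssh:x:10000:test1
sys_protected:x:345:sysadmin'

# Constructed /etc/passwd-style records. wadguest (hypothetical) stands in for
# a WAD user whose primary group is the WAD denyssh group with GID 10000.
SAMPLE_PASSWD='test1:x:10005:100::/home/test1:/bin/bash
test2:x:10006:100::/home/test2:/bin/bash
wadguest:x:20001:10000::/home/wadguest:/bin/bash'

# Print every group named on DenyGroups lines (keyword is case-insensitive).
denied_groups() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" |
        awk 'tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }'
}

# in_group USER GROUP: succeed if GROUP is USER's primary group or lists USER
# as a supplementary member, the same two cases sshd considers.
in_group() {
    user=$1
    group=$2
    gid=$(printf '%s\n' "$SAMPLE_GROUPS" | awk -F: -v g="$group" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 1
    pgid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$user" '$1 == u { print $4 }')
    if [ -n "$pgid" ] && [ "$pgid" = "$gid" ]; then
        return 0
    fi
    printf '%s\n' "$SAMPLE_GROUPS" | awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# ssh_verdict USER: print "denied" if USER belongs to any DenyGroups group,
# otherwise "allowed". Always returns 0 so it is safe under set -e.
ssh_verdict() {
    for g in $(denied_groups); do
        if in_group "$1" "$g"; then
            echo "denied"
            return 0
        fi
    done
    echo "allowed"
    return 0
}

# Stand-alone run: report the verdict for each constructed account.
for u in test1 test2 wadguest; do
    printf '%s: %s\n' "$u" "$(ssh_verdict "$u")"
done
```

To run the same logic against a live controller, replace the three SAMPLE_ variables with the output of `cat /etc/ssh/sshd_config`, `getent group` and `getent passwd`; the verdict for a user should then match the result of the ssh attempts in steps 3 and 5 above.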