Run spellcheck job and correct errors. Fix malformed table

Change-Id: I15d30123ce246adcbdde5d0c9b05e3ff4a69abc0
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Selectively Disable SSH for Local OpenLDAP and WAD Users
Local OpenLDAP and WAD servers are used for Kubernetes API access and authentication. Because every account on these servers would otherwise be able to log in over SSH, it is necessary to deny SSH authentication for selected users.
Linux Group denyssh Configuration

The Linux group denyssh is a pre-configured group to which all users with denied SSH access are added. The group is configured in the configuration file /etc/ssh/sshd_config and is available for use after system deployment.

Check that the denyssh Linux group was created at platform installation:

    [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
    denyssh:x:10000
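The page states only that the denyssh group is configured in /etc/ssh/sshd_config. The following script is an added example (not part of the StarlingX documentation or code base) that assumes the directive used is OpenSSH's DenyGroups, and that evaluates its semantics against a constructed sshd_config snippet and a constructed group(5) file. It lets an administrator check, before touching a live system, which accounts a given group membership would lock out of SSH; the sample group file deliberately lists both an OpenLDAP-style and a WAD-style member so it covers both procedures on this page. Only the supplementary groups from the group file are modelled here; the primary group from passwd(5), which sshd also matches, is not.

```shell
#!/bin/sh
# Added example, not StarlingX code. Simulates the OpenSSH DenyGroups check
# (assumed to be the directive behind the denyssh group) against constructed
# sample data so the effect of a group membership can be checked offline.

# Constructed sample of /etc/ssh/sshd_config (not a real system file).
# Match blocks are not modelled; only top-level DenyGroups lines are read.
SSHD_CONFIG_SAMPLE='# constructed sample of /etc/ssh/sshd_config
Port 22
PermitRootLogin no
DenyGroups denyssh
PasswordAuthentication yes'

# Constructed sample of /etc/group: test1 (OpenLDAP user) and wad-user2
# (a hypothetical WAD user) are members of denyssh; sysadmin is not.
GROUP_SAMPLE='users:x:100:
sys_protected:x:345:sysadmin
denyssh:x:10000:test1,wad-user2'

# Print every group name listed on DenyGroups lines of the config on stdin.
# sshd_config keywords are case-insensitive, so the keyword is lower-cased.
denied_groups() {
    awk 'tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }'
}

# Print the supplementary groups of user $1 from a group(5) file on stdin.
# (The primary group from passwd(5) is not modelled in this example.)
user_groups() {
    awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Return 0 (denied) if user $1 belongs to any DenyGroups group, 1 otherwise.
ssh_denied() {
    for g in $(printf '%s\n' "$SSHD_CONFIG_SAMPLE" | denied_groups); do
        for ug in $(printf '%s\n' "$GROUP_SAMPLE" | user_groups "$1"); do
            [ "$g" = "$ug" ] && return 0
        done
    done
    return 1
}

# Report the outcome for each sample account.
for u in test1 wad-user2 sysadmin; do
    if ssh_denied "$u"; then
        echo "$u: SSH denied (member of a DenyGroups group)"
    else
        echo "$u: SSH allowed"
    fi
done
```

To run the same check against a real controller, replace the two sample variables with the contents of /etc/ssh/sshd_config and the output of getent group; the logic is unchanged.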
Deny SSH Access for OpenLDAP Users
1. Create an OpenLDAP user with the ldapusersetup command and add the user to the Linux group denyssh during the creation of the user account. Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
    Enter username to add to LDAP: test1
    Successfully added user test1 to LDAP
    Successfully set password for user test1
    Warning : password is reset, user will be asked to change password at login
    Add test1 to sudoer list? (yes/NO): yes
    Successfully added sudo access for user test1 to LDAP
    Add test1 to secondary user group? (yes/NO): yes
    Secondary group to add user to? [sys_protected]: denyssh
    Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
    Enter days after which user password must be changed [90]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Enter days before password is to expire that user is warned [2]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days

2. Verify that the new user is a member of the denyssh group. Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
    [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
    test1 : users denyssh
    sysadmin@controller-0:~$ getent group|grep denyssh
    denyssh:x:10000:test1

3. Log in as user test1. The login should be denied.

4. Remove the user from the denyssh group. Attempt to ssh as the user. The ssh should be successful. Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
    Password:
    Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users)
Deny SSH Access for WAD Users
1. Create a group denyssh with the same GID as the Linux group denyssh.

2. Add the user to the denyssh group. Attempt to ssh as the user. The login should be denied.

3. Remove the user from group denyssh. The user should be able to ssh.