547bc79e7d
Run spellcheck job and correct errors. Fix malformed table Change-Id: I15d30123ce246adcbdde5d0c9b05e3ff4a69abc0 Signed-off-by: Ron Stone <ronald.stone@windriver.com>
112 lines
3.6 KiB
ReStructuredText
112 lines
3.6 KiB
ReStructuredText
.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:
|
||
|
||
========================================================
|
||
Selectively Disable SSH for Local OpenLDAP and WAD Users
|
||
========================================================
|
||
|
||
Local OpenLDAP and |WAD| servers are used for K8s API and |SSH| authentication.
|
||
Thus, it is necessary to disallow |SSH| authentication for selective users.
|
||
|
||
---------------------------------
|
||
Linux Group denyssh Configuration
|
||
---------------------------------
|
||
|
||
The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP| users with
|
||
denied |SSH| access will be added. The group is configured in the |SSHD|
|
||
configuration file ``/etc/ssh/sshd_config`` and will be available to use after
|
||
system deployment.
|
||
|
||
Check the ``denyssh`` Linux group created at platform installation:
|
||
|
||
.. code-block::
|
||
|
||
[sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
|
||
denyssh:x:10000
|
||
|
||
----------------------------------
|
||
Deny SSH Access for OpenLDAP Users
|
||
----------------------------------
|
||
|
||
.. rubric:: |proc|
|
||
|
||
#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add
|
||
the user to Linux group ``denyssh`` during the creation of the |LDAP| user
|
||
account.
|
||
|
||
Example:
|
||
|
||
.. code-block::
|
||
|
||
[sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
|
||
Enter username to add to LDAP: test1
|
||
Successfully added user test1 to LDAP
|
||
Successfully set password for user test1
|
||
Warning : password is reset, user will be asked to change password at login
|
||
Add test1 to sudoer list? (yes/NO): yes
|
||
Successfully added sudo access for user test1 to LDAP
|
||
Add test1 to secondary user group? (yes/NO): yes
|
||
Secondary group to add user to? [sys_protected]: denyssh
|
||
Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
|
||
Enter days after which user password must be changed [90]:
|
||
Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
|
||
Updating password expiry to 90 days
|
||
Enter days before password is to expire that user is warned [2]:
|
||
Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
|
||
Updating password expiry to 2 days
|
||
|
||
#. Verify that the new user is a member of the ``denyssh`` group.
|
||
|
||
Example:
|
||
|
||
.. code-block::
|
||
|
||
[sysadmin@controller-0 ~(keystone_admin)]$ id test1
|
||
uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
|
||
[sysadmin@controller-0 ~(keystone_admin)]$ groups test1
|
||
test1 : users denyssh
|
||
sysadmin@controller-0:~$ getent group|grep denyssh
|
||
denyssh:x:10000:test1
|
||
|
||
#. Log in as user ``test1``.
|
||
|
||
The login should be denied.
|
||
|
||
#. Remove the user from ``denyssh`` group.
|
||
|
||
#. Attempt to :command:`ssh` as the user.
|
||
|
||
The :command:`ssh` should be successful.
|
||
|
||
Example:
|
||
|
||
.. code-block::
|
||
|
||
[sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
|
||
Password:
|
||
Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
|
||
[sysadmin@controller-0 ~(keystone_admin)]$ id test1
|
||
uid=10005(test1) gid=100(users) groups=100(users)
|
||
|
||
-----------------------------
|
||
Deny SSH Access for WAD Users
|
||
-----------------------------
|
||
|
||
.. rubric:: |proc|
|
||
|
||
#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``.
|
||
|
||
#. Add the |WAD| user to the ``denyssh`` |WAD| group.
|
||
|
||
#. Attempt to :command:`ssh` as the |WAD| user.
|
||
|
||
The login should be denied.
|
||
|
||
#. Remove the user from |WAD| group ``denyssh``.
|
||
|
||
The user should be able to :command:`ssh`.
|
||
|
||
|
||
|
||
|
||
|