docs/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst
Ron Stone 547bc79e7d Spellcheck (r9, dsR9)
Run spellcheck job and correct errors.
Fix malformed table

Change-Id: I15d30123ce246adcbdde5d0c9b05e3ff4a69abc0
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2024-06-11 17:27:22 +00:00

.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:

========================================================
Selectively Disable SSH for Local OpenLDAP and WAD Users
========================================================

The local OpenLDAP and |WAD| servers are used for both K8s API and |SSH|
authentication. It is therefore necessary to be able to disallow |SSH|
authentication for selected users.
---------------------------------
Linux Group denyssh Configuration
---------------------------------

The Linux group ``denyssh`` is a pre-configured group to which all the |LDAP|
users with denied |SSH| access will be added. The group is configured in the
|SSHD| configuration file ``/etc/ssh/sshd_config`` and will be available to use
after system deployment.

Check the ``denyssh`` Linux group created at platform installation:

.. code-block::

    [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
    denyssh:x:10000
----------------------------------
Deny SSH Access for OpenLDAP Users
----------------------------------

.. rubric:: |proc|

#. Create an OpenLDAP user with the :command:`ldapusersetup` command and add
   the user to the Linux group ``denyssh`` during the creation of the |LDAP|
   user account.

   Example:

   .. code-block::

       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
       Enter username to add to LDAP: test1
       Successfully added user test1 to LDAP
       Successfully set password for user test1
       Warning : password is reset, user will be asked to change password at login
       Add test1 to sudoer list? (yes/NO): yes
       Successfully added sudo access for user test1 to LDAP
       Add test1 to secondary user group? (yes/NO): yes
       Secondary group to add user to? [sys_protected]: denyssh
       Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
       Enter days after which user password must be changed [90]:
       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
       Updating password expiry to 90 days
       Enter days before password is to expire that user is warned [2]:
       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
       Updating password expiry to 2 days

#. Verify that the new user is a member of the ``denyssh`` group.

   Example:

   .. code-block::

       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
       uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
       [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
       test1 : users denyssh
       sysadmin@controller-0:~$ getent group|grep denyssh
       denyssh:x:10000:test1

#. Attempt to log in via |SSH| as user ``test1``.

   The login should be denied.

#. Remove the user from the ``denyssh`` group.

   Example:

   .. code-block::

       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
       Password:
       Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
       uid=10005(test1) gid=100(users) groups=100(users)

#. Attempt to :command:`ssh` as the user.

   The :command:`ssh` login should now be successful.
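
The ``denyssh`` mechanism described above relies on the |SSHD| group-deny setting in ``/etc/ssh/sshd_config``. The following shell script is an added example, not StarlingX code, that reproduces that access decision offline from constructed ``sshd_config``, ``passwd`` and ``group`` data; it assumes the platform's ``sshd_config`` carries an OpenSSH ``DenyGroups denyssh`` line, and the user and group entries in it are constructed samples.

```shell
#!/bin/sh
# Added example (not StarlingX code): reproduce sshd's DenyGroups decision
# offline. Assumption: the platform's sshd_config contains "DenyGroups denyssh".
# All three inputs are constructed samples, not read from a live controller.

SSHD_CONFIG='# constructed /etc/ssh/sshd_config excerpt
PasswordAuthentication yes
DenyGroups denyssh
PermitRootLogin no'

# passwd-style lines: name:x:uid:gid:gecos:home:shell
PASSWD_DB='test1:x:10005:100::/home/test1:/bin/bash
sysadmin:x:1000:10001::/home/sysadmin:/bin/bash'

# group-style lines (same shape as "getent group"): name:x:gid:member,member
GROUP_DB='users:x:100:
denyssh:x:10000:test1
sys_protected:x:10001:sysadmin'

# Group names listed on DenyGroups lines. The keyword is case-insensitive;
# sshd also accepts glob patterns here, which this exact-match check ignores.
denied_groups() {
    printf '%s\n' "$SSHD_CONFIG" |
        awk 'tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }'
}

# A user's primary group (via the passwd gid) plus supplementary groups,
# one name per line; sshd's DenyGroups matches against both.
user_groups() {
    gid=$(printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Print "denied" when any of the user's groups is on DenyGroups, else "allowed".
ssh_access() {
    for g in $(denied_groups); do
        for ug in $(user_groups "$1"); do
            [ "$g" = "$ug" ] && { echo denied; return 0; }
        done
    done
    echo allowed
}

ssh_access test1      # denied: member of denyssh
ssh_access sysadmin   # allowed
```

To check a live controller instead, feed the script the output of ``getent passwd``, ``getent group`` and the real ``sshd_config``; a user that reports ``denied`` here should be refused by ``ssh`` exactly as step 3 above expects.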
-----------------------------
Deny SSH Access for WAD Users
-----------------------------

.. rubric:: |proc|

#. Create a |WAD| group ``denyssh`` with the same GID as the Linux group ``denyssh``.

#. Add the |WAD| user to the ``denyssh`` |WAD| group.

#. Attempt to :command:`ssh` as the |WAD| user.

   The login should be denied.

#. Remove the user from the |WAD| group ``denyssh``.

   The user should now be able to :command:`ssh`.