 571cf5a561
Story: 2010589
Task: 50031
Change-Id: I2631bcff15119afb2d0492d74997f4a04236128c
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
	Selectively Disable SSH for Local OpenLDAP and WAD Users
Local OpenLDAP and WAD servers are used for K8s API authentication, so it is necessary to be able to disallow SSH authentication for selected users.
Linux Group denyssh Configuration
The Linux group denyssh is a pre-configured group to which all the users with denied access will be added. The group is configured in the configuration file /etc/ssh/sshd_config and will be available to use after system deployment.

Check the denyssh Linux group created at platform installation:

    [sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
    denyssh:x:10000:

Deny SSH Access for OpenLDAP Users
- Create an OpenLDAP user with the ldapusersetup command and add the user to the Linux group denyssh during the creation of the user account.

  Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
    Enter username to add to LDAP: test1
    Successfully added user test1 to LDAP
    Successfully set password for user test1
    Warning : password is reset, user will be asked to change password at login
    Add test1 to sudoer list? (yes/NO): yes
    Successfully added sudo access for user test1 to LDAP
    Add test1 to secondary user group? (yes/NO): yes
    Secondary group to add user to? [sys_protected]: denyssh
    Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
    Enter days after which user password must be changed [90]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Enter days before password is to expire that user is warned [2]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days

- Verify that the new user is a member of the denyssh group.

  Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
    [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
    test1 : users denyssh
    sysadmin@controller-0:~$ getent group|grep denyssh
    denyssh:x:10000:test1

- Log in as user test1. The login should be denied.

- Remove the user from the denyssh group.

- Attempt to ssh as the user. The ssh should be successful.

  Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
    Password:
    Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users)
Deny SSH Access for WAD Users
- Create a group denyssh with the same GID as the Linux group denyssh.

- Add the user to the denyssh group.

- Attempt to ssh as the user. The login should be denied.

- Remove the user from group denyssh. The user should be able to ssh.
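Both procedures above (OpenLDAP users and WAD users) rely on one mechanism: the account ends up in a group named denyssh with GID 10000, and sshd refuses logins for members of that group. The script below is an added example, not part of the StarlingX documentation or code. It audits the effective state from an operator's side: it reads the groups that sshd reports as denied and the membership that the group database reports, and says whether a given user would be blocked. The sample `getent group` and `sshd -T` outputs embedded in it are constructed; that the platform's sshd_config uses the standard OpenSSH `DenyGroups` directive for this, and that `sshd -T` (OpenSSH's effective-configuration dump, root only) is available on the host, are assumptions.

```shell
#!/bin/sh
# Added example, not StarlingX documentation or code: audit whether sshd would
# deny a user because of the denyssh group.
#
# Assumptions (labelled): sshd_config blocks the group with the standard OpenSSH
# "DenyGroups denyssh" directive, and `sshd -T` is available when run on a host.

# Constructed sample of `getent group` output (not captured from a real system).
SAMPLE_GROUP_DB='root:x:0:
users:x:100:
sysadmin:x:1000:
denyssh:x:10000:test1,test2'

# Constructed sample of `sshd -T` output; sshd -T prints keywords in lower case.
SAMPLE_SSHD_T='port 22
denygroups denyssh
permitrootlogin no'

# group_members GROUP GROUPDB -> comma-separated member list of GROUP;
# exits non-zero when GROUP is not present in GROUPDB.
group_members() {
  printf '%s\n' "$2" | awk -F: -v g="$1" '
    $1 == g { print $4; found = 1 }
    END     { if (!found) exit 1 }'
}

# denied_groups SSHD_T -> every group named on a DenyGroups line, one per line.
denied_groups() {
  printf '%s\n' "$1" | awk 'tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }'
}

# user_in_group USER GROUP GROUPDB -> 0 if USER is listed as a member of GROUP.
# Only supplementary membership from the group database is checked; a user whose
# primary GID (passwd gid field) is the denied group is not detected here.
user_in_group() {
  members=$(group_members "$2" "$3") || return 1
  printf '%s\n' "$members" | tr ',' '\n' | grep -qxF -- "$1"
}

# ssh_denied USER GROUPDB SSHD_T -> prints "denied" if USER belongs to any
# DenyGroups group, otherwise "allowed". Always returns 0.
ssh_denied() {
  for g in $(denied_groups "$3"); do
    if user_in_group "$1" "$g" "$2"; then
      echo denied
      return 0
    fi
  done
  echo allowed
}

# Live mode: `sh audit_denyssh.sh test1` checks the real host; with no argument
# the constructed samples above are used so the script runs offline.
if [ -n "${1:-}" ]; then
  ssh_denied "$1" "$(getent group)" "$(sudo sshd -T 2>/dev/null)"
else
  for u in test1 test2 sysadmin; do
    printf '%s: %s\n' "$u" "$(ssh_denied "$u" "$SAMPLE_GROUP_DB" "$SAMPLE_SSHD_T")"
  done
fi
```

In live mode the check depends on what `getent group` returns for directory-backed groups, which is governed by the host's NSS/SSSD configuration; if the WAD group is mapped to GID 10000 but its members are not enumerated, confirm membership with `id <user>` as the documented steps do. Because `DenyGroups` is matched against the user's primary group as well, a user whose primary GID is 10000 is denied by sshd even though this script, which only reads the member field of the group database, reports "allowed".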