
Change-Id: Ic89d72757099f39f2072fd652ebb5ed0e2d2b4ca Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
Selectively Disable SSH for Local LDAP and WAD Users

Local LDAP and WAD servers are used for K8s API and SSH authentication. In some cases, it may be necessary to disallow SSH authentication for selected users or for a group of users.

The Linux group denyssh is a system-created group that is preconfigured so that any member of this group is denied SSH access.
Deny SSH Access for Local LDAP Users

1. Create a local user with the ldapusersetup command and add the user to the Linux group denyssh during the creation of the user account. Example:

       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
       Enter username to add to LDAP: test1
       Successfully added user test1 to LDAP
       Successfully set password for user test1
       Warning : password is reset, user will be asked to change password at login
       Add test1 to sudoer list? (yes/NO): yes
       Successfully added sudo access for user test1 to LDAP
       Add test1 to secondary user group? (yes/NO): yes
       Secondary group to add user to? [sys_protected]: denyssh
       Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
       Enter days after which user password must be changed [90]:
       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
       Updating password expiry to 90 days
       Enter days before password is to expire that user is warned [2]:
       Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
       Updating password expiry to 2 days

2. Verify that the new user is a member of the denyssh group. Example:

       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
       uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
       [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
       test1 : users denyssh
       sysadmin@controller-0:~$ getent group|grep denyssh
       denyssh:x:10000:test1

3. SSH as user test1. The SSH login should be denied.

4. Remove the user from the denyssh group. Example:

       [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
       Password:
       Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
       [sysadmin@controller-0 ~(keystone_admin)]$ id test1
       uid=10005(test1) gid=100(users) groups=100(users)

5. SSH as user test1. The SSH login should now be allowed.
Deny SSH Access for WAD Users

1. Create a group, or use an existing group, for the users that should not have access to the platform.

   Note: The group used should have a name other than denyssh.

2. Add the user to the group.

   Note: The user you want to deny access to should not be a member of a group that is allowed access. The allowed user groups are configured with the parameter ldap_access_filter. Giving and denying access to the same user at the same time leads to inconsistent authentication results.

3. Map the group to the existing Linux group denyssh, following the group configuration described in add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1. Example: Add the following line to /etc/security/group.conf to map the group to the denyssh Linux group.

       *;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh

4. Attempt to SSH as the user. The SSH login should be denied.

5. Remove the user from the group. The user should now be able to SSH.
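As an added example (not part of the original page or of the platform's own tooling), the following POSIX shell helpers perform the two checks the procedures above rely on: who is currently a direct member of denyssh according to getent group, and which WAD groups /etc/security/group.conf maps onto denyssh. The getent and group.conf contents embedded below are constructed samples, not captured from a real controller.

```shell
#!/bin/sh
# Audit helpers for the denyssh mechanism. Constructed sample data follows;
# on a real controller feed `getent group` and /etc/security/group.conf instead.
SAMPLE_GETENT='users:x:100:
sys_protected:x:1000:sysadmin
denyssh:x:10000:test1,test2'

SAMPLE_GROUP_CONF='# pam_group format: services;ttys;users;times;groups
*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh
*;*;%contractors@wad.mydomain.com;Al0000-2400;denyssh
*;*;%operators@wad.mydomain.com;Al0000-2400;sys_protected'

# Print the direct members of the denyssh group, one per line,
# reading `getent group` output from stdin.
denyssh_members() {
  awk -F: '$1 == "denyssh" {
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
  }'
}

# Exit 0 if user $1 is a direct member of denyssh (getent output on stdin).
is_denied() {
  denyssh_members | grep -qxF -- "$1"
}

# Print the external (WAD/LDAP) groups that a group.conf on stdin maps onto
# denyssh. Field 3 is the user/group selector (a leading % marks a group),
# field 5 is the comma-separated list of Linux groups granted.
groups_mapped_to_denyssh() {
  awk -F';' '
    /^[[:space:]]*#/ || NF < 5 { next }
    {
      n = split($5, g, ",")
      for (i = 1; i <= n; i++)
        if (g[i] == "denyssh") { sub(/^%/, "", $3); print $3; break }
    }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_GETENT" | denyssh_members
printf '%s\n' "$SAMPLE_GROUP_CONF" | groups_mapped_to_denyssh
```

Pipe the real `getent group` output and `/etc/security/group.conf` into these functions to list every account that is currently SSH-denied and every WAD group that confers that denial.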