docs/doc/source/security/kubernetes/selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c.rst
Ngairangbam Mili fa0f9ba6be Update deny access procedure for WAD users to use pam configuration
Change-Id: Ic89d72757099f39f2072fd652ebb5ed0e2d2b4ca
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
2024-10-30 13:29:59 +00:00


.. _selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c:

====================================================
Selectively Disable SSH for Local LDAP and WAD Users
====================================================

Local LDAP and |WAD| servers are used for K8s API and |SSH| authentication.
In some cases, it may be necessary to disallow |SSH| authentication for
selected users or a group of users.

The Linux group ``denyssh`` is a system-created group which is preconfigured in
the |SSHD| configuration such that any member of this group is denied |SSH|
access.
------------------------------------
Deny SSH Access for Local LDAP Users
------------------------------------

.. rubric:: |proc|

#. Create a local |LDAP| user with the :command:`ldapusersetup` command and add
   the user to the Linux group ``denyssh`` during the creation of the |LDAP|
   user account.

   Example:

   .. code-block::

      [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
      Enter username to add to LDAP: test1
      Successfully added user test1 to LDAP
      Successfully set password for user test1
      Warning : password is reset, user will be asked to change password at login
      Add test1 to sudoer list? (yes/NO): yes
      Successfully added sudo access for user test1 to LDAP
      Add test1 to secondary user group? (yes/NO): yes
      Secondary group to add user to? [sys_protected]: denyssh
      Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
      Enter days after which user password must be changed [90]:
      Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 90 days
      Enter days before password is to expire that user is warned [2]:
      Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 2 days

#. Verify that the new user is a member of the ``denyssh`` group.

   Example:

   .. code-block::

      [sysadmin@controller-0 ~(keystone_admin)]$ id test1
      uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
      [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
      test1 : users denyssh
      sysadmin@controller-0:~$ getent group|grep denyssh
      denyssh:x:10000:test1

#. Attempt to ssh as user ``test1``.

   The ssh should be denied.

#. Remove the user from the ``denyssh`` group.

   Example:

   .. code-block::

      [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
      Password:
      Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
      [sysadmin@controller-0 ~(keystone_admin)]$ id test1
      uid=10005(test1) gid=100(users) groups=100(users)

#. Attempt to ssh as user ``test1``.

   The ssh should be allowed.
-----------------------------
Deny SSH Access for WAD Users
-----------------------------

.. rubric:: |proc|

#. Create a |WAD| group or use an existing |WAD| group for the users that
   should not have access to the platform.

   .. note::

      The |WAD| group used should have a name other than ``denyssh``.

#. Add the |WAD| user to the |WAD| group.

   .. note::

      The |WAD| user you want to deny access to should not be a member of a
      |WAD| group that has allowed access. The allowed user groups are
      configured with the |SSSD| parameter ``ldap_access_filter``. Giving and
      denying access to the user at the same time leads to inconsistent
      authentication results.

#. Map the |WAD| group to the existing Linux group ``denyssh`` following the
   |PAM| group configuration described in
   :ref:`add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1`.

   Example: Add the following line to ``/etc/security/group.conf`` to map the
   |WAD| group to the ``denyssh`` Linux group.

   ``*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh``

#. Attempt to ssh as the |WAD| user.

   The ssh should be denied.

#. Remove the user from the |WAD| group.

   The user should be able to ssh.
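Both procedures above rest on two facts that can be checked before anyone tries to log in: that the user really is listed in the ``denyssh`` group (the |LDAP| procedure), and that the ``pam_group`` line in ``/etc/security/group.conf`` is well-formed and targets ``denyssh`` rather than a misspelled group that would never place the user in it (the |WAD| procedure). The script below is an added example and is not part of the StarlingX documentation or the platform's tooling. It works entirely on text passed in as arguments, so it runs without an LDAP or WAD server; the ``getent group`` output and the ``group.conf`` excerpt are constructed samples, and only the ``services;ttys;users;times;groups`` field layout of ``pam_group`` and the ``denyssh`` group name are taken as given.

```shell
#!/bin/sh
# Added example, not part of the StarlingX documentation or tooling: offline
# checks for the two facts the SSH-denial procedures depend on. All input is
# passed as text, so this runs without an LDAP or WAD server. On a controller
# you would feed it `getent group denyssh` output and /etc/security/group.conf.

# Constructed sample of `getent group` output (not captured from a real system).
SAMPLE_GETENT='users:x:100:
sys_protected:x:10001:
denyssh:x:10000:test1,test2'

# Constructed /etc/security/group.conf excerpt. The first mapping has the form
# used in the WAD procedure; the second misspells the target group, so it would
# never place its members in denyssh.
SAMPLE_GROUP_CONF='# pam_group mappings (constructed sample)
*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh
*;*;%other_users@wad.mydomain.com;Al0000-2400;denysssh'

# Print the comma-separated member list of the denyssh group found in
# getent-style text ($1). Prints nothing if the group is absent.
denyssh_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "denyssh" { print $4 }'
}

# Return 0 if user $1 is a member of denyssh in getent-style text ($2),
# i.e. sshd is expected to deny the login; return 1 otherwise.
is_ssh_denied() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == "denyssh" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Validate one pam_group line ($1) against the documented layout
# services;ttys;users;times;groups: exactly five fields, a %group in the users
# field, and denyssh as the target group. Prints a diagnostic and returns 1 on
# the first problem found.
check_group_conf_line() {
    printf '%s\n' "$1" | awk -F';' '
        NF != 5         { print "expected 5 fields, got " NF; exit 1 }
        $3 !~ /^%/      { print "users field should name a %group, got " $3; exit 1 }
        $5 != "denyssh" { print "target group is " $5 ", not denyssh"; exit 1 }
        { exit 0 }'
}

# Count the lines of group.conf text ($1) that fail check_group_conf_line,
# skipping blank lines and comments. The count is printed on stdout.
count_bad_group_conf_lines() {
    printf '%s\n' "$1" | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' | {
        bad=0
        while IFS= read -r line; do
            check_group_conf_line "$line" >/dev/null || bad=$((bad + 1))
        done
        echo "$bad"
    }
}

# Demonstration on the constructed samples.
echo "denyssh members: $(denyssh_members "$SAMPLE_GETENT")"
for u in test1 alice; do
    if is_ssh_denied "$u" "$SAMPLE_GETENT"; then
        echo "$u: SSH expected to be denied"
    else
        echo "$u: SSH expected to be allowed"
    fi
done
echo "bad group.conf lines: $(count_bad_group_conf_lines "$SAMPLE_GROUP_CONF")"
```

On a controller the same functions can be applied to live data, for example ``is_ssh_denied test1 "$(getent group denyssh)"`` after step 1 of the |LDAP| procedure, or ``count_bad_group_conf_lines "$(cat /etc/security/group.conf)"`` after editing the |PAM| mapping; a non-zero count means at least one mapping will not put its members into ``denyssh``.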