Selectively Disable SSH for Local OpenLDAP and WAD Users

Local OpenLDAP and WAD servers are used for both K8s API and SSH authentication, so a user who is entitled to one is not automatically entitled to the other. It is therefore necessary to be able to disallow SSH authentication for selected users.

Linux Group denyssh Configuration

The Linux group denyssh is a pre-configured group to which LDAP users who must be denied SSH access are added. The group is referenced in the SSHD configuration file /etc/ssh/sshd_config and is available for use as soon as system deployment completes.

Check the denyssh Linux group created at platform installation:

[sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
denyssh:x:10000
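The following script is an added example, not part of the StarlingX documentation or code base. It shows how a practitioner can check, offline, whether a user's group membership would be rejected by sshd. It assumes the denyssh group is enforced through the sshd_config DenyGroups directive (the page only states that the group is configured in /etc/ssh/sshd_config); the sshd_config fragment and the `id` output strings below are constructed for the example, with the `id` strings mirroring the format shown on this page.

```shell
#!/bin/sh
# Added example (not StarlingX code): evaluate whether sshd's DenyGroups
# directive would reject a user, based on the user's `id` output.
# Assumption: the denyssh group is enforced via "DenyGroups denyssh".

# Constructed sshd_config fragment for offline testing (not the real file).
SAMPLE_SSHD_CONFIG='Port 22
DenyGroups denyssh
PasswordAuthentication yes'

# Constructed `id` output, in the format shown on this page.
SAMPLE_ID_DENIED='uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)'
SAMPLE_ID_ALLOWED='uid=10005(test1) gid=100(users) groups=100(users)'

# deny_groups CONFIG_TEXT: print every pattern listed on DenyGroups lines.
deny_groups() {
    printf '%s\n' "$1" | awk 'tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) print $i }'
}

# id_group_names ID_OUTPUT: print the primary and all supplementary group
# names, one per line. sshd applies DenyGroups to both kinds of group.
id_group_names() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' | awk '
        /^uid=/ { next }                      # the uid field is not a group
        {
            sub(/^(gid|groups)=/, "")         # strip the field label
            if (match($0, /\(.*\)/))          # keep the name inside "(...)"
                print substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# ssh_denied ID_OUTPUT CONFIG_TEXT: return 0 (true) when any group the user
# belongs to matches a DenyGroups pattern. The unquoted case pattern gives
# the same wildcard matching (* and ?) that sshd accepts in DenyGroups.
ssh_denied() {
    for pattern in $(deny_groups "$2"); do
        for name in $(id_group_names "$1"); do
            case $name in
                $pattern) return 0 ;;
            esac
        done
    done
    return 1
}

# Stand-alone demonstration on the constructed data.
if ssh_denied "$SAMPLE_ID_DENIED" "$SAMPLE_SSHD_CONFIG"; then
    echo "test1 while in denyssh: SSH denied"
fi
if ! ssh_denied "$SAMPLE_ID_ALLOWED" "$SAMPLE_SSHD_CONFIG"; then
    echo "test1 after removal from denyssh: SSH allowed"
fi
```

On a live controller the same functions can be fed real data with `ssh_denied "$(id test1)" "$(cat /etc/ssh/sshd_config)"`, which is a quick way to confirm the expected outcome of the procedures below before attempting a login. The check only models DenyGroups; it ignores AllowUsers, AllowGroups, DenyUsers and Match blocks, so an unexpected result on a customised sshd_config should be read against the full file. Because sshd matches on the resolved group name, the check applies equally to a WAD user once that user's WAD group resolves as denyssh.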

Deny SSH Access for OpenLDAP Users

Procedure

  1. Create an OpenLDAP user with the ldapusersetup command and add the user to the Linux group denyssh during the creation of the LDAP user account.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
    Enter username to add to LDAP: test1
    Successfully added user test1 to LDAP
    Successfully set password for user test1
    Warning : password is reset, user will be asked to change password at login
    Add test1 to sudoer list? (yes/NO): yes
    Successfully added sudo access for user test1 to LDAP
    Add test1 to secondary user group? (yes/NO): yes
    Secondary group to add user to? [sys_protected]: denyssh
    Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
    Enter days after which user password must be changed [90]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Enter days before password is to expire that user is warned [2]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days
    
  2. Verify that the new user is a member of the denyssh group.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
    [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
    test1 : users denyssh
    sysadmin@controller-0:~$ getent group|grep denyssh
    denyssh:x:10000:test1
    
  3. Log in as user test1.

    The login should be denied.

  4. Remove the user from the denyssh group.

  5. Attempt to SSH in as the user.

    The SSH login should succeed.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
    Password:
    Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users)
    

Deny SSH Access for WAD Users

Procedure

  1. Create a WAD group denyssh with the same GID as the Linux group denyssh.

  2. Add the WAD user to the denyssh WAD group.

  3. Attempt to SSH in as the WAD user.

    The login should be denied.

  4. Remove the user from the WAD group denyssh.

    The user should be able to SSH in.