Selectively Disable SSH for Local OpenLDAP and WAD Users
Local OpenLDAP and WAD servers are used for both K8s API and SSH authentication, so it is necessary to be able to disallow SSH authentication for selected users while leaving their other access intact.
Linux Group denyssh Configuration
The Linux group denyssh is a pre-configured group to which all LDAP users whose SSH access is to be denied are added. The group is referenced in the SSHD configuration file /etc/ssh/sshd_config and is available for use immediately after system deployment.
Check that the denyssh Linux group was created at platform installation:
[sysadmin@controller-0 ~(keystone_admin)]$ getent group denyssh
denyssh:x:10000
Deny SSH Access for OpenLDAP Users
Procedure
1. Create an OpenLDAP user with the ldapusersetup command and add the user to the Linux group denyssh as a secondary group during creation of the LDAP user account. Example:
[sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
Enter username to add to LDAP: test1
Successfully added user test1 to LDAP
Successfully set password for user test1
Warning : password is reset, user will be asked to change password at login
Add test1 to sudoer list? (yes/NO): yes
Successfully added sudo access for user test1 to LDAP
Add test1 to secondary user group? (yes/NO): yes
Secondary group to add user to? [sys_protected]: denyssh
Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
Enter days after which user password must be changed [90]:
Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Enter days before password is to expire that user is warned [2]:
Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
2. Verify that the new user is a member of the denyssh group. Example:
[sysadmin@controller-0 ~(keystone_admin)]$ id test1
uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
[sysadmin@controller-0 ~(keystone_admin)]$ groups test1
test1 : users denyssh
sysadmin@controller-0:~$ getent group|grep denyssh
denyssh:x:10000:test1
3. Attempt to log in over SSH as user test1. The login should be denied.
4. Remove the user from the denyssh group.
5. Attempt to SSH as the user again. The SSH login should now succeed. Example:
[sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
Password:
Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
[sysadmin@controller-0 ~(keystone_admin)]$ id test1
uid=10005(test1) gid=100(users) groups=100(users)
Deny SSH Access for WAD Users
Procedure
1. Create a WAD group named denyssh with the same GID as the Linux group denyssh (10000 in the example above), so that SSHD resolves membership of the WAD group to the local denyssh group.
2. Add the WAD user to the denyssh WAD group.
3. Attempt to SSH as the WAD user. The login should be denied.
4. Remove the user from the WAD group denyssh.
5. Attempt to SSH as the WAD user again. The user should now be able to log in.
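As an added example, not part of the StarlingX documentation or its tooling, the following POSIX shell functions check the two facts that both procedures above depend on: that the user is a listed member of denyssh, and that sshd_config actually denies that group; the group_gid helper gives the GID lookup used when matching a WAD denyssh group to the local one. It assumes the sshd_config entry is a DenyGroups directive, and the group database and configuration text are constructed samples.

```shell
#!/bin/sh
# Added example, not StarlingX tooling: predict from the group database and
# sshd_config whether a user will be refused SSH login via the denyssh group.
# Assumes /etc/ssh/sshd_config carries a DenyGroups directive naming denyssh.

# Constructed stand-ins for `getent group` output and sshd_config content.
SAMPLE_GROUPS='users:x:100:
sys_protected:x:345:
denyssh:x:10000:test1,alice'
SAMPLE_SSHD_CONFIG='Port 22
DenyGroups denyssh
PasswordAuthentication yes'

# group_gid GROUP GROUP_DB: print the numeric GID of GROUP.
# Use it to confirm a WAD denyssh group carries the same GID as the local one.
group_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# user_in_group USER GROUP GROUP_DB: succeed if USER is a listed
# (supplementary) member of GROUP. A primary-group match via /etc/passwd
# is not covered by this check.
user_in_group() {
    printf '%s\n' "$3" | awk -F: -v g="$2" '$1 == g { print $4 }' \
        | tr ',' '\n' | grep -qx "$1"
}

# sshd_denies_group GROUP SSHD_CONFIG: succeed if an uncommented DenyGroups
# line lists GROUP literally (sshd also accepts wildcard patterns, which this
# simplified check does not expand).
sshd_denies_group() {
    printf '%s\n' "$2" | awk -v g="$1" '
        tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
        END { exit found ? 0 : 1 }'
}

# ssh_login_denied USER GROUP_DB SSHD_CONFIG: succeed when the denyssh rule
# is active and USER is a member, i.e. the login should be refused.
ssh_login_denied() {
    sshd_denies_group denyssh "$3" && user_in_group "$1" denyssh "$2"
}

# Walk the page's scenario: test1 is a member and denied, bob is not.
for u in test1 bob; do
    if ssh_login_denied "$u" "$SAMPLE_GROUPS" "$SAMPLE_SSHD_CONFIG"; then
        echo "$u: SSH login denied (member of denyssh)"
    else
        echo "$u: SSH login allowed"
    fi
done
```

On a live controller, replace the constructed samples with `getent group` output and the contents of /etc/ssh/sshd_config.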