Selectively Disable SSH for Local LDAP and WAD Users

Local LDAP and WAD servers are used for K8s API and SSH authentication. In some cases, it may be necessary to disallow SSH authentication for selected users or for a group of users.

The Linux group denyssh is a system-created group that is preconfigured in the sshd configuration so that any member of this group is denied SSH access.

Deny SSH Access for Local LDAP Users

Procedure

  1. Create a local LDAP user with the ldapusersetup command and add the user to Linux group denyssh during the creation of the LDAP user account.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
    Enter username to add to LDAP: test1
    Successfully added user test1 to LDAP
    Successfully set password for user test1
    Warning : password is reset, user will be asked to change password at login
    Add test1 to sudoer list? (yes/NO): yes
    Successfully added sudo access for user test1 to LDAP
    Add test1 to secondary user group? (yes/NO): yes
    Secondary group to add user to? [sys_protected]: denyssh
    Successfully added user test1 to group cn=denyssh,ou=Group,dc=cgcs,dc=local
    Enter days after which user password must be changed [90]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 90 days
    Enter days before password is to expire that user is warned [2]:
    Successfully modified user entry uid=test1,ou=People,dc=cgcs,dc=local in LDAP
    Updating password expiry to 2 days
    
  2. Verify that the new user is a member of the denyssh group.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users),10000(denyssh)
    [sysadmin@controller-0 ~(keystone_admin)]$ groups test1
    test1 : users denyssh
    sysadmin@controller-0:~$ getent group|grep denyssh
    denyssh:x:10000:test1
    
  3. SSH as user test1.

    The SSH login should be denied.

  4. Remove the user from denyssh group.

    Example:

    [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapdeleteuserfromgroup test1 denyssh
    Password:
    Successfully deleted user test1 from group cn=denyssh,ou=Group,dc=cgcs,dc=local
    [sysadmin@controller-0 ~(keystone_admin)]$ id test1
    uid=10005(test1) gid=100(users) groups=100(users)
    
  5. SSH as user test1.

    The SSH login should be allowed.

Deny SSH Access for WAD Users

Procedure

  1. Create a WAD group or use an existing WAD group for the users that should not have access to the platform.

    Note

    The WAD group used should have a name other than denyssh.

  2. Add the WAD user to the WAD group.

    Note

    The WAD user you want to deny access to should not be a member of a WAD group that has allowed access. The allowed user groups are configured with the SSSD parameter ldap_access_filter. Giving and denying access to the user at the same time leads to inconsistent authentication results.

  3. Map the WAD group to the existing Linux group denyssh following the PAM group configuration described in Add LDAP Users to Linux Groups Using PAM Configuration.

    Example: Add the following line to /etc/security/group.conf to map the WAD group to the denyssh Linux group.

    *;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh

  4. Attempt to SSH as the WAD user.

    The SSH login should be denied.

  5. Remove the user from the WAD group.

    The user should then be able to SSH.
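As an added example (written for this page, not part of the platform's own tooling), the hypothetical Python helper below evaluates group.conf lines the way pam_group applies them for the common field forms, so a step 3 mapping can be checked offline before it is deployed: it reports which Linux groups a given user would pick up at login. The user, group and time values are constructed assumptions.

```python
"""Offline evaluator for /etc/security/group.conf (pam_group) lines; a hypothetical
helper written for this page, not platform tooling. Handles '*' wildcards, exact
user names, '%group' membership and '|'-joined day/time entries (Al0000-2400,
Wk0800-1800); the full logic-list grammar ('&', '!') is not implemented."""
from datetime import datetime

# pam_group day abbreviations -> Python weekday numbers (Monday == 0)
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}

def _time_matches(spec, weekday, hhmm):
    """True if any entry such as 'Wk0800-1800' covers this weekday and time."""
    for entry in spec.split("|"):
        days, rng = entry[:-9], entry[-9:]            # 'Al' + '0000-2400'
        start, end = (int(x) for x in rng.split("-"))
        wanted = set()
        for i in range(0, len(days), 2):              # 'MoTuWe' -> {0, 1, 2}
            wanted |= DAYS[days[i:i + 2]]
        in_range = (start <= hhmm < end) if start <= end else (hhmm >= start or hhmm < end)
        if weekday in wanted and in_range:
            return True
    return False

def _user_matches(spec, user, groups):
    """'*' matches anyone, '%name' matches a group the user belongs to, else exact name."""
    return any(item == "*" or item == user or
               (item.startswith("%") and item[1:] in groups)
               for item in spec.split("|"))

def extra_groups(conf, user, groups, service="sshd", tty="ssh",
                 weekday=None, hhmm=None):
    """Return the Linux groups pam_group would add for this login (sshd sets PAM_TTY=ssh)."""
    now = datetime.now()
    weekday = now.weekday() if weekday is None else weekday
    hhmm = now.hour * 100 + now.minute if hhmm is None else hhmm
    added = set()
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        svc, ttys, users, times, grps = (f.strip() for f in line.split(";"))
        if svc in ("*", service) and ttys in ("*", tty) \
                and _user_matches(users, user, groups) \
                and _time_matches(times, weekday, hhmm):
            added.update(g.strip() for g in grps.split(","))
    return added

# Constructed sample: the mapping line from step 3 above
GROUP_CONF = "*;*;%disallowed_users@wad.mydomain.com;Al0000-2400;denyssh\n"
```

A user whose SSSD-resolved groups include disallowed_users@wad.mydomain.com is mapped to denyssh at any time of day, while a user in any other WAD group receives no extra group from this line.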