Since Installation (a year before) i have two posix accounts (beside roots) on my Nethserver. From time to time i used this accounts for logging in with ssh, copying per scp or sftp or login via admin-panel (old and new) Since two or for days this is not possible anymore.
Login via Console is fine, via ssh or admin-panel)s) no more. (for all posix admins)
It seems there are some changes in /etc/ssh/sshd_config compared to other nethserver installations.
is changed here something from an update - in principle?
In the last days there are some changes/events:
some changes via cockpit-admin panel, dns, reverse server entries and letsencrypt i think
uninstalling/removing an old fpbx/asterisks (testing only)
uninstalling/removing ngingx and configs (never mind on that installation)
after that the httpd wouldnt restart, so run /etc/e-smith/events/actions/system-adjust and/or restarted the server (nevermind in which sort). after that the httpd was up again.
until here, the posix ssh should work i think.
the last entry in “shell history” before the last “exit” command was “sudo yum update”.
(i know, you preferred update via admin-panel)
Normally i would something change/correct in config files but nethserver does somthing different here so it is better to ask someone for that.
If i go via the new admin-panel (System > SSH) and give SSH rights for “normal Users” the ssh for posix users (groups: wheel,administrators) runs again but this is no real solution.
thank you, for the links but this funtion is not clear for me. (btw. the „i“ overlay didtn work in safari).
what means „normal users“? directory users without admin-rights or posix users (and posix admins also)?
and what means administrators? members from directory admin-group und/or members from posix-admin group also?
it seems not possible in the „add“ section to give acces to posix-groups (because you cant select such one in the list).
to „trial and error“ with this setting is not the best idea i think. in some cases you could close out the last admin (in my case the directory admins have no rights for sudo normally). and also if this setting (preference) is changed in update process or was this an unplanned behavior?
and what is the default here after nethserver/centos installation? normally the posix admins have rights to ssh after installation without enabling something.
The default is that all users in Nethserver are account provider (LDAP/AD) users except of root and system accounts. Local user creation is not intended.
In this context normal users are account provider users without admin permission.
You change the shell of the users with this setting. You still can login with root in SSH or use the server manager to reset if something goes wrong.
Thank you, for your Explanation, but it declares not why posix admins dont have this access anymore.
Indeed i have no posix “users” but two posix-admins (administrator,wheel). The first of them was created within nethserver/centos installer, the second afterward by myself. Since this, both users has access to server-manager and over ssh - until few days.
(i havent accidentally enabled this).
The server-manger has no option to reverse this - unless ich give ssh access to all users, then the posix-admins have server-manager and ssh access and again.
Which is the suggested (nethserver-like) way to give access back to posix-admins?
Sorry, maybe I wasn’t clear enough.
The enabled shell override
adds a “stricter mode” to sshd_config.
Match Group "root,domain admins@domain.local"
ForceCommand none
AllowTCPForwarding yes
X11Forwarding yes
Match All
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no
Now your posix users can’t login anymore.
Why not? If you want the shell override you need to set the normal users to “SSH+SFTP” to be able to login again.
This just sets the sshd_config back to the settings where your posix users are allowed again but enables account provider users to login by changing their shell.
If you need the shell override, allow normal users to ssh or disable the shell override.
If you want the posix users to login but the account provider users not you need to disable the shelloverride.
If that’s not possible I recommend to change the posix users to account provider users and allow them by group in UI.
If that’s not possible we can think about a custom template…
Thank you again. I searched/expected this setting in system > ssh instead in system > settings but your screen picture was helpful.
So there are now three places for setting ssh access options.
system > settings - for enable/disable new/old ssh/sftp behavior
system > ssh - for managing ssh / sftp users/groups (and other ssh options)
system > users - for enabling/disabling ssh per user
O.k.
What was the intention to create this new option? The possibility to have separate groups for ssh/sftp enabling? Indeed, it seems to be a good idea for this…
But, In my opinion - the new option has also unlucky side effects.
Enabling ssh for (all) normal users to enabling ssh and server-manager for posix-admins (again) is - at least for me - no option. What if the account provider service is bad/offline? Root ssh login should always/better be off (normally) - in my opinion.
And - with the new option you loose also the (previous) possibility to disable ssh access for account provider admins. In my opinion, directory admins should not have (generally) have ssh access.
I assume yes and the new user settings page.
To be able to login to the server manager or the new user settings page login page, users need the shell enabled. To make this possible, you need the shell override.
The shell override enables the shell for all domain users and therefore sshd is used to set permissions by groups but posix groups are not included.
OK, in this case without root and need for system users to login you need a custom template or disable shell override completely but is it a common case? The idea is to not include rarely needed functions. @giacomo@stephdl should we include an option to allow posix groups? Or at least split up the fragments to allow a better custom template?
Edit /etc/e-smith/templates-custom/etc/ssh/sshd_config/70Restricted2Sftp and add your group(s), you have to separate by comma. I already added the posix test group to allow the posix user test.
$OUT .= qq(Match Group "$match_group_exp,test"\n);
Now your sshd_config should include group test to be allowed to SSH/SFTP even if permission for normal users is no access. There are more options like DenyUsers, AllowUsers and DenyGroups:
Thank you very much for the great description!
I am already thinking about an own custom template but your description is so muchbetter than mine.
I hope my description was not to ambiguous and in case my less language knowledge makes my postings sounds unfriendly - let me make it clear - the nethserver project is really great and all supporters and developers make a really great “job”. In deutscher Sprache würde mir das viel leichter fallen, aber der Inhalt dieses Forums soll ja verständlicherweise allen zugänglich sein.
One comment about “The idea is to not include rarely needed functions…should we include an option to allow posix groups?” (where ca i cite here?):
I dont know the current centos/nethserver installation procedere (my last installation was summer 2019) but - as i remember - last summer was the creation of a posix admins a part of the basic installation procedere - with ssh and server-manager access.
Disabling posix-admins within nethserver (in general) increased the distance between the underlying centos system and nethserver (in my opinion).
Hmm, i unterstand. Seems not so easy to unify this different approaches(?).
As i remember, the first (during install) created admin-user has access to server-manager instantly.
Later created posix users must be set to additional groups:
As i know, “wheel” users in centos has anyway the ability to sudo - and thereby the ability to become ssh access if she want - unless she have first a console login.
For reasons of security maybe not the best solution, but i am thinking an after base-installation scenario. In many cases i would work straightaway with ssh after installation. In Nethserver the root has no ability to ssh with password after installation (as i remember) and therefore he cannot prepare a ssh-key login. If wheel and posix admin also has no shh at this time, it end out of here.
In my opinion it is better giving ssh for “wheelers” than loosing the new posibillities with the new ssh scenario and his usefull functions (e.g. user access for server-manager).
I am open minded for changes it is sure but I have the feelings here you want to make NethServer workable with your way and unfortunately we need to make NethServer workable for everybody, so we have sometimes to cut the apple in two pieces, or keep the apple in the kitchen.
Please consider the Anaconda installer: it allows creating a wheel user during installation… I’d say it’s quite common in CentOS world too today!
Can we summarise the typical Nethserver ssh scenario? For what is ssh for users and admins?
In your scenario (as i unterstand this), Domains Admins have access to server-manager, ssh, sftp, ssh tunneling (again the whole maintenance stuff)
Account provider have access to special server-manager functions (new), maybe for sftp, in rare cases for ssh tunneling
In my Cases:
Posix Admins (more knowledge / more privileges): having acess to server-manager, ssh, sftp, ssh tunneling (the whole maintenance stuff)
In my Opinion:
Domain Admins should not have generally access to ssh (an also not for server-manager), because this account is required for AD joining - and ONLY for similar actions.
Account credentials with such a high access level (sudo and ssh) should better never ever leave secure systems under your own control (like your personal devices for maintenance).
But ever if you join a client-device to an AD you have to use credentials of an domain admin on a device thats not fully under your control. If the credential was “fished” at this moment (or somthing later if your cannot avoid to use), you have a big problem - the “fisher” has now full access to ANY active directory joined devices (bad enough) but also on your Nethserver.
Therefore maybe domain admin should not have ssh access generally (or maybe only per ssh-key).
But we need an alternate for that (not only but also for rescue cases)
In my (realy unusual?) usage scenario the POSIX admins are for server-manager and for ssh. So i can control that this credentials never leave my mantenace devices. It is simple not necessary to use this credentials on a “forein” device (because the are useless in most cases).
Maybe a “middle” way would be not to allow ssh for doman admins (or with ssh-key only) and instead using separate (special) user accounts with ssh access and the possibility for sudoing. So external access is possible and also sudoing for maintenance.
But have this user “full” access for server-manager if not in domain-admin group?
And (last and again) what about rescue cases when the account provider is bad?
I fully agreed but meanwhile I think it could be an inconsistency in UI and Nethserver concept because you can’t add a local user to wheel group in UI yet and local users are not mentioned in Nethserver docs.
Maybe we can add a db prop that’s set to disabled by default to allow wheel group to be compatible to CentOS and to not suddenly allow SSH for accidentally created and forgot users at install.
Yeah, anaconda is misleading (see my post) but I found no way to customize it. Maybe point it out more in the documentation.
I think with a custom template everybody could be satisfied (add wheel group, allow posix group/user, disallow domain admins).
This way we have nearly no effort and follow the Nethserver concept of forcing account provider users and provide the possibility to create a custom template for wanted “exceptions” easily.
This could be set more times and tough keeps every setting so it’s already easy to customize.
We could split /etc/e-smith/templates/etc/ssh/sshd_config/70Restricted2Sftp to make it easy to set custom Match Group directives.
It’s not possible at posix level. You only can enable users full access with domain groups by adding them to domain admins or use role delegation.
Domain infos are cached:
You could create a domain user “mysambaadmin” and add this user to administrators group with samba-tool. This way you get a samba admin for clients to join the domain but no domain admin so no login to UI possible.
