User's Remote shell (SSH) access


(Stéphane de Labrusse) #1

NethServer Version: 7.3
Module: nethserver-dc

I’m playing with the sudo delegation for users, and then I’m interested in the SSH shell access for users. I saw that you can give the Remote shell (SSH) access during the creation of the user, but NOT after it is created (grey checkbox).

Then the available solution is to remove the user and recreate it, but all data will be lost… I suppose.

Not tested yet with nethserver-directory.

@davidep is it a bug or a feature not completely developed?


(Davide Principi) #2

IIRC the problem was the underlying samba-tool: it does not provide an option to change the corresponding LDAP attribute, after user creation.

IMO that checkbox should be removed from that page, because “User U has a shell access to Machine M” depends on both U and M. As we support remote account providers we should also implement a method (GPOs?) to deploy permissions on individual machines, to enforce rules like:

  • User1 can ssh to Machine1 (file server)
  • User1 can’t ssh to Machine2 (firewall)

(Stéphane de Labrusse) #3

With the coming of nethserver-delegation, not being able to add shell access to a user without deleting it is now an issue.


(Markus Neuberger) #4

Hi, I think I managed to change the LDAP attribute, so we don’t need to delete the user and create a new one, but maybe it’s just a workaround for now because we have to allow LDAP weak auth.
Add this line to the NSDC smb.conf global section: ldap server require strong auth = no and restart samba4 in the container.
Detailed solution with templating can be found here:


Create an ldif file, like test.ldif, with the following content according to your Samba AD:

dn: cn=markus,cn=Users,dc=ad,dc=local
changetype: modify
replace: loginShell
loginShell: /bin/bash

Then use ldapmodify from NethServer et voilà!

[root@server ~]# ldapmodify -h NSDC-SERVER -D admin@ad.local -w SECRET -f test.ldif
modifying entry "cn=markus,cn=Users,dc=ad,dc=local"

You may set loginShell to /usr/libexec/openssh/sftp-server or /bin/false to deactivate shell access.
Hope this helps!


(Stéphane de Labrusse) #5

thanks :slight_smile:

ldap server require strong auth = no encrypts the ldap traffic, well, it is a pity if we deactivate it :frowning:

https://access.redhat.com/articles/2243351
https://access.redhat.com/security/cve/CVE-2016-2112

ldapmodify cannot be used with encryption ???


(Markus Neuberger) #6

We’ll find a way as there is TLS, SSL, SASL… I can even imagine poor man’s LDAPS over SSH…
EDIT: Found this one, it was the solution for FreeNAS, maybe it helps us here too: FreeNAS and TLS not enabled in samba RE-SOLVED!
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ch-ldap-tls.html

That’s the challenge.

Me too.


(Markus Neuberger) #7

Just too easy: use the “-Z” parameter and it’s done, the certs were ready all the time!
Before:

[root@server ~]# ldapmodify -h 192.168.1.12 -D admin@cmb.local -w SECRET -f test.ldif
ldap_bind: Strong(er) authentication required (8)
	additional info: BindSimple: Transport encryption required.

After:

[root@server ~]# ldapmodify -Z -h 192.168.1.12 -D admin@cmb.local -w SECRET -f test.ldif
modifying entry "cn=markus,cn=Users,dc=cmb,dc=local"


(Stéphane de Labrusse) #8

Just for the record, you can use a default administrator to script your needs.

[root@ns7dev9 ~]# account-provider-test dump
{
   "BindDN" : "NETHSERVERTEST\\NS7DEV9$",
   "LdapURI" : "ldaps://ad.nethservertest.org",
   "StartTls" : "",
   "port" : 636,
   "host" : "ad.nethservertest.org",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "dc=ad,dc=nethservertest,dc=org",
   "GroupDN" : "dc=ad,dc=nethservertest,dc=org",
   "BindPassword" : "!%@1h@Q:?eNXdz",
   "BaseDN" : "dc=ad,dc=nethservertest,dc=org",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Dnethservertest%2Cdc%3Dorg"
}

You need the

   "BindDN" : "NETHSERVERTEST\\NS7DEV9$",
   "BindPassword" : "!%@1h@Q:?eNXdz",

In short, it gives this here:

[root@ns7dev9 ~]# ldapmodify -Z -h 192.168.12.86 -D  NETHSERVERTEST\\NS7DEV9$ -w '!%@1h@Q:?eNXdz' -f spower.ldif
modifying entry "cn=stephane,cn=Users,dc=ad,dc=nethservertest,dc=org"

I did an update yesterday for nethserver-delegation-ns6, to set the shell to /bin/bash if sudo is delegated; reasonably it should be easy for ns7, once we determine which user account we use and write the relevant template.

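Putting the two pieces of this thread together (the loginShell LDIF from post #4 and the machine-account credentials from `account-provider-test dump` in post #8), here is an added example script, not NethServer's own tooling, that applies the change over an encrypted session. It assumes the OpenLDAP client tools and a python interpreter (python3 or python) are installed on the NethServer host.

```sh
#!/bin/sh
# Added example for this thread, not NethServer's own tooling: set an AD user's
# loginShell from the member server with the machine account credentials that
# `account-provider-test dump` prints, over an encrypted ldapmodify session.
# Assumed: OpenLDAP client tools and a python interpreter (python3 or python).

# Emit the four-line LDIF from the thread for one user (cn), the UserDN from
# the dump, and the target shell.
make_shell_ldif() {
    printf 'dn: cn=%s,cn=Users,%s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n' "$1" "$2" "$3"
}

# Only the shells discussed in the thread are accepted; anything else is a typo
# that must not end up as a login shell.
valid_shell() {
    case "$1" in
        /bin/bash|/usr/libexec/openssh/sftp-server|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one field of the JSON dump on stdin; json.load also unescapes the
# backslash in a BindDN such as "DOMAIN\\HOST$".
dump_field() {
    py=$(command -v python3 2>/dev/null || command -v python)
    "$py" -c 'import json,sys; print(json.load(sys.stdin)[sys.argv[1]])' "$1"
}

# Compose and run the modification. -ZZ makes StartTLS mandatory (plain -Z
# only attempts it), and -y reads the bind password from a file so it does
# not show up in the process list as it does with -w in the thread.
set_user_shell() {
    user=$1 shell=$2
    valid_shell "$shell" || { echo "refusing unknown shell: $shell" >&2; return 1; }
    dump=$(account-provider-test dump) || return 1
    host=$(printf '%s' "$dump" | dump_field host)
    binddn=$(printf '%s' "$dump" | dump_field BindDN)
    userdn=$(printf '%s' "$dump" | dump_field UserDN)
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    printf '%s' "$dump" | dump_field BindPassword | tr -d '\n' > "$pwfile"
    make_shell_ldif "$user" "$userdn" "$shell" |
        ldapmodify -ZZ -h "$host" -D "$binddn" -y "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Usage on the server (not run here):  set_user_shell markus /bin/bash
```

The DC's certificate must match the host name from the dump for -ZZ to succeed, which is why the script binds to that FQDN rather than the container IP used in the thread.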

(Stéphane de Labrusse) #9

Indeed, once you allow the shell access to a user, it is on all machines with the remote account provider. For me it is not a bad thing because it is simple.

The use of ldapmodify like @mrmarkuz found could be implemented directly in nethserver-sssd to remove the shell access


(Davide Principi) #10

I’d rather call “ldbmodify” inside nsdc, like we do with other “samba-tool” invocations. I don’t like the “Accounts operator” group membership of the machine account. It is required during upgrade/migration, but could be replaced by “ldbmodify” calls…

An upstream patch to samba-tool is welcome though…


(Héctor Pérez) #11

Hi there, I’m trying to configure SSH access for my boss at the office, you know, for several things like probing backups and mounting and unmounting drives. I got SSH access but can’t get the bash prompt [sistemas@nethserver ~]# to do the same things I have done in the SMEserver.

Thanks in advance.


(Markus Neuberger) #12

Hi Hector,

did you enable it in the Users panel?


(Héctor Pérez) #13

That was all, thanks @mrmarkuz, I was trying to do it through

-> nethserver-sssd -> user-modify -> shell: defaults to /usr/libexec/openssh/sftp-server; if set to /bin/bash the user will be able to access the server using SSH.

That was an easy solution, now it is time to set up sudo. And GUALA!!! a server is fullfitnest.


(Stéphane de Labrusse) #14

Install my module nethserver-delegation, it will ease some sudo tricks and you will be able to allow your boss in the server-manager.

One tip, do not allow him too much :smiley: