Skip to content

Latest commit

 

History

History
68 lines (55 loc) · 3.09 KB

add-user.md

File metadata and controls

68 lines (55 loc) · 3.09 KB
Raw

Granting ssh access to a server

  • Create a user locally using adduser
  • Add the ssh public key of the server onto the account
  • Set a password and store it temporarily in a text file. Make sure to chown/chmod the file so that no one else can read it.
  • Document the permission in the section below.

It's important to use ssh keys, because at some point, two-step authentication (ex: Yubikey) might be added to servers for when using a password login.

Ssh access

Who Server Since Expiration Why
Mathieu all Long time ago
Tim all Long time ago
Mikey www-prod 2018-11-22 docs upgrades/maintenance
Seamus test-xx 2018-12-01 continuous integration improvements and maintenance

How to Add a New User (LDAP)

Update: 2019-02-20 LDAP is being discontinued on new servers, because very few people need access to servers and it's not worth the overhead.

To add a new shell user with SSH or administration privileges, one must add the user to LDAP. First, connect to the LDAP administrative interface:

ssh -L 7000:localhost:7000 manage.civicrm.osuosl.org
sudo cat /root/ldap-notes.txt

The text file provides additional instructions. Once the LDAP web interface is open:

  • In the left navbar, expand "dc=civicrm,dc=org"
  • Expand "ou=people"
  • Choose "Create new entry here" under "ou=people"
  • Choose "Generic: User account"
  • Complete the form. Some notes on specific fields:
    • Common name: Should be the full name
    • GID: choose "domainuser"
    • Shell: choose /bin/bash
    • User ID and Home: Make sure these match (e.g. user ID "dave" corresponds to home directory "/home/dave")
    • Password: Leave the default "md5" in the drop down list and type the password as plain text. (It will be automatically hashed before saving.)

After creating the user in phpldapadmin, the user ID will become valid on all VMs within 10 minutes. (Each VM maintains a cached list of users and groups -- this improves performance and improves robustness against LDAP failures but delays propagation of new usernames.)

The new user does not have permission to login or administer any systems. Do one of the following (as appropriate):

  • To grant SSH+sudo access on all VMs:
    • In the left navbar, expand "dc=civicrm,dc=org"
    • Expand "ou=groups"
    • Choose "cn=domainadmin"
    • Under the memberUid, choose "modify group members"
    • Add the new user and save
  • To grant SSH+sudo access to one specific VM:
    • Login to the target VM via SSH
    • Run "sudo nss_updatedb ldap" (Note: This step is run automatically every ~10min. Manual invocation is only necessary if you're impatient.)
    • Run "sudo adduser {NEWUSER} sudo"
  • To grant SSH access (but NOT sudo access) to one specific VM:
    • Login to the target VM via SSH
    • Run "sudo nss_updatedb ldap" (Note: This step is run automatically every ~10min. Manual invocation is only necessary if you're impatient.)
    • Run "sudo adduser {NEWUSER} ssh-user"