account [2012/06/10 08:59] alex |
account [2016/10/30 09:01] (current) alex [Creating an Account] |
====== User Account Handling ====== | ====== User Account Handling ====== | ||
- | As there is more than one server that will make up the Wormnet universe, in addition to a few xDSL joined NASes and systems, we need to roll out some kind of central user management database. Naturally we opted for LDAP. | ||
- | The packages required to be installed to do this are: | + | ===== Creating an Account ===== |
- | * [[http://packages.debian.org/slapd|slapd]] | + | |
- | * [[http://packages.debian.org/nslcd|nslcd]] | + | |
- | * [[http://packages.debian.org/libnss-ldapd|libnss-ldapd]] | + | |
- | * [[http://packages.debian.org/libpam-ldapd|libpam-ldapd]] | + | |
- | * [[http://packages.debian.org/unscd|unscd]] | + | |
- | ===== User Management ===== | ||
- | ==== Modifying an Account ==== | ||
- | Adding SSH keys, etc. can be done without root access. Do:- | ||
- | |||
- | # Set $EDITOR if vi isn't your thing | ||
- | $ ldapvi --discover -D uid=${USER},ou=Users,dc=wormnet,dc=eu -h ldapi:/// uid=${USER} | ||
- | |||
- | ... and add/remove sshPublicKey lines to your heart's delight. | ||
- | |||
- | ==== Creating an Account ==== | ||
- | root@marmot:~# NEW_USER=fred | ||
- | root@marmot:~# ldapaddgroup $NEW_USER | ||
- | root@marmot:~# ldapadduser $NEW_USER $NEW_USER | ||
- | Successfully added user $NEW_USER to LDAP | ||
- | Successfully set password for user $NEW_USER | ||
- | | ||
- | root@marmot:~# # LDAP admin password for cn=Manager,dc=wormnet,dc=eu lurks in /etc/ldap.secret | ||
- | root@marmot:~# passwd $NEW_USER | ||
- | LDAP administrator password: | ||
- | New password: | ||
- | Retype new password: | ||
- | passwd: password updated successfully | ||
- | | ||
- | root@marmot:~# ldapvi --discover -D cn=Manager,dc=wormnet,dc=eu -h ldapi:/// uid=$NEW_USER | ||
- | objectClass: ldapPublicKey | ||
- | sshPublicKey: ssh-rsa AAAB3...aLOOw== wibble | ||
- | sshPublicKey: ssh-rsa AAAB3...KD0pw== fred@foobar | ||
- | | ||
root@marmot:~# lvcreate -L 256M -n home-$NEW_USER lvm-marmot | root@marmot:~# lvcreate -L 256M -n home-$NEW_USER lvm-marmot | ||
root@marmot:~# mkfs.ext4 -L home-$NEW_USER /dev/lvm-marmot/home-$NEW_USER | root@marmot:~# mkfs.ext4 -L home-$NEW_USER /dev/lvm-marmot/home-$NEW_USER | ||
- | root@marmot:~# vi /etc/fstab | ||
- | LABEL=home-fred /home/fred auto relatime,nodev,nosuid,noexec 0 2 | ||
root@marmot:~# mkdir /home/$NEW_USER | root@marmot:~# mkdir /home/$NEW_USER | ||
+ | root@marmot:~# [edit /etc/fstab to mount new user space] | ||
root@marmot:~# mount /home/$NEW_USER | root@marmot:~# mount /home/$NEW_USER | ||
- | root@marmot:~# chown $NEW_USER:$NEW_USER /home/$NEW_USER | + | root@marmot:~# useradd -G users,wormnet-shell -s /bin/bash $NEW_USER |
- | root@marmot:~# tar cC /etc/skel --owner=$NEW_USER --group=$NEW_USER . | tar xC /home/$NEW_USER | + | root@marmot:~# passwd $NEW_USER |
+ | root@marmot:~# mkdir /home/$NEW_USER/.ssh | ||
+ | root@marmot:~# echo "ssh-rsa AAAB3...KD0pw== fred@foobar" > /home/$NEW_USER/.ssh/authorized_keys | ||
+ | root@marmot:~# tar cC /etc/skel . | tar xC /home/$NEW_USER | ||
+ | root@marmot:~# chown -R $NEW_USER:$NEW_USER /home/$NEW_USER | ||
root@marmot:~# chmod -R og-r-w-x /home/$NEW_USER | root@marmot:~# chmod -R og-r-w-x /home/$NEW_USER | ||
- | | + | ==== Restricting to Just sftp/scp ==== |
- | # so the user gets sensible resource limits and other permissions, add to 'users' (and optionally additionally 'staff' and 'adm') | + | If you make the users account use the shell ''/usr/bin/rssh'' and edit ''/etc/rssh.conf'' then you can create accounts that can only upload/download files rather than have a full shell - although you will still need to add them to the 'wormnet-shell' group. |
- | root@marmot:~# usermod -G users $NEW_USER | + | |
- | + | ||
- | # to enable to user to actually SSH in and get a shell | + | |
- | root@marmot:~# ldapvi --discover -D cn=Manager,dc=wormnet,dc=eu -h ldapi:/// cn=wormnet-shell | + | |
- | memberUid: $NEW_USER | + |