As more than one server will make up the Wormnet universe, in addition to a few xDSL-connected NASes and other systems, we need some kind of central user-management database. Naturally we opted for LDAP.
The packages that need to be installed for this are:
Users can add their own SSH keys (and make similar changes to their own entry) without root access:
# Set $EDITOR if vi isn't your thing
$ ldapvi --discover -D uid=${USER},ou=Users,dc=wormnet,dc=eu -h ldapi:/// uid=${USER}
… and add/remove sshPublicKey lines to your heart's delight. This binds as your own entry (ldapvi will prompt for your LDAP password), so it only works if the slapd ACLs let a user write sshPublicKey on their own entry, and if the entry already carries the ldapPublicKey objectClass, which root adds when the account is created (see below).
root@marmot:~# NEW_USER=fred
# ldapaddgroup/ldapadduser come from the ldapscripts package; make the per-user group first
root@marmot:~# ldapaddgroup $NEW_USER
root@marmot:~# ldapadduser $NEW_USER $NEW_USER
Successfully added user $NEW_USER to LDAP
Successfully set password for user $NEW_USER
root@marmot:~# # LDAP admin password for cn=Manager,dc=wormnet,dc=eu lurks in /etc/ldap.secret
root@marmot:~# passwd $NEW_USER
LDAP administrator password:
New password:
Retype new password:
passwd: password updated successfully
# in the editor, add the objectClass and the user's key(s) to the entry:
root@marmot:~# ldapvi --discover -D cn=Manager,dc=wormnet,dc=eu -h ldapi:/// uid=$NEW_USER
objectClass: ldapPublicKey
sshPublicKey: ssh-rsa AAAB3...aLOOw== wibble
sshPublicKey: ssh-rsa AAAB3...KD0pw== fred@foobar
# a home directory on its own LV, mounted nodev,nosuid,noexec so nothing in it can be a device, setuid or executable
root@marmot:~# lvcreate -L 256M -n home-$NEW_USER lvm-marmot
root@marmot:~# mkfs.ext4 -L home-$NEW_USER /dev/lvm-marmot/home-$NEW_USER
root@marmot:~# vi /etc/fstab
LABEL=home-fred /home/fred auto relatime,nodev,nosuid,noexec 0 2
root@marmot:~# mkdir /home/$NEW_USER
root@marmot:~# mount /home/$NEW_USER
root@marmot:~# chown $NEW_USER:$NEW_USER /home/$NEW_USER
root@marmot:~# tar cC /etc/skel --owner=$NEW_USER --group=$NEW_USER . | tar xC /home/$NEW_USER
root@marmot:~# chmod -R og-r-w-x /home/$NEW_USER
# so the user gets sensible resource limits and other permissions, add to 'users' (and optionally also 'staff' and 'adm').
# usermod -G without -a replaces the whole supplementary group list, so use -aG on an account that already has groups;
# if usermod refuses because the user is not in /etc/passwd, add the name to the group's line with vigr instead
root@marmot:~# usermod -G users $NEW_USER
# to enable the user to actually SSH in and get a shell, add them to the wormnet-shell group:
root@marmot:~# ldapvi --discover -D cn=Manager,dc=wormnet,dc=eu -h ldapi:/// cn=wormnet-shell
memberUid: $NEW_USER
If you set the account's loginShell to /usr/bin/rssh and edit /etc/rssh.conf to allow only what you want (for example uncomment allowscp and/or allowsftp), you get accounts that can only upload/download files rather than get a full shell. They still need adding to the 'wormnet-shell' group, since that is what lets them through SSH in the first place.
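The ldapvi sessions above are interactive. The script below is an added example, not part of the original page or the Wormnet setup: it generates the equivalent LDIF for ldapmodify so the key, group and shell changes can be scripted, and it refuses malformed key lines before they reach the directory. It assumes the ou=Users,dc=wormnet,dc=eu layout shown above; the group DN cn=wormnet-shell,ou=Groups,dc=wormnet,dc=eu is an assumption (the page only shows the cn), and the key file in the demo is constructed with a made-up key blob.

```shell
#!/bin/sh
# Added example (not from the original page): build the LDIF that ldapmodify
# needs to do what the ldapvi edits above do by hand.
# Assumptions: users live under ou=Users,dc=wormnet,dc=eu (as on this page);
# the wormnet-shell group DN below is a guess, the page only shows its cn.

BASE_DN="dc=wormnet,dc=eu"
USERS_OU="ou=Users,$BASE_DN"
SHELL_GROUP_DN="cn=wormnet-shell,ou=Groups,$BASE_DN"   # assumed location
NL="
"

# validate_pubkey LINE: succeed only if LINE looks like an OpenSSH public key
# ("<type> <base64 blob> [comment]") with a key type we expect. Anything else
# is rejected so a pasted fragment or a typo never lands in sshPublicKey.
# Parameter expansion is used instead of "set --" so no globbing happens.
validate_pubkey() {
    keytype=${1%% *}
    rest=${1#* }
    [ "$rest" != "$1" ] || return 1            # fewer than two fields
    blob=${rest%% *}
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# user_sshkey_ldif USER KEYFILE: LDIF adding the ldapPublicKey objectClass and
# one sshPublicKey per key line in KEYFILE (blank lines and # comments are
# skipped). All lines are validated before anything is printed, so a bad key
# file yields no partial LDIF. Note: "add: objectClass" fails with
# "Type or value exists" if the entry already has ldapPublicKey; drop that
# change (or switch to "replace: sshPublicKey") when re-running for a user.
user_sshkey_ldif() {
    user=$1
    keyfile=$2
    keys=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! validate_pubkey "$line"; then
            printf 'user_sshkey_ldif: rejecting key line: %s\n' "$line" >&2
            return 1
        fi
        keys="${keys}sshPublicKey: ${line}${NL}"
    done < "$keyfile"
    [ -n "$keys" ] || return 1                 # the server would reject an empty add anyway
    printf 'dn: uid=%s,%s\nchangetype: modify\n' "$user" "$USERS_OU"
    printf 'add: objectClass\nobjectClass: ldapPublicKey\n-\nadd: sshPublicKey\n'
    printf '%s' "$keys"
    printf -- '-\n'
}

# shell_group_ldif USER: add USER to the group that gates SSH logins.
shell_group_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: memberUid\nmemberUid: %s\n-\n' \
        "$SHELL_GROUP_DN" "$1"
}

# login_shell_ldif USER SHELL: set loginShell, e.g. /usr/bin/rssh for an
# upload/download-only account.
login_shell_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n-\n' \
        "$1" "$USERS_OU" "$2"
}

# Stand-alone demo on a constructed key file (the key blob is made up).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# fred's laptop (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx fred@foobar
EOF
    user_sshkey_ldif fred "$tmp"
    shell_group_ldif fred
    login_shell_ldif fred /usr/bin/rssh
    rm -f "$tmp"
}
demo
```

On a real box the output is piped into `ldapmodify -H ldapi:/// -D cn=Manager,dc=wormnet,dc=eu -W` (or, for a user's own keys, `-D uid=$USER,ou=Users,dc=wormnet,dc=eu`). Be careful with `-y /etc/ldap.secret`: ldapmodify uses the file's complete contents as the password, trailing newline included, so the bind fails if the file ends in one; `-W` sidesteps that.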