f125a8b892
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
124 lines
4.8 KiB
ReStructuredText
124 lines
4.8 KiB
ReStructuredText
|
|
.. eof1552681926485
|
|
.. _local-ldap-linux-user-accounts:
|
|
|
|
==============================
|
|
Local LDAP Linux User Accounts
|
|
==============================
|
|
|
|
You can create regular Linux user accounts using the |prod| |LDAP| service.
|
|
|
|
Local |LDAP| accounts are centrally managed on the active controller; all
|
|
hosts in the cloud/cluster use the Local |LDAP| server on the active controller
|
|
for |SSH| and Console authentication.
|
|
|
|
The intended use of these accounts is to provide additional admin level user
|
|
accounts (in addition to sysadmin) that can |SSH| to the nodes of the |prod|.
|
|
|
|
.. note::
|
|
For security reasons, it is recommended that ONLY admin level users be
|
|
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
|
|
strictly use remote |CLIs| or remote web GUIs.
|
|
|
|
Apart from being centrally managed, Local |LDAP| user accounts behave as any
|
|
local user account. They can be added to the sudoers list, and can acquire
|
|
Keystone administration credentials, Kubernetes kubectl, and helm
|
|
administrative commands as the Kubernetes admin user, when executing on the
|
|
active controller.
|
|
|
|
Local |LDAP| user accounts share the following set of attributes:
|
|
|
|
|
|
.. _local-ldap-linux-user-accounts-ul-d4q-g5c-5p:
|
|
|
|
- The initial password is the name of the account.
|
|
|
|
- The initial password must be changed immediately upon first login.
|
|
|
|
- For complete details on password rules, see :ref:`System Account
|
|
Password Rules <starlingx-system-accounts-system-account-password-rules>`.
|
|
|
|
- Login sessions are logged out automatically after about 15 minutes of
|
|
inactivity.
|
|
|
|
- After each unsuccessful login attempt, a 3 second delay is imposed before
|
|
making another attempt. After five consecutive unsuccessful login attempts,
|
|
further attempts are blocked for about five minutes. On further attempts
|
|
within 5 minutes, the system will display a message such as:
|
|
|
|
``Account locked due to 6 failed logins``
|
|
|
|
.. note::
|
|
|
|
This delay is 3 seconds.
|
|
|
|
You are alerted on the 6th and subsequent attempts:
|
|
|
|
``Account locked due to 6 failed logins``
|
|
|
|
and an error message is displayed on subsequent attempts.
|
|
|
|
When you login to the console you are alerted on the 6th, and subsequent
|
|
attempts:
|
|
|
|
``The account is locked due to 5 failed logins (2 minutes left to unlock)``
|
|
|
|
When you login remotely using SSH, you have 3 attempts to try and login
|
|
before an error ``Permission denied (publickey,password)`` is displayed,
|
|
during an SSH login session. You can continue to login by starting a new
|
|
login session, until the user is locked out after 5 consecutive failed
|
|
attempts. For security reasons, there is no reason or error displayed to
|
|
the user.
|
|
|
|
5 mins after the account is locked, the failed attempts will be reset
|
|
and failed attempts re-counted.
|
|
|
|
- All authentication attempts are recorded on the file /var/log/auth.log
|
|
of the target host.
|
|
|
|
- Home directories and passwords are backed up and restored by the system
|
|
backup utilities. Note that only passwords are synced across hosts (both
|
|
|LDAP| users and **sysadmin**). Home directories are not automatically
|
|
synced and are local to that host.
|
|
|
|
|
|
.. _local-ldap-linux-user-accounts-section-kts-bvh-ynb:
|
|
|
|
--------------------------
|
|
Default LDAP User Accounts
|
|
--------------------------
|
|
|
|
The following Local |LDAP| user accounts are available by default on newly
|
|
deployed hosts, regardless of their personality:
|
|
|
|
**operator**
|
|
A cloud administrative account, comparable to the default **admin**
|
|
account used in the web management interface.
|
|
|
|
This user account has access to all native Linux commands not requiring
|
|
root or sudo privileges, and it's shell is preconfigured to have
|
|
administrative access to StarlingX commands.
|
|
|
|
**admin**
|
|
A host administrative account. It has access to all native Linux
|
|
commands and is included in the sudoers list.
|
|
|
|
For increased security, the **admin** and **operator** accounts must be used
|
|
from the console ports of the hosts; no |SSH| access is allowed.
|
|
|
|
|
|
.. _local-ldap-linux-user-accounts-ul-h22-ql4-tz:
|
|
|
|
- These accounts serve as system access redundancies in the event that |SSH|
|
|
access is unavailable. In the event of any issues with connectivity, user
|
|
lockout, or **sysadmin** passwords being forgotten or not getting propagated
|
|
properly, the presence of these accounts can be essential in gaining access
|
|
to the deployment and rectifying things. This is why these accounts are
|
|
restricted to the console port only, as a form of “manual over-ride.” The
|
|
**operator** account enables access to the cloud deployment only, without
|
|
giving unabated sudo access to the entire system.
|
|
|
|
.. seealso::
|
|
|
|
:ref:`Create LDAP Linux Accounts <create-ldap-linux-accounts>`
|