Configuring Multiple Linux Shell Users

In addition to the built-in root user and default support user accounts, you can create extra sysadmins, who have root user like privileges, and extra support accounts. These additional accounts introduce more flexibility into appliance operations, and allow for the implementation of operational protocols similar to these:

Emergency sysadmin accounts and passwords can be kept in a secure location in case the operational root password is ever lost. For example, this allows for recovery if a trusted employee leaves your organization, or if a password management system breaks or fails and leaves accounts inaccessible.
Corporate security policies can be implemented that forbid shared usernames and require each sysadmin to have a unique username.
Certain users can be provided access to a subset of Linux tools so they can examine appliance log files, but not be able to delete or modify files they are not supposed to.

Linux shell user accounts fall into three groups (in addition to the standard root and default support user) that you can create and configure:

Sysadmin: These are root-like users who can run all commands in the appliance’s shell with root privileges without entering the root password by using sudo. In other words, any appliance configuration procedure in these documents that notes you need root access, or be the root user, to perform can also be performed by a Sysadmin user.
Support: These creatable support users have the same privileges as the default support user. They are allowed to execute a limited set of appliance shell commands and scripts.
Restricted: These users have read access to appliance logs, read/write access to files in their own home directory, and read access to files owned by other users as long as the files’ owners allow it. They can execute shell commands that don’t need root access.

The following table lists the characteristics of each of the three shell user groups. It presents the permissions, limits on associated home directory quota, and allowable shell commands.

Linux Shell User Group Properties

Shell User Group Permissions Home Directory Size Quota Allowable Shell Commands

Sysadmin Same permissions as the root user. Limited by disk size All commands can be sudo without entering the root password

Support

Shell User Group	Permissions	Home Directory Size Quota	Allowable Shell Commands
Sysadmin	Same permissions as the root user.	Limited by disk size	All commands can be `sudo` without entering the root password
Support	Same permissions as the default support user. Allowed to execute all the host commands shown in the `Allowable Shell Commands` column and scripts in `/usr/sw/loads/currentload/supported` directory.	Recommended: 100 MB per support user	> fdisk > fsck > gather-diagnostics > hwclock > ipmitool > mdadm > mkfs > provision-lun-for-ad > reboot > rpm-install > run-adb-post > run-hba-post > run-nab-post > run-platform-post > run-trb-post > show-adb-cap-status > show-hardware > show-hardware-detail > show-hardware-post > show-power-supply-status > show-respawn-history > smartctl > soldebug > soldisktest > vmstat
Restricted	Read access to Solace logs. Read and write access to their home directory. Read access to files owned by other users if allowed by the files' owners. Allowed to execute some standard Linux commands that don't need root access.	Recommended: 100 MB per restricted user	None

Same permissions as the default support user.

Allowed to execute all the host commands shown in the Allowable Shell Commands column and scripts in /usr/sw/loads/currentload/supported directory.

Recommended: 100 MB per support user

> fdisk

> fsck

> gather-diagnostics

> hwclock

> ipmitool

> mdadm

> mkfs

> provision-lun-for-ad

> reboot

> rpm-install

> run-adb-post

> run-hba-post

> run-nab-post

> run-platform-post

> run-trb-post

> show-adb-cap-status

> show-hardware

> show-hardware-detail

> show-hardware-post

> show-power-supply-status

> show-respawn-history

> smartctl

> soldebug

> soldisktest

> vmstat

Restricted

Read access to Solace logs.

Read and write access to their home directory.

Read access to files owned by other users if allowed by the files' owners.

Allowed to execute some standard Linux commands that don't need root access.

Recommended: 100 MB per restricted user

None

There are also some general characteristics that apply to all shell users:

All shell users can change their own passwords.
All shell users survive system upgrades.
All shell users are included in database backups and restores; however, their associated home directories are not backed up or restored,
All shell users and their associated home directories are removed when the reload default-config command is run (note that the built-in root and default support user accounts are unaffected).
All shell users can be individually assigned disk quota.

Creating Linux Shell Users

In this section we'll show you how to create Sysadmin, Support and Restricted user accounts.

As a root or sysadmin user, perform the following steps in the appliance's Linux shell, to create and configure a new shell user:

Create a new user by executing the luseradd command with USER_TYPE set to either sysadmin, support or restricted, depending on the group member you're creating.

$ sudo luseradd -g <USER_TYPE> <username>

Configure an initial password with the passwd command. You'll be prompted to enter a password for <username>.

$ sudo passwd <username>

A recommended security practice is to force the user to change their password upon first login by setting their password expiry information to immediate. This is done with the chage -d 0 command.

$ sudo chage -d 0 <username>

Set the user's disk quota if you're configuring either a support or restricted shell user. In this example, the recommended 100 MB has been set. You don't need to set a quota for a sysadmin user because their quota is limited only by the system's disk size.

$ sudo setquota -u <username> 100000 100000 50000 50000 /usr/sw

Adding SSH Keys to User Accounts

You can provide an additional layer of security by installing an ssh key on the user's account. These steps show you how to do that.

Create a public/private key pair on the client machine that will be used to connect to the appliance. A passphrase can be used, but note that the passphrase must be entered every time the key is used.

$ ssh-keygen -t rsa

Log into the appliance and create a hidden ssh directory in the new user's home directory.

$ mkdir /usr/sw/home/<username>/.ssh

Send the file id_rsa.pub to the appliance. As an example, scp will be used.

$ scp id_rsa.pub <destination>

Install the public key in the authorized_keys list.

$ cat id_rsa.pub >> /usr/sw/home/<username>/.ssh/authorized_keys

For further security, disable password authentication for the new user account once ssh key login has been configured.

Once password authentication is disabled, the only way to login is with ssh keys, and it won't be possible to log in to this user account from the Solace CLI to the Linux shell with the CLI command shell. Therefore, ensure there is at least one sysadmin user that can be logged in directly without an ssh key in case of Solace PubSub+ failure.

Execute the following command to disable password authentication:

$ sudo passwd -l <username>

Creating Enhanced Security Sysadmin Users

For enhanced security, sysadmin users can be configured so that they must use a 2-step login process:

first, they log in as a support user, and
then they can log in to their sysadmin account.

To configure a new sysadmin user that requires this 2-step login process, do the following steps in the appliance's Linux shell as root or a sysadmin user.

Create a new sysadmin user by executing the luseradd command.

$ sudo luseradd -g sysadmin <username>

Create a new support user by executing the luseradd command with the support parameter.

$ sudo luseradd -g support <username>_support

Configure initial passwords for both the sysadmin and support accounts. You'll be prompted to enter passwords for <username> and <username>_support.

$ sudo passwd <username>

$ sudo passwd <username>_support

Force the user to change the passwords upon first login by setting the password expiry information to immediate.

$ sudo chage -d 0 <username>

$ sudo chage -d 0 <username>_support

Allocate a disk quota for the support user. In this example, 100 MB is the desired value.

$ sudo setquota -u <username>_support 100000 100000 50000 50000 /usr/sw

Disable direct shell login for the sysadmin account.

$ sudo chsh -s /sbin/solace-nologin <username>

To login to the newly created sysadmin account, first login as to the associated support user account you just created and then run the following command:

$ su -s /bin/bash <username>

Adding SSH Keys to Support Users' Accounts

Execute the following steps to provide an additional level of security by installing an ssh key on the support account.

Create a public/private key pair on the client machine that will be used to connect to the appliance. A passphrase can be used, but note that the passphrase must be entered every time the key is used.

$ ssh-keygen -t rsa

Log into the appliance and create a hidden ssh directory in the new support user's home directory.

$ mkdir /usr/sw/home/<username>_support/.ssh

Send the file id_rsa.pub to the appliance.
In this example, we'll use scp.
$ scp id_rsa.pub <destination>
Install the public key in the support user's authorized_keys list.

$ cat id_rsa.pub >> /usr/sw/home/<username>_support/.ssh/authorized_keys

Once ssh key login has been setup, you can choose to disable password authentication for the new support user account if additional security is required.

Once password authentication is disabled, the only way to login is with ssh keys, and it won't be possible to log in to this user account from the Solace CLI to the Linux shell with the CLI command shell. Therefore, you should ensure there is at least one sysadmin user that can be logged in directly without an ssh key in case of Solace PubSub+ failure.

Execute the following command to disable password authentication:

$ sudo passwd -l <username>_support

Managing Linux Shell User Accounts

As either root or a sysadmin user, you can change a user's password, delete a user, and change their disk space quotas.

Changing User Passwords

To change a user's password, use the passwd command:

$ sudo passwd <username>

Changing User Disk Space Quotas

To change a user's allocated disk quota, use the setquota command:

$ sudo setquota -u <username> <soft limit in KB> <hard limit in KB> 50000 50000 /usr/sw

Deleting Users

To delete a user and its associated home directory, use the luserdel command:

$ sudo luserdel -rG <username>

Note: The Solace CLI command reload default-config will delete all the shell users you've created (except for the built-in root and support user), and it will also revert everything else to the appliance's default configuration.

Accessing the Linux Shell Through Solace CLI

Shell users can access an appliance's Linux shell through the Solace CLI, as long as password authentication has not been disabled for them.

To access the Linux shell through the Solace CLI, perform the following steps:

In the Solace CLI, enter the following command:

solace# shell <reason>

Where:

reason is a short phrase explaining why you're accessing your Solace PubSub+ shell account. For example:

solace# shell Troubleshooting_in_Linux_shell

When prompted, enter your Linux shell username.

When prompted, enter your password.
Example:
Password: myPWD
Once you're connected, you'll see a prompt similar to the following:
[username@solace24]$

Provide feedback