Configuring Multiple Linux Shell Users

Prior to version 8.2.0, the Solace PubSub+ appliance only supported a single root user and single default support user. Both were built-in, but additional accounts couldn’t be added. This imposed limitations on some operational management and maintenance tasks.

Starting with Solace PubSub+ appliance version 8.2.0, you can create and configure additional administrative and support shell users. The built-in root and default support users are still there, but in addition to those accounts you can create extra sysadmins, who have root-like privileges, and support accounts. These additional accounts introduce more flexibility into appliance operations and allow you to implement operational protocols such as the following:

  • Emergency sysadmin accounts and passwords can be kept in a secure location in case the operational root password is ever lost. For example, this allows for recovery if a trusted employee leaves your organization, or if a password management system breaks or fails and leaves accounts inaccessible.
  • Corporate security policies can be implemented that forbid shared usernames and require each sysadmin to have a unique username.
  • Certain users can be given access to a subset of Linux tools so they can examine appliance log files but cannot delete or modify files they are not supposed to.

Linux shell user accounts fall into three groups (in addition to the standard root and default support user) that you can create and configure:

  • Sysadmin: These are root-like users who can run all commands in the appliance’s shell with root privileges, using sudo, without entering the root password. In other words, any appliance configuration procedure in these documents that notes you need root access, or need to be the root user, can also be performed by a Sysadmin user.
  • Support: These additional support users have the same privileges as the default support user. They are allowed to execute a limited set of appliance shell commands and scripts.
  • Restricted: These users have read access to appliance logs, read/write access to files in their own home directory, and read access to files owned by other users as long as the files’ owners allow it. They can execute shell commands that don’t need root access.

The following table lists the characteristics of each of the three shell user groups. It presents the permissions, limits on associated home directory quota, and allowable shell commands.

Linux Shell User Group Properties

Shell User Group: Sysadmin
  Permissions: Same permissions as the root user.
  Home Directory Size Quota: Limited by disk size.
  Allowable Shell Commands: All commands can be run with sudo without entering the root password.

Shell User Group: Support
  Permissions: Same permissions as the default support user. Allowed to execute all the host commands listed under Allowable Shell Commands, and the scripts in the /usr/sw/loads/currentload/supported directory.
  Home Directory Size Quota: Recommended: 100 MB per support user.
  Allowable Shell Commands:
    • fdisk
    • fsck
    • gather-diagnostics
    • hwclock
    • ipmitool
    • mdadm
    • mkfs
    • provision-lun-for-ad
    • reboot
    • rpm-install
    • run-adb-post
    • run-hba-post
    • run-nab-post
    • run-platform-post
    • run-trb-post
    • show-adb-cap-status
    • show-hardware
    • show-hardware-detail
    • show-hardware-post
    • show-power-supply-status
    • show-respawn-history
    • smartctl
    • soldebug
    • soldisktest
    • vmstat

Shell User Group: Restricted
  Permissions: Read access to Solace logs. Read and write access to their home directory. Read access to files owned by other users if allowed by the files' owners. Allowed to execute some standard Linux commands that don't need root access.
  Home Directory Size Quota: Recommended: 100 MB per restricted user.
  Allowable Shell Commands: None of the appliance host commands listed for Support.

There are also some general characteristics that apply to all shell users:

  • All shell users can change their own passwords.
  • All shell users survive system upgrades.
  • All shell users are included in database backups and restores; however, their associated home directories are not backed up or restored.
  • All shell users and their associated home directories are removed when the reload default config command is run (note that the built-in root and default support user accounts are unaffected).
  • All shell users can be individually assigned disk quota.

Creating Linux Shell Users

In this section we'll show you how to create Sysadmin, Support and Restricted user accounts.

As a root or sysadmin user, perform the following steps in the appliance's Linux shell to create and configure a new shell user:

  1. Create a new user by executing the luseradd command with USER_TYPE set to either sysadmin, support or restricted, depending on the group member you're creating.

    $ sudo luseradd -g <USER_TYPE> <username>

  2. Configure an initial password with the passwd command. You'll be prompted to enter a password for <username>.

    $ sudo passwd <username>

  3. A recommended security practice is to force the user to change their password upon first login by setting their password expiry information to immediate. This is done with the chage -d 0 command.

    $ sudo chage -d 0 <username>

  4. Set the user's disk quota if you're configuring either a support or restricted shell user. In this example, the recommended 100 MB has been set. You don't need to set a quota for a sysadmin user because their quota is limited only by the system's disk size.

    $ sudo setquota -u <username> 100000 100000 50000 50000 /usr/sw

Adding SSH Keys to User Accounts

You can provide an additional layer of security by installing an ssh key on the user's account. These steps show you how to do that.

  1. Create a public/private key pair on the client machine that will be used to connect to the appliance. A passphrase can be used, but note that the passphrase must be entered every time the key is used.

    $ ssh-keygen -t rsa

  2. Log into the appliance and create a hidden ssh directory in the new user's home directory.

    $ mkdir /usr/sw/home/<username>/.ssh

  3. Send the file id_rsa.pub to the appliance. As an example, scp will be used.

    $ scp id_rsa.pub <destination>

  4. Install the public key in the authorized_keys list.

    $ cat id_rsa.pub >> /usr/sw/home/<username>/.ssh/authorized_keys

  5. For further security, disable password authentication for the new user account once ssh key login has been configured.

    Once password authentication is disabled, the only way to log in is with ssh keys, and it won't be possible to log into this user account from the Solace CLI to the Linux shell with the CLI command shell. Therefore, ensure there is at least one sysadmin user that can be logged in directly without an ssh key in case of Solace PubSub+ failure.

    Execute the following command to disable password authentication:

    $ sudo passwd -l <username>

Creating Enhanced Security Sysadmin Users

For enhanced security, sysadmin users can be configured so that they must use a 2-step login process:

  • first, they log in as a support user, and
  • then they can log into their sysadmin account.

To configure a new sysadmin user that requires this 2-step login process, do the following steps in the appliance's Linux shell as root or a sysadmin user.

  1. Create a new sysadmin user by executing the luseradd command.

    $ sudo luseradd -g sysadmin <username>

  2. Create a new support user by executing the luseradd command with the support parameter.

    $ sudo luseradd -g support <username>_support

  3. Configure initial passwords for both the sysadmin and support accounts. You'll be prompted to enter passwords for <username> and <username>_support.

    $ sudo passwd <username>

    $ sudo passwd <username>_support

  4. Force the user to change the passwords upon first login by setting the password expiry information to immediate.

    $ sudo chage -d 0 <username>

    $ sudo chage -d 0 <username>_support

  5. Allocate a disk quota for the support user. In this example, 100 MB is the desired value.

    $ sudo setquota -u <username>_support 100000 100000 50000 50000 /usr/sw

  6. Disable direct shell login for the sysadmin account.

    $ sudo chsh -s /sbin/nologin <username>

  7. To log in to the newly created sysadmin account, first log in to the associated support user account you just created and then run the following command:

    $ su -s /bin/bash <username>
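The ssh-key procedure above warns that at least one sysadmin must keep a password login in case of appliance failure, and the procedure just shown deliberately gives a sysadmin /sbin/nologin, which takes that account out of the pool too. The following POSIX shell script is an added example, not part of Solace's documentation: it counts the sysadmin group members who still have both a login shell and an unlocked shadow hash, and refuses a "passwd -l" when the account being locked would be the last one. It reads passwd, group and shadow format files passed as arguments (on an appliance you would point it at the real /etc files as root); the accounts in the built-in sample data are constructed and the hashes are placeholders.

```shell
#!/bin/sh
# Added example, not part of Solace's documentation. Before locking a password
# with "passwd -l" (or giving a sysadmin /sbin/nologin), confirm that at least
# one other member of the sysadmin group can still log in with a password:
# its shell is a real shell and its shadow hash is not locked. The script reads
# passwd, group and shadow format files passed as arguments, so it runs offline
# against the constructed sample accounts below (hashes are placeholders).

# count_password_sysadmins PASSWD GROUP SHADOW [EXCLUDE]
# Prints how many sysadmin group members other than EXCLUDE can still
# authenticate with a password.
count_password_sysadmins() {
    pwf=$1; grf=$2; shf=$3; skip=${4:-}
    gid=$(awk -F: '$1 == "sysadmin" { print $3 }' "$grf")
    # supplementary members listed in the group file ...
    members=$(awk -F: '$1 == "sysadmin" { gsub(",", "\n", $4); print $4 }' "$grf")
    # ... plus users whose primary group is sysadmin
    primary=$(awk -F: -v g="$gid" 'g != "" && $4 == g { print $1 }' "$pwf")
    n=0
    for u in $(printf '%s\n%s\n' "$members" "$primary" | sort -u); do
        if [ "$u" = "$skip" ]; then continue; fi
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$pwf")
        pwhash=$(awk -F: -v u="$u" '$1 == u { print $2 }' "$shf")
        case "$shell" in
            ""|*/nologin|*/false) continue ;;   # no direct shell login (chsh -s /sbin/nologin)
        esac
        case "$pwhash" in
            ""|'!'*|'*'*) continue ;;           # locked by "passwd -l", or no password set
        esac
        n=$((n + 1))
    done
    echo "$n"
}

# safe_to_lock USER PASSWD GROUP SHADOW
# Exit status 0 only if locking USER still leaves a sysadmin with password login.
safe_to_lock() {
    [ "$(count_password_sysadmins "$2" "$3" "$4" "$1")" -ge 1 ]
}

# Constructed sample data in passwd/group/shadow format: alice and bob are
# sysadmins, bob is a 2-step-login sysadmin with /sbin/nologin, and
# bob_support already has a locked password.
make_sample_data() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100::/usr/sw/home/alice:/bin/bash
bob:x:1002:100::/usr/sw/home/bob:/sbin/nologin
bob_support:x:1003:101::/usr/sw/home/bob_support:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
sysadmin:x:100:alice,bob
support:x:101:bob_support
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$placeholder$NOTAREALHASH:18000:0:99999:7:::
alice:$6$placeholder$NOTAREALHASH:18000:0:99999:7:::
bob:$6$placeholder$NOTAREALHASH:18000:0:99999:7:::
bob_support:!$6$placeholder$NOTAREALHASH:18000:0:99999:7:::
EOF
    echo "$d"
}

sample=$(make_sample_data)
echo "sysadmins with password login: $(count_password_sysadmins "$sample/passwd" "$sample/group" "$sample/shadow")"
for user in alice bob; do
    if safe_to_lock "$user" "$sample/passwd" "$sample/group" "$sample/shadow"; then
        echo "$user: safe to lock"
    else
        echo "$user: refusing to lock, no other sysadmin would keep password login"
    fi
done
rm -rf "$sample"
```

With the sample data only alice counts: bob is excluded by his nologin shell even though his password is not locked, so locking alice is refused while locking bob is allowed. A shell set to /sbin/nologin is treated the same as a locked password because either one defeats the CLI shell command's password login.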

Adding SSH Keys to Support Users' Accounts

Execute the following steps to provide an additional level of security by installing an ssh key on the support account.

  1. Create a public/private key pair on the client machine that will be used to connect to the appliance. A passphrase can be used, but note that the passphrase must be entered every time the key is used.

    $ ssh-keygen -t rsa

  2. Log into the appliance and create a hidden ssh directory in the new support user's home directory.

    $ mkdir /usr/sw/home/<username>_support/.ssh

  3. Send the file id_rsa.pub to the appliance.

    In this example, we'll use scp.

    $ scp id_rsa.pub <destination>

  4. Install the public key in the support user's authorized_keys list.

    $ cat id_rsa.pub >> /usr/sw/home/<username>_support/.ssh/authorized_keys

  5. Once ssh key login has been set up, you can choose to disable password authentication for the new support user account if additional security is required.

    Once password authentication is disabled, the only way to log in is with ssh keys, and it won't be possible to log into this user account from the Solace CLI to the Linux shell with the CLI command shell. Therefore, you should ensure there is at least one sysadmin user that can be logged in directly without an ssh key in case of Solace PubSub+ failure.

    Execute the following command to disable password authentication:

    $ sudo passwd -l <username>_support
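The mkdir and cat steps in both ssh-key procedures above create the .ssh directory and append the key as-is. The following POSIX shell function is an added example, not a Solace script, that does the same while also checking that the input looks like an OpenSSH public key, setting the restrictive modes sshd's StrictModes check accepts (700 on .ssh, 600 on authorized_keys), and appending only keys that are not already present, so running it twice never duplicates lines. The home directory and key file are parameters; the key in the sample is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not a Solace script. Does what the mkdir and cat steps do,
# plus: validates the key line, sets the modes sshd's StrictModes accepts, and
# skips keys already present. HOMEDIR and PUBKEYFILE are parameters; the
# sample key below is a placeholder, not usable key material.

# install_authorized_key HOMEDIR PUBKEYFILE
# Prints the number of key lines added; returns 1 if the file is not a public key.
install_authorized_key() {
    homedir=$1
    keyfile=$2
    authkeys="$homedir/.ssh/authorized_keys"
    # A public key line is "<type> <base64 blob> [comment]"
    if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$keyfile"; then
        echo "refusing: $keyfile does not look like an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$homedir/.ssh"
    chmod 700 "$homedir/.ssh"
    touch "$authkeys"
    chmod 600 "$authkeys"
    # When run as root for another user, also chown these to that user; omitted
    # here because the example runs unprivileged against a temporary directory.
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then continue; fi
        # whole-line fixed-string match: a plain "cat >>" would duplicate on re-runs
        if ! grep -Fqx -e "$line" "$authkeys"; then
            printf '%s\n' "$line" >> "$authkeys"
            added=$((added + 1))
        fi
    done < "$keyfile"
    echo "$added"
}

# key_count AUTHKEYS: number of key lines currently installed
key_count() {
    grep -Ec '^(ssh-|ecdsa-)' "$1" || true
}

# perm_string PATH: the mode column from ls, e.g. drwx------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample key file: the blob is a placeholder, not a real key.
make_sample_key() {
    f=$(mktemp)
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER0000 alice@workstation" > "$f"
    echo "$f"
}

demo_home=$(mktemp -d)
demo_key=$(make_sample_key)
echo "first run added:  $(install_authorized_key "$demo_home" "$demo_key")"   # 1
echo "second run added: $(install_authorized_key "$demo_home" "$demo_key")"   # 0, already present
echo "modes: $(perm_string "$demo_home/.ssh") $(perm_string "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home" "$demo_key"
```

On the appliance you would call it as root with the user's home directory, for example install_authorized_key /usr/sw/home/<username>_support id_rsa.pub, and then chown the .ssh directory and file to that user.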

Managing Linux Shell User Accounts

As either root or a sysadmin user, you can change users' passwords, delete them, and change their disk space quotas.

Changing User Passwords

To change a user's password, use the passwd command:

$ sudo passwd <username>

Changing Users' Disk Space Quota

To change a user's allocated disk quota, use the setquota command:

$ sudo setquota -u <username> <soft limit in KB> <hard limit in KB> 50000 50000 /usr/sw

Deleting Users

To delete a user and its associated home directory, use the luserdel command:

$ sudo luserdel -rG <username>

Note: The Solace CLI command reload default-config will delete all the shell users you've created (except for the built-in root and support user), and it will also revert everything else to the appliance's default configuration.

Accessing the Linux Shell Through Solace CLI

Shell users can access an appliance's Linux shell through the Solace CLI, as long as password authentication has not been disabled for them.

To access the Linux shell through the Solace CLI, perform the following steps:

  1. In the Solace CLI, enter the following command:

    solace# shell <reason>

    Where:

    reason is a short phrase explaining why you're accessing your Solace PubSub+ shell account. For example:

    solace# shell Troubleshooting_in_Linux_shell

  2. When prompted, enter your Linux shell username.

    login as: <username>

  3. When prompted, enter your password.

    For example:

    Password: myPWD

    Once you're connected, you'll see a prompt similar to the following:

    [username@solace24]$