7.2. Administrative access and authentication

This page describes how administrators access a Nubus for UCS system. It also describes how to control authentication for selected services. It covers the local root account, SSH access, and PAM authentication restrictions.

7.2.1. Administrative access with the root account

Every Nubus for UCS system has a root account for complete administrative access. The installer sets the password during installation. Nubus for UCS doesn’t store the root user in the LDAP directory, but in the local account database.

To change the password for the root user, run the passwd command. The command doesn’t check the password length or compare the new password with previously set passwords.

See also: Define the root password, for information about setting the root password during installation.

7.2.2. SSH sign-in to systems

Nubus for UCS installs an SSH server by default. SSH provides encrypted connections to remote hosts. It verifies host identities with cryptographic host keys. You can configure SSH root sign-in, X11 forwarding, and the SSH port in the Univention Configuration Registry.

By default, SSH permits the privileged root user to sign in. This lets you, for example, configure a newly installed system from a remote location while no other users exist yet.

  • To allow only SSH key-based sign-in for the root user, place the public key on the remote system and run the command in Listing 7.19.

    Listing 7.19 Allow only public-key SSH sign-in for root
    $ ucr set sshd/permitroot=without-password
    
  • To prohibit SSH sign-in for the root user, run the command in Listing 7.20.

    Listing 7.20 Prohibit SSH sign-in for root
    $ ucr set auth/sshd/user/root=no
    

To apply the SSH configuration changes, restart the SSH service as shown in Listing 7.21.

Listing 7.21 Restart the SSH service after configuration changes
$ systemctl restart ssh

7.2.2.1. X11 forwarding

With X11 forwarding enabled, users can run graphical programs on a remote computer. They connect with the ssh -X TARGETHOST command. Replace TARGETHOST with the hostname of the remote system.

  • To enable X11 forwarding over SSH, run the command in Listing 7.22.

    Listing 7.22 Enable X11 forwarding over SSH
    $ ucr set sshd/xforwarding=yes
    
  • To turn off X11 forwarding over SSH, run the command in Listing 7.23.

    Listing 7.23 Turn off X11 forwarding over SSH
    $ ucr set sshd/xforwarding=no
    

To apply the SSH configuration changes, restart the SSH service as shown in Listing 7.21.

7.2.2.2. Change the standard SSH port

The standard SSH port is 22 over TCP. Before you change the port, make sure that the firewall allows connections to the new port. Keep the current SSH session open until you verify access through the new port.

To use a different port, run the command in Listing 7.24. Replace PORT with the TCP port number that the SSH server uses for incoming connections.

Listing 7.24 Change the SSH port
$ ucr set sshd/port=PORT

To apply the SSH configuration changes, restart the SSH service as shown in Listing 7.21.

To verify access through the new port, open a new SSH session with the command in Listing 7.25. Replace USERNAME with your username and HOSTNAME with the hostname of the remote system.

Listing 7.25 Verify SSH access through a custom port
$ ssh -p PORT USERNAME@HOSTNAME

7.2.3. Authentication with PAM

Nubus for UCS uses Pluggable Authentication Modules (PAM) for authentication services. PAM provides a common interface for sign-in methods. Applications don’t need changes for each method.

By default, only the root user and members of the Domain Admins group can sign in remotely through SSH and locally on a tty.

To restrict access to a PAM service, choose the service identifier from the following list. You can restrict access to these services:

  • SSH with sshd

  • Sign-in on a tty with login

  • Remote sign-in with rlogin

  • PPP with ppp

  • Other services with other

The commands in Listings 7.26 to 7.28 use the following placeholders. Replace:

  • SERVICE with the service identifier.

  • USERNAME with the username.

  • GROUPNAME with the group name.

To restrict access to a service, run the command in Listing 7.26.

Listing 7.26 Restrict access to a PAM service
$ ucr set auth/SERVICE/restrict=yes

To grant access to a user, run the command in Listing 7.27.

Listing 7.27 Grant user access to a PAM service
$ ucr set auth/SERVICE/user/USERNAME=yes

To grant access to a group, run the command in Listing 7.28.

Listing 7.28 Grant group access to a PAM service
$ ucr set auth/SERVICE/group/GROUPNAME=yes

The commands in Listing 7.29 restrict SSH access to selected groups. The listing grants the groups first and enables the restriction only as the last step.

Listing 7.29 Restrict SSH access to selected groups
$ ucr set "auth/sshd/group/Administrators=yes"
$ ucr set "auth/sshd/group/Computers=yes"
$ ucr set "auth/sshd/group/DC Backup Hosts=yes"
$ ucr set "auth/sshd/group/DC Slave Hosts=yes"
$ ucr set "auth/sshd/group/Domain Admins=yes"
$ ucr set "auth/sshd/restrict=yes"