9.4 SSH Services on OES

9.4.1 Overview

SSH services on SLES are provided by OpenSSH, a free version of SSH connectivity tools developed by the OpenBSD Project.

Linux administrators often use SSH to remotely access a server for management purposes, such as executing shell commands, transferring files and so on. Because many OES services can be managed at a command prompt via an SSH session, it is important to understand how SSH access is controlled in OES.

This section discusses the following topics:

When Is SSH Access Required?

SSH access is required for the following:

  • SSH administration access for eDirectory users: For eDirectory users to manage the server through an SSH connection, they must have SSH access as LUM-enabled users (eDirectory users configured for access to Linux services).

    NOTE:The standard Linux root user is a local user, not an eDirectory user. The root user always has SSH access as long as the firewall allows it.

  • Access to NSS Volume Management in NetStorage: When an OES server has NSS volumes, eDirectory contains an object named nssvolumes that provides management access to the volumes through the File Access (NetStorage) iManager plug-in. Using the plug-in to manage NSS volumes, assign trustee rights, salvage and purge files, etc. requires SSH access to the server.

    Although eDirectory administrators can create Storage Location Objects to the NSS volumes without SSH access if they know the path to the volume on the POSIX file system and other volume information, having SSH access makes administering NSS volumes in NetStorage much easier.

  • Access to any NetStorage Storage Location Objects based on SSH: The NetStorage server provides Web access to directories and files on other servers (or on itself).

    Typically, either an NCP or a CIFS connection is used for connecting the NetStorage server with storage targets. However, an SSH connection can also be used, and if it is, the users accessing data through the connection must have SSH access to the data on the target servers.

How SSH Access for eDirectory Users Works

For eDirectory users, the following work together to control SSH access:

  • Firewall: As mentioned, the default firewall configuration on an OES server does not allow SSH connections with the server. This restricts the root user as well. Therefore, the first requirement for SSH access is configuring the firewall to allow SSH services.

  • Linux User Management (LUM) must allow SSH as a PAM-enabled service: Access to SSH and other Linux services is controlled through Linux User Management (LUM), and each service must be explicitly included in the LUM configuration as a PAM-enabled service on each server.

  • PAM-enabling: After SSH is included as a PAM-enabled service on a server, at least one group and its users must be enabled for LUM. Only LUM-enabled eDirectory users can have SSH access.

  • All eDirectory Groups must allow access: SSH access is inherited from the LUM-enabled groups that a user belongs to, and access is only granted when all of the groups to which a user belongs allow it.

SSH Security Considerations

Remember that SSH access lets users browse and view most directories and files on a Linux server. Even though users might be prevented from modifying settings or effecting other changes, there are serious security and confidentiality issues to consider before granting SSH access to a group of users.

9.4.2 Setting Up SSH Access for LUM-enabled eDirectory Users

If you need to grant SSH access to an eDirectory user, complete the instructions in the following sections in order, as they apply to your situation.

Allowing SSH Access Through the Firewall

NOTE:This section assumes you are allowing SSH access on an installed server.

SSH can also be enabled during an OES installation by clicking the SSH Port Is Blocked button on the Firewall screen.

  1. On the OES server you are granting access to, open the YaST Control Center and click Security and Users > Firewall.

  2. In the left navigation frame, click Allowed Services.

  3. In the Allowed Services drop-down list, select SSH.

  4. Click Add > Next > Accept.

    The firewall is now configured to allow SSH connections with the server.

Adding SSH as an Allowed Service in LUM

  1. If SSH is already an allowed (PAM-enabled) service for Linux User Management on the server, skip to Enabling Users for LUM.

    or

    If SSH is not an allowed (PAM-enabled) service for Linux User Management on the server, continue with Step 2.

  2. On the OES server, open the YaST Control Center; then in the Open Enterprise Server group, click OES Install and Configuration.

  3. Click Accept.

  4. When the Micro Focus Open Enterprise Server Configuration screen has finished loading, click the Disabled link under Linux User Management.

    The option changes to Enabled and the configuration settings appear.

  5. Click Linux User Management.

  6. Type the eDirectory Admin password in the appropriate field, then click OK > Next.

  7. In the list of allowed services, click sshd.

  8. Click Next > Next > Finish.

    Each LUM-enabled group in eDirectory now shows SSH as an allowed service.

Enabling Users for LUM

There are numerous ways to enable users for LUM.

For example, in iManager > Linux User Management there are options for enabling users (and choosing a Group in the process) or enabling groups (and enabling users in the process). And finally, there are also command line options.

For specific instructions, refer to Managing User and Group Objects in eDirectory in the OES 2018 SP2: Linux User Management Administration Guide.

After you configure the server’s firewall to allow SSH, add SSH as an allowed service, and LUM-enable the eDirectory users you want to have SSH access.

Of course, many network administrators limit SSH access to only those who have administrative responsibilities. They don’t want every LUM-enabled user to have SSH access to the server.

If you need to limit SSH access to only certain LUM-enabled users, continue with Restricting SSH Access to Only Certain LUM-Enabled Users.

Restricting SSH Access to Only Certain LUM-Enabled Users

SSH Access is easily restricted for one or more users by making them members of a LUM-enabled group and then disabling SSH access for that group. All other groups assignments that enable SSH access are then overridden.

  1. Open iManager in a browser using its access URL:

    http://IP_Address/iManager.html

    where IP_Address is the IP address of an OES server with iManager installed.

  2. In the Roles and Tasks list, click Groups > Create Group.

  3. Type a group name, for example NoSSHGroup, and select a context, such as the container where your other Group and User objects are located. Then click OK.

  4. In the Roles and Tasks list, click Directory Administration > Modify Object.

  5. Browse to the group you just created and click OK.

  6. Click the Linux Profile tab.

  7. Select the Enable Linux Profile option.

  8. In the Add UNIX Workstation dialog box, browse to and select the UNIX Workstation objects for the servers you are restricting SSH access to, then click OK > OK.

  9. Click Apply > OK.

  10. In the Roles and Tasks list, click Modify Object, browse to the group again, then click OK.

  11. Click the Other sub-tab.

  12. In the Unvalued Attributes list, select uamPosixPAMServiceExcludeList, then click the left‑arrow to move the attribute to the Valued Attributes list.

  13. In the Add Attribute dialog box, click the plus sign (+) next to the empty drop-down list.

  14. In the Add item field, type sshd, then click OK > OK.

  15. Click the Members tab.

  16. Browse to and select the User objects that shouldn’t have SSH access, then click OK.

  17. Click Apply > OK.