How To: Manage SSH Shell Users ============================== The InterWorx Control Panel allows server administrators the ability to easily manage SSH shell users from within NodeWorx. From the Shell Users page, it is possible to enable and disable shell users, change both the default and a user's shell, change shell users' passwords, and set jailed users. It is recommended to exercise discretion when giving out shell access, even jailed shell access, to end users in shared hosting environments. .. contents:: To Change the Default Shell --------------------------- .. note:: This will change the default shell for all newly enabled accounts. It will not affect existing enabled shell users. #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. At the bottom of the page, under More Options, click **Default Shell**. This opens the Shell Account Options form #. Select the **desired shell** from the Default Shell dropdown .. image:: /images/nw-shell-default.png :alt: default ssh shell #. Click **Update** To Enable a Shell User ---------------------- From the User List ^^^^^^^^^^^^^^^^^^ When enabling a user's shell, three distinct operations are performed: - The shell user's password is set to the SiteWorx account password - The user's shell is updated to the default shell setting - The account is enabled #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. Click the **checkmarked person** next to the shell user. This opens the Confirmation form .. image:: /images/nw-shell-enable.png :alt: enable shell user .. image:: /images/nw-shell-user-enable-confirm.png :alt: enable confirmation form #. Click **Enable** to confirm From the With Selected Dropdown ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. Select the **checkbox** next to the user(s) - Selecting the **checkbox** next to the With Selected dropdown will automatically select all accounts #. Select **Enable** from the With Selected dropdown .. image:: /images/nw-enable-dropdown.png :alt: enable dropdown #. Click **Go**. This opens the Confirmation form .. image:: /images/nw-shell-user-enable-confirm.png :alt: enable confirmation form #. Click **Enable** to confirm To Change a Shell User's Shell ----------------------------------- From the User List ^^^^^^^^^^^^^^^^^^ #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Click the **three vertical dots** next to the account. This opens an options form .. image:: /images/nw-shell-user-change.png :alt: shell change options dropdown #. Select **Change Shell**. This opens the Change Shell form .. image:: /images/nw-shell-change.png :alt: change user ssh shell #. Select the **desired shell** from the Shell dropdown #. Click **Update** From the With Selected Dropdown ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Select the **checkbox** next to the user(s) - Selecting the **checkbox** next to the With Selected dropdown will automatically select all users .. image:: /images/nw-shell-change-dropdown.png :alt: change shell dropdown #. Select **Change Shell** from the With Selected dropdown #. Click **Go**. This opens the Change Shell form .. image:: /images/nw-shell-change.png :alt: change user ssh shell #. Select the **desired shell** from the Shell dropdown #. Click **Update** To Set a Jailed User -------------------- A jailed user has a very limited view of the file system and available Linux commands when logged in. From the User List ^^^^^^^^^^^^^^^^^^ #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Click the **three vertical dots** next to the account. This opens an options form .. image:: /images/nw-shell-user-change.png :alt: shell change options dropdown #. Select **Change Shell**. This opens the Change Shell form .. image:: /images/nw-shell-jail.png :alt: change user ssh shell #. Select **/usr/sbin/jk_chrootsh** from the Shell dropdown #. Click **Update** From the With Selected Dropdown ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Select the **checkbox** next to the user(s) - Selecting the **checkbox** next to the With Selected dropdown will automatically select all users .. image:: /images/nw-shell-change-dropdown.png :alt: change shell dropdown #. Select **Change Shell** from the With Selected dropdown #. Click **Go**. This opens the Change Shell form .. image:: /images/nw-shell-jail.png :alt: change user ssh shell #. Select **/usr/sbin/jk_chrootsh** from the Shell dropdown #. Click **Update** To Change a Shell User's Password --------------------------------- #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Click the **three vertical dots** next to the account. This opens an options form .. image:: /images/nw-shell-user-change.png :alt: shell change options dropdown #. Select **Change Password**. This opens the Change Shell Password form .. image:: /images/nw-shell-user-password.png :alt: change password form #. Update the `Password` and `Confirm Password` fields with the new password - Alternately, click the **Magic Wand** to automatically generate a new password #. Click **Update** To View a Shell User's History ----------------------------------- #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. Click **View** next to the shell user. This opens a new window with the complete shell history of the shell user To Disable a Shell User ----------------------- From the User List ^^^^^^^^^^^^^^^^^^ #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. Click the **crossed out person** next to the shell user. This opens the confirmation form .. image:: /images/nw-shell-disable.png :alt: disable shell user .. image:: /images/nw-shell-disable-confirm.png :alt: disable confirmation form #. Click **Disable** to confirm From the With Selected Dropdown ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** .. image:: /images/nw-shell-users.png :alt: shell users list #. Select the **checkbox** next to the user(s) - Selecting the **checkbox** next to the With Selected dropdown will automatically select all .. image:: /images/nw-shell-disable-dropdown.png :alt: disable dropdown #. Select **Disable** from the With Selected dropdown #. Click **Go**. This opens the Confirmation form .. image:: /images/nw-shell-disable-confirm.png :alt: disable confirmation form #. Click **Disable** to confirm To Configure Multiple SSH Users per SiteWorx Account ---------------------------------------------------- InterWorx allows for the ability to have more than one SSH user per SiteWorx account. The SiteWorx account must have shell access in order to use this feature. Enabling Multiple SSH Users ^^^^^^^^^^^^^^^^^^^^^^^^^^^ On AlmaLinux 8 '''''''''''''' #. Log in to the server at the CLI as root, either via SSH or from the terminal #. Run the following commands to install libnss-mysql and set the config options to allow multiple SSH users per SiteWorx account: .. code-block:: yum install libnss-mysql ~iworx/bin/config.pex --global --set --name SITEWORX_SSH_FEATURE --value 1 ~iworx/bin/sshd.pex --init-libnss-mysql #. Using a text editor, open ``/etc/nsswitch.conf``. The following example uses the vim text editor: .. code-block:: vim /etc/nsswitch.conf #. Append ``mysql`` to the ``passwd``, ``shadow``, and ``group`` lines. The edited section should be similar to the following: .. code-block:: # In order of likelihood of use to accelerate lookup. passwd: files sss systemd mysql shadow: files sss mysql group: files sss systemd mysql hosts: files dns myhostname services: files sss netgroup: sss automount: files sss aliases: files ethers: files gshadow: files #. Save and exit the text editor On Rocky Linux 8 '''''''''''''''' #. Log in to the server at the CLI as root, either via SSH or from the terminal #. Run the following commands to install libnss-mysql, set the config options to allow multiple SSH users per SiteWorx account, and create a custom autoselect profile: .. code-block:: yum install libnss-mysql ~iworx/bin/config.pex --global --set --name SITEWORX_SSH_FEATURE --value 1 ~iworx/bin/sshd.pex --init-libnss-mysql authselect create-profile libnss-mysql -b minimal #. Using a text editor, open ``/etc/authselect/custom/libnss-mysql/nsswitch.conf``. The following example uses the vim text editor: .. code-block:: vim /etc/authselect/custom/libnss-mysql/nsswitch.conf #. Append ``mysql`` after the word ``files`` on the ``passwd``, ``shadow``, and ``group`` lines. The edited section should be similar to the following example: .. code-block:: aliases: files {exclude if "with-custom-aliases"} automount: files {exclude if "with-custom-automount"} ethers: files {exclude if "with-custom-ethers"} group: files mysql {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"} hosts: files dns myhostname {exclude if "with-custom-hosts"} initgroups: files {exclude if "with-custom-initgroups"} netgroup: files {exclude if "with-custom-netgroup"} networks: files {exclude if "with-custom-networks"} passwd: files mysql {if "with-altfiles":altfiles }systemd {exclude if "with-custom-passwd"} protocols: files {exclude if "with-custom-protocols"} publickey: files {exclude if "with-custom-publickey"} rpc: files {exclude if "with-custom-rpc"} services: files {exclude if "with-custom-services"} shadow: files mysql {exclude if "with-custom-shadow"} #. Save and exit the text editor #. Run the following to enable the profile: .. code-block:: authselect select custom/libnss-mysql On EL9 Servers '''''''''''''' .. note:: The following commands will update all files in ``/etc/pam.d/``, as well as ``/etc/nsswitch.conf``. It is recommended to back up any customizations that may have been made to those files before running the commands, below. #. Log in to the server at the CLI as root, either via SSH or from the terminal #. Run the following commands to install libnss-mysql and set the config options to allow multiple SSH users per SiteWorx account: .. code-block:: yum install libnss-mysql ~iworx/bin/config.pex --global --set --name SITEWORX_SSH_FEATURE --value 1 ~iworx/bin/sshd.pex --init-libnss-mysql authselect select libnss-mysql --force Configuring the SSH Users ^^^^^^^^^^^^^^^^^^^^^^^^^ Once enabled, the secondary SiteWorx user will be able to use their SiteWorx password to access the server over SSH. .. note:: Information on how to create secondary SiteWorx users can be found :doc:`here`. #. Log into SiteWorx from the browser (https://ip.ad.dr.ess:2443/siteworx) #. In SiteWorx, navigate to **Adminstration > User Accounts** .. image:: /images/sw-secondary.png :alt: secondary user list #. Click the **Pencil** next to the SiteWorx user that should have secondary SSH access. This opens the Edit SiteWorx User form .. image:: /images/sw-multiple-ssh-user.png :alt: multiple ssh user enable options #. Select **Yes** next to SSH Enabled #. If desired, update the SSH Public Key field with the **User's Public Key** (Optional) #. Click **Save**