How to: Manage SSH Shell Users ============================== The InterWorx Control Panel allows server administrators the ability to easily manage SSH shell users from within NodeWorx. From the Shell Users page, it is possible to enable and disable shell users, change both the default and a user's shell, change shell users' passwords, and set jailed users. It is recommended to exercise discretion when giving out shell access, even jailed shell access, to end users in shared hosting environments. .. contents:: To Change the Default Shell --------------------------- .. note:: This will change the default shell for all newly enabled accounts. It will not affect existing enabled shell users. #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. At the bottom of the page, under More Options, click **Default Shell**. This opens the Shell Account Options form #. Select the **desired shell** from the Default Shell dropdown .. image:: /images/nw-shell-default.png :alt: default ssh shell #. Click **Update** To Enable a Shell User ---------------------- When enabling a user's shell, three distinct operations are performed: - The shell user's password is set to the SiteWorx account password - The user's shell is updated to the default shell setting - The account is enabled #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. Click the **checkmarked person** next to the shell user. This opens the Confirmation form .. image:: /images/nw-shell-enable.png :alt: enable shell user #. Click **Enable** to confirm It is also possible to enable more than one shell user at the same time: #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. Select the **checkbox** next to the user(s) - Selecting the **checkbox** next to the With Selected dropdown will automatically select all #. Select **Enable** from the With Selected dropdown #. Click **Go**. This opens the Confirmation form #. Click **Enable** to confirm To Change a Shell User's Shell ----------------------------------- #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Click **...**. This opens an options form #. Select **Change Shell**. This opens the Change Shell form #. Select the **desired shell** from the Shell dropdown .. image:: /images/nw-shell-change.png :alt: change user ssh shell #. Click **Update** It is also possible to change the shell of more than one user at the same time: #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. Select the **checkbox** next to the user(s) - Selecting the **checkbox** next to the With Selected dropdown will automatically select all #. Select **Change Shell** from the With Selected dropdown #. Click **Go**. This opens the Change Shell form #. Select the **desired shell** from the Shell dropdown #. Click **Update** To Set a Jailed User -------------------- A jailed user has a very limited view of the file system and available Linux commands when logged in. #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Click **...**. This opens an options form #. Select **Change Shell**. This opens the Change Shell form #. Select **/usr/sbin/jk_chrootsh** from the Shell dropdown #. Click **Update** To Change a Shell User's Password --------------------------------- #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. If the shell user is not already enabled, see `To Enable a Shell User`_ #. Click **...**. This opens an options form #. Select **Change Password**. This opens the Change Shell Password form - Alternately, click the **Magic Wand** to automatically generate a new password #. Update the `Password` and `Confirm Password` fields with the new password #. Click **Update**  To View a Shell User's History ----------------------------------- #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users** #. Click **View** next to the shell user. This opens a new window with the complete shell history of the shell user To Disable a Shell User ----------------------- #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. Click the **crossed out person** next to the shell user. This opens the confirmation form .. image:: /images/nw-shell-disable.png :alt: disable shell user #. Click **Disable** to confirm It is also possible to disable more than one shell user at the same time: #. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx) #. From NodeWorx, navigate to **SiteWorx > Shell Users**  #. Select the **checkbox** next to the user(s) - Selecting the **checkbox** next to the With Selected dropdown will automatically select all #. Select **Disable** from the With Selected dropdown #. Click **Go**. This opens the Confirmation form #. Click **Disable** to confirm To Configure Multiple SSH Users per SiteWorx Account ---------------------------------------------------- InterWorx allows for the ability to have more than one SSH user per SiteWorx account. The SiteWorx account must have shell access in order to use this feature. Enabling Multiple SSH Users ^^^^^^^^^^^^^^^^^^^^^^^^^^^ On AlmaLinux 8 '''''''''''''' #. Log in to the server at the CLI as root, either via SSH or from the terminal #. Run the following commands to install libnss-mysql and set the config options to allow multiple SSH users per SiteWorx account: .. code-block:: yum install libnss-mysql ~iworx/bin/config.pex --global --set --name SITEWORX_SSH_FEATURE --value 1 ~iworx/bin/sshd.pex --init-libnss-mysql #. Using a text editor, open ``/etc/nsswitch.conf``. The following example uses the vim text editor: .. code-block:: vim /etc/nsswitch.conf #. Append ``mysql`` to the ``passwd``, ``shadow``, and ``group`` lines. The edited section should be similar to the following: .. code-block:: # In order of likelihood of use to accelerate lookup. passwd: files sss systemd mysql shadow: files sss mysql group: files sss systemd mysql hosts: files dns myhostname services: files sss netgroup: sss automount: files sss aliases: files ethers: files gshadow: files #. Save and exit the text editor On Rocky Linux 8 '''''''''''''''' #. Log in to the server at the CLI as root, either via SSH or from the terminal #. Run the following commands to install libnss-mysql, set the config options to allow multiple SSH users per SiteWorx account, and create a custom autoselect profile: .. code-block:: yum install libnss-mysql ~iworx/bin/config.pex --global --set --name SITEWORX_SSH_FEATURE --value 1 ~iworx/bin/sshd.pex --init-libnss-mysql authselect create-profile libnss-mysql -b minimal #. Using a text editor, open ``/etc/authselect/custom/libnss-mysql/nsswitch.conf``. The following example uses the vim text editor: .. code-block:: vim /etc/authselect/custom/libnss-mysql/nsswitch.conf #. Append ``mysql`` after the word ``files`` on the ``passwd``, ``shadow``, and ``group`` lines. The edited section should be similar to the following example: .. code-block:: aliases: files {exclude if "with-custom-aliases"} automount: files {exclude if "with-custom-automount"} ethers: files {exclude if "with-custom-ethers"} group: files mysql {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"} hosts: files dns myhostname {exclude if "with-custom-hosts"} initgroups: files {exclude if "with-custom-initgroups"} netgroup: files {exclude if "with-custom-netgroup"} networks: files {exclude if "with-custom-networks"} passwd: files mysql {if "with-altfiles":altfiles }systemd {exclude if "with-custom-passwd"} protocols: files {exclude if "with-custom-protocols"} publickey: files {exclude if "with-custom-publickey"} rpc: files {exclude if "with-custom-rpc"} services: files {exclude if "with-custom-services"} shadow: files mysql {exclude if "with-custom-shadow"} #. Save and exit the text editor #. Run the following to enable the profile: .. code-block:: authselect select custom/libnss-mysql Configuring the SSH Users ^^^^^^^^^^^^^^^^^^^^^^^^^ Once enabled, the secondary SiteWorx user will be able to use their SiteWorx password to access the server over SSH. .. note:: Information on how to create secondary SiteWorx users can be found :doc:`here`. #. Log into SiteWorx from the browser (https://ip.ad.dr.ess:2443/siteworx) #. In SiteWorx, navigate to Adminstration > User Accounts #. Click the **Pencil** next to the SiteWorx user that should have secondary SSH access. This opens the Edit SiteWorx User form #. Select **Yes** next to SSH Enabled #. If desired, update the SSH Public Key field with the **User's Public Key** (Optional) .. image:: /images/sw-multiple-ssh-user.png :alt: multiple ssh user enable options #. Click **Save**