
How does Cloud-init impose user settings, defined through cloud init?

To all the Cloud-init experts:

Recently, I've been trying to play around with cloud-init's capabilities for user account creation and management.

I wanted to forbid root ssh login and to create another sudo user that needs no password for sudo.

I do get the desired result, but I do not know how it is implemented.

Sample config.cfg:

users:
   - name: root
#     lock_passwd: false
   - default
   - name: user_name
     gecos: Non-root User
     primary_group: nr_user
     groups: nr_user,sudo,wheel
     lock_passwd: false
     passwd: $6$rounds=4096$e0Ju.HuWxqWs....JeEzX/XGGave2jhi1
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]

disable_root: true
disable_root_opts: no-port-forwarding,no-agent-forwarding,no-X11-forwarding

I should typically restrict root ssh login through /etc/ssh/sshd_config, changing: PermitRootLogin yes to PermitRootLogin no. I would typically add a line like this: user_name ALL=(ALL) NOPASSWD:ALL to /etc/sudoers, if I want to have a sudoer that does not need to enter a password every time.

But I see no changes like this.

On top of that, the very custom message that root ssh is disabled and another user should be used makes me wonder how it is achieved. Does cloud-init spin a module that is monitoring for the usage of users and applying the settings on the fly?

SSH Custom Message

The SSH custom message is written to /root/.ssh/authorized_keys. On an Ubuntu system it should contain something like

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142"

followed by the default user's authorized key.

This is accomplished via the SSH module. See the documentation and source here and here

Sudo

cloud-init automatically creates a sudo: ["ALL=(ALL) NOPASSWD:ALL"] for the default user. Any user sudo definition gets written to /etc/sudoers.d/90-cloud-init-users. For your cloud-config, it should look something like

# Created by cloud-init v. 21.4 on Mon, 13 Dec 2021 14:37:19 +0000

# User rules for user_name
user_name ALL=(ALL) NOPASSWD:ALL

# User rules for ubuntu
ubuntu ALL=(ALL) NOPASSWD:ALL

You can see the (templated) definition for the default user here
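
An audit of the two files named in the answer above, as an added example that is not part of the original post or of cloud-init itself. It parses root's authorized_keys to find keys that do not carry the forced command= prefix (those keys are not covered by disable_root) and lists the users with NOPASSWD rules in the sudoers drop-in. The sample contents, the placeholder key material, the second hand-added key and all function names are constructed for illustration.

```python
import re

# Constructed sample file contents; the key material is a placeholder.
ROOT_AUTHORIZED_KEYS = (
    "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,"
    "command=\"echo 'Please login as the user \\\"ubuntu\\\" rather than the user"
    " \\\"root\\\".';echo;sleep 10;exit 142\" ssh-ed25519 AAAAC3PLACEHOLDER cloud-key\n"
    "ssh-ed25519 AAAAC3PLACEHOLDER2 added-by-hand\n"
)
SUDOERS_DROPIN = (
    "# User rules for user_name\nuser_name ALL=(ALL) NOPASSWD:ALL\n\n"
    "# User rules for ubuntu\nubuntu ALL=(ALL) NOPASSWD:ALL\n"
)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def split_options(line):
    """Split a key line into (options, rest); quoted values may hold commas, spaces, escaped quotes."""
    if line.startswith(KEY_TYPES):
        return [], line                      # no options field at all
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2      # escaped quote stays inside the value
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in ", \t":
            opts.append(cur)
            cur = ""
            if ch != ",":                    # whitespace ends the options field
                return opts, line[i:].strip()
            i += 1
            continue
        cur += ch
        i += 1
    return opts + [cur], ""

def unrestricted_root_keys(text):
    """Key lines in root's authorized_keys that lack a forced command= option."""
    lines = [l for l in map(str.strip, text.splitlines()) if l and not l.startswith("#")]
    return [rest for opts, rest in map(split_options, lines)
            if not any(o.startswith("command=") for o in opts)]

def nopasswd_users(text):
    """User names granted a NOPASSWD rule in a sudoers drop-in."""
    return re.findall(r"^([^#\s]+)[ \t]+.*\bNOPASSWD\s*:", text, flags=re.M)
```

On a real host, pass the contents of /root/.ssh/authorized_keys and /etc/sudoers.d/90-cloud-init-users to these functions; any key returned by unrestricted_root_keys can still log in as root, because sshd_config is left unchanged.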
