Overview
With RightLink v10.5.0 and above, Managed Login for Linux-based systems has been completely revamped. Users with the server_login role can log into running servers over key-based SSH. Users who also have the server_superuser role can run sudo. Two login names are available to each user: the RightScale-generated default login name and a user-definable custom login name.
Enabling Managed Login
Enabling the 'Managed Login' feature is done by running the RL10 Linux Enable Managed Login RightScript (Github, MultiCloud Marketplace).
Installed and Configuration files
Managed Login uses these commonly used standard Linux components: PAM, NSS, sudo, and OpenSSH.
Configuration of these components entails the following files:
File | Format | Purpose |
---|---|---|
/etc/ssh/sshd_config | SSHD config file | Updated so that sshd calls /usr/local/bin/rs-ssh-keys.sh to obtain a user's SSH public key for key-based authentication. |
/usr/local/bin/rs-ssh-keys.sh | bash script | Custom open-source script that returns the public key the user has set in the RightScale Dashboard. It is referenced from /etc/ssh/sshd_config and can be found in the rightscale/rightlink_scripts repository as rs-ssh-keys.sh. |
/etc/sudoers.d/90-rightscale-sudo-users | sudo config | Grants users with the server_superuser role the ability to run sudo. |
/etc/pam.d/sshd | PAM config | Updated to use the pam_mkhomedir PAM module, which creates the user's home directory on successful login. |
/etc/nsswitch.conf | NSS config | Name Service Switch configuration, updated to consult RightScale's custom NSS module for user and group information. |
/usr/local/lib/libnss_rightscale.so.2.0.0, /usr/local/lib/libnss_rightscale.so.2, /usr/local/lib/libnss_rightscale.so | NSS binary module | RightScale's custom NSS module, which provides RightScale user and group information to the OS. It is referenced from /etc/nsswitch.conf; the source code is available in the rightscale/libnss-rightscale repository. |
/var/lib/rightlink/login_policy | Login policy file | Generated file read by the custom NSS module and by rs-ssh-keys.sh (the script invoked from sshd_config). |
/var/lib/rightlink_keys | SSH keys directory | Fallback for Ubuntu 12.04, whose OpenSSH (5.9) predates the AuthorizedKeysCommand option that rs-ssh-keys.sh relies on. In that case this directory is created and referenced from sshd_config instead, with one file per user holding the server_login role, containing that user's public key. |
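The table describes four pieces of plumbing that all have to be in place for a login to succeed, and a mistake in any one of them fails silently at the SSH prompt. The following audit script is an added example, not part of RightLink or the RightScale scripts. It assumes (the page does not say) that sshd invokes rs-ssh-keys.sh through the AuthorizedKeysCommand option, that the NSS service name is "rightscale" (glibc derives it from the library name libnss_rightscale.so.2), and that the Ubuntu 12.04 fallback lists /var/lib/rightlink_keys in AuthorizedKeysFile. Each function takes the path of the file to inspect so it can be pointed at /etc or at a copy.

```shell
#!/bin/sh
# Added audit helpers for a Managed Login host (example code, not RightScale's).
# Assumptions: sshd calls rs-ssh-keys.sh via AuthorizedKeysCommand; the NSS
# service name is "rightscale"; the Ubuntu 12.04 fallback uses AuthorizedKeysFile.

# Effective value of an sshd_config keyword. Commented lines are skipped and the
# first uncommented occurrence wins, which is how sshd itself resolves duplicates.
sshd_option() {
  grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# Key lookup: either sshd runs rs-ssh-keys.sh (and has a user to run it as, since
# sshd requires AuthorizedKeysCommandUser whenever AuthorizedKeysCommand is set),
# or the host is on the legacy per-user key-file layout.
check_sshd_config() {
  cmd=$(sshd_option "$1" AuthorizedKeysCommand)
  if [ "$cmd" = /usr/local/bin/rs-ssh-keys.sh ]; then
    if [ -n "$(sshd_option "$1" AuthorizedKeysCommandUser)" ]; then
      return 0
    fi
    echo "sshd_config: AuthorizedKeysCommandUser is unset; sshd will not run rs-ssh-keys.sh" >&2
    return 1
  fi
  if grep -Eiq '^[[:space:]]*AuthorizedKeysFile[[:space:]].*/var/lib/rightlink_keys' "$1"; then
    return 0
  fi
  echo "sshd_config: no AuthorizedKeysCommand for rs-ssh-keys.sh and no rightlink_keys fallback" >&2
  return 1
}

# Both login names resolve to one UID only if NSS consults the RightScale module
# for the passwd and group databases.
check_nsswitch() {
  for db in passwd group; do
    if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]rightscale([[:space:]]|$)" "$1"; then
      echo "nsswitch.conf: '$db' line does not list the rightscale module" >&2
      return 1
    fi
  done
  return 0
}

# sudo rejects a sudoers.d file with the wrong mode, so a permissions slip removes
# server_superuser access without any error at login time.
check_sudoers_mode() {
  if [ -z "$(find "$1" -perm 0440 -print)" ]; then
    echo "sudoers.d: $1 is not mode 0440" >&2
    return 1
  fi
  return 0
}

# Run all three checks against the live files; returns non-zero if any fails.
# Usage: . ./managed-login-audit.sh && audit_managed_login
audit_managed_login() {
  rc=0
  check_sshd_config /etc/ssh/sshd_config || rc=1
  check_nsswitch /etc/nsswitch.conf || rc=1
  check_sudoers_mode /etc/sudoers.d/90-rightscale-sudo-users || rc=1
  return $rc
}
```

Two follow-up checks are worth running by hand on a host that passes: `visudo -cf /etc/sudoers.d/90-rightscale-sudo-users` for sudoers syntax, and `getent passwd rightscale123456` against `getent passwd <custom-name>` for a user who has set a custom login name; both must return the same UID, which is the NSS module working end to end.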
Login Names
RightScale users with the server_login role can log into an instance using either the RightScale-generated default login name or their user-definable custom login name. Both login names map to the same Linux user ID (UID). Login names are defined under SSH settings in the RightScale UI: Settings\User Settings\SSH.
To allow users to manage their own SSH key pairs, Mandatory Server Login Control must be enabled for the account.
RightScale generated default login name
The default login name is generated for each user using the pattern rightscale{RightScale_ID_Num}. For example, if your RightScale ID is 123456, your login name is rightscale123456.
User definable custom login name
Optionally, you can set a custom login name using the edit button with the following requirements:
- must be globally unique to the RightScale platform
- must be made up of only lower case letters, numbers, dashes, and underscores with the first character being a lowercase letter
- must be a minimum length of 3 characters and a maximum length of 32 characters
- must not be in the list of disallowed login names
If any of these restrictions is not met, an error message will describe the problem. You can remove the custom login name by clearing the Custom Login Name field and saving.
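The rules above can be checked locally before a name is submitted, and the same script can test for the operating-system conflict described in the next paragraph. This is an added example, not RightScale code; the DISALLOWED list is a placeholder because the page does not publish the real one, and the conflict check deliberately reads the local passwd file rather than going through NSS.

```shell
#!/bin/sh
# Added example, not RightScale code. Validates a custom login name against the
# published rules and flags a clash with a local OS account.
# DISALLOWED is a hypothetical list; the real one is not on the page.
DISALLOWED="root admin sudo rightscale rightlink"

validate_login_name() {
  name=$1
  if [ "${#name}" -lt 3 ] || [ "${#name}" -gt 32 ]; then
    echo "rejected '$name': length must be 3 to 32 characters" >&2
    return 1
  fi
  # LC_ALL=C keeps [a-z] to ASCII lowercase regardless of the caller's locale.
  if ! printf '%s\n' "$name" | LC_ALL=C grep -Eq '^[a-z][a-z0-9_-]*$'; then
    echo "rejected '$name': lowercase letters, digits, '-' and '_' only, starting with a letter" >&2
    return 1
  fi
  for bad in $DISALLOWED; do
    if [ "$name" = "$bad" ]; then
      echo "rejected '$name': disallowed login name" >&2
      return 1
    fi
  done
  return 0
}

# The OS-level conflict: a local account with the same name. Only the local
# passwd file is consulted, not getent, because once the custom name has
# propagated the rightscale NSS module would answer for it and every lookup
# would look like a clash. Exact-match via awk, so the name is never a regex.
conflicts_with_local_user() {
  awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}
```

A name that passes `validate_login_name` but trips `conflicts_with_local_user` on a host is exactly the case the audit entry warns about: the local account may win authentication, so pick another custom name or fall back to the default one.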
If a custom login name conflicts with a username that already exists on the operating system, the conflict is logged in Audit Entries with a note that the existing username may take authentication priority (lookup sources in /etc/nsswitch.conf are consulted in order, so a local account listed ahead of the RightScale module wins). The solution is to use the default login name or to change the conflicting custom login name.
Changes to custom login names, public keys, and roles are not immediately visible on every server in a RightScale account. Allow 5-10 minutes for updates to propagate across all servers. Audit entries can be reviewed to confirm that a specific server has picked up the change.
Home Directories
User home directories are created at SSH login if they do not already exist. A user's home directory is /home/rightscale{RightScale_ID_Num}, matching the default login name. This is the user's home directory regardless of which login name is used.
'sudo' permission
RightScale users with both the server_login and server_superuser roles can run sudo commands on the instance. In the default configuration, ALL commands are available via sudo to users with the server_superuser role.
Managing User Roles
Managing user roles is done in the RightScale UI. For more information on managing user roles, please see RightScale Account and User Role Management.
Known Limitations
Currently the Managed Login feature is not supported on CoreOS, due to an issue with PAM in the stable releases.