Overview

With RightLink v10.5.0 and above, Managed Login for Linux-based systems has been completely revamped. Users with the server_login role can log in to running servers with key-based SSH connections. Users who also have the server_superuser role can run sudo. Two login names are available to each user: the RightScale-generated default login name and a user-definable custom login name.

Enabling Managed Login

To enable the Managed Login feature, run the RL10 Linux Enable Managed Login RightScript (GitHub, MultiCloud Marketplace).

Installed and Configuration Files

Managed Login relies on these standard Linux components: PAM, NSS, sudo, and OpenSSH.

Configuration of these components entails the following files:

| Files | Format | Purpose |
|---|---|---|
| /etc/ssh/sshd_config | SSHD config file | Configuration file updated to use /usr/local/bin/rs-ssh-keys.sh to obtain a user's SSH public key for key-based authentication. |
| /usr/local/bin/rs-ssh-keys.sh | bash script | Custom open-source script that obtains a user's public key set in the RightScale Dashboard. This script is used in /etc/ssh/sshd_config. The script can be found in the rightscale/rightlink_scripts repository as rs-ssh-keys.sh. |
| /etc/sudoers.d/90-rightscale-sudo-users | Sudo config | Configuration file that allows users with the server_superuser role to run sudo. |
| /etc/pam.d/sshd | PAM config | Configuration file updated to use the pam_mkhomedir PAM module to create the user's home directory at successful login. |
| /etc/nsswitch.conf | NSS config | Name Service Switch configuration file updated to use RightScale's custom NSS module, which provides user and group information to the OS. |
| /usr/local/lib/libnss_rightscale.so.2.0.0, /usr/local/lib/libnss_rightscale.so.2, /usr/local/lib/libnss_rightscale.so | NSS binary module | RightScale's custom NSS module, which provides RightScale user and group information to the OS. This module is used in /etc/nsswitch.conf. The source code is available in the rightscale/libnss-rightscale repository. |
| /var/lib/rightlink/login_policy | Login Policy File | Generated file read by the custom NSS module, rs-ssh-keys.sh, and sshd_config. |
| /var/lib/rightlink_keys | SSH Keys Directory | Ubuntu 12.04 has a version of OpenSSH that does not support the feature needed to use rs-ssh-keys.sh. In this case, this directory is created and used by sshd_config. A file containing the user's public key is created in this directory for every user with the server_login role. |
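
A host-side check of the files listed above, as an added example that is not part of RightScale's documentation or scripts. The function name and the root-prefix argument are assumptions; it verifies only that each piece is present, wired in, and not writable by group or others.

```shell
# Added example (not RightScale's code): audit the Managed Login wiring on a host.
# $1 is an assumed root prefix: "" for the live system, or a mounted image / test tree.
# Prints one FAIL line per problem and returns the number of problems found.
audit_managed_login() {
  ml_root="${1:-}"; ml_fails=0
  ml_keys=/usr/local/bin/rs-ssh-keys.sh
  ml_keydir=/var/lib/rightlink_keys   # fallback used on Ubuntu 12.04
  ml_sudo=/etc/sudoers.d/90-rightscale-sudo-users
  ml_policy=/var/lib/rightlink/login_policy

  ml_fail() { echo "FAIL: $*"; ml_fails=$((ml_fails + 1)); }
  # True if a non-comment line of file $1 matches extended regex $2.
  ml_active() { grep -Ev '^[[:space:]]*#' "$ml_root$1" 2>/dev/null | grep -Eq "$2"; }
  # True if path $1 is writable by group or others.
  ml_loose() { [ -n "$(find "$ml_root$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; }

  # sshd must obtain keys through the script or, on the fallback, the key directory.
  if ml_active /etc/ssh/sshd_config "$ml_keys"; then
    [ -x "$ml_root$ml_keys" ] || ml_fail "$ml_keys missing or not executable"
    # sshd runs this script during authentication, so only root should write it.
    ml_loose "$ml_keys" && ml_fail "$ml_keys is group/world writable"
  elif ml_active /etc/ssh/sshd_config "$ml_keydir"; then
    [ -d "$ml_root$ml_keydir" ] || ml_fail "$ml_keydir missing"
    ml_loose "$ml_keydir" && ml_fail "$ml_keydir is group/world writable"
  else
    ml_fail "sshd_config references neither $ml_keys nor $ml_keydir"
  fi

  [ -f "$ml_root$ml_sudo" ] || ml_fail "$ml_sudo missing"
  ml_loose "$ml_sudo" && ml_fail "$ml_sudo is group/world writable"
  ml_active /etc/pam.d/sshd 'pam_mkhomedir' || ml_fail "pam_mkhomedir not configured for sshd"

  # glibc loads libnss_<service>.so.2, so the nsswitch.conf service name is "rightscale".
  # Assumption: it is listed for the passwd and group databases (user and group info).
  for ml_db in passwd group; do
    ml_active /etc/nsswitch.conf "^$ml_db:.*[[:space:]]rightscale([[:space:]]|\$)" ||
      ml_fail "nsswitch.conf does not list rightscale for $ml_db"
  done
  [ -e "$ml_root/usr/local/lib/libnss_rightscale.so.2" ] || ml_fail "libnss_rightscale.so.2 missing"

  # The login policy decides who may log in; only root should be able to change it.
  [ -f "$ml_root$ml_policy" ] || ml_fail "$ml_policy missing"
  ml_loose "$ml_policy" && ml_fail "$ml_policy is group/world writable"
  return "$ml_fails"
}
```

Call audit_managed_login "" on a running server, or pass the mount point of an image; each FAIL line names the file to inspect.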

Login Names

RightScale users with the server_login role can log in to an instance using either the RightScale-generated default login name or their user-definable custom login name. Both login names map to the same Linux user ID (UID). Login names are defined under SSH settings, found in the RightScale UI: Settings\User Settings\SSH.

RightScale-generated default login name

The default login name is generated for each user using the following pattern: rightscale{RightScale_ID_Num}. For example, if your RightScale ID is 123456, your login name is rightscale123456.

User-definable custom login name

Optionally, you can set a custom login name using the edit button. The name must meet the following requirements:

  • must be globally unique to the RightScale platform
  • must be made up of only lowercase letters, numbers, dashes, and underscores, with the first character being a lowercase letter
  • must be a minimum length of 3 characters and a maximum length of 32 characters
  • must not be in the list of disallowed login names

If any of these requirements is not met, an error message describes the issue. You can remove the custom login name by removing all characters from the Custom Login Name field and hitting save.

Home Directories

User home directories are created at SSH login if they do not exist. The location of a user's home directory is /home/rightscale{RightScale_ID_Num}, matching the default login name. Regardless of what login name is used, this will always be the user's home directory.

'sudo' permission

RightScale users with both the server_login and server_superuser roles are given the ability to run sudo commands on the instance. In the default configuration, ALL commands are available via sudo to users with the server_superuser role.

Managing User Roles

Managing user roles is done in the RightScale UI. For more information on managing user roles, please see RightScale Account and User Role Management.

Known Limitations

Currently the Managed Login feature is not supported on CoreOS. This is due to an issue with PAM in the stable releases.