From 8ed71f6706376a767a4732356d0aeadaf0954851 Mon Sep 17 00:00:00 2001
From: Basil Bruhn
Date: Fri, 20 Sep 2024 11:49:56 +0200
Subject: [PATCH] added bastions

---
 _toc.yml | 1 +
 admin-guide/authentication/bastion_hosts.md | 15 +++++++++++++++
 admin-guide/authentication/system_access.md | 2 +-
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 admin-guide/authentication/bastion_hosts.md

diff --git a/_toc.yml b/_toc.yml
index e5d26aa8..4f5d27b7 100644
--- a/_toc.yml
+++ b/_toc.yml
@@ -31,6 +31,7 @@
 chapters:
 - file: admin-guide/authentication
 sections:
 - file: admin-guide/authentication/system_access
+ - file: admin-guide/authentication/bastion_hosts
 - file: admin-guide/deployment
 sections:
diff --git a/admin-guide/authentication/bastion_hosts.md b/admin-guide/authentication/bastion_hosts.md
new file mode 100644
index 00000000..285af056
--- /dev/null
+++ b/admin-guide/authentication/bastion_hosts.md
@@ -0,0 +1,15 @@
+# Bastions
+This parameter determines whether root logins are only possible from the hosts listed in bastions. Normally the value is taken from the network property of the same name, but this parameter allows overriding the network setting through Hiera.
+
+### Use bastions
+Boolean value
+```
+aaa::user_bastions: true
+```
+
+### Bastion host definitions
+A list of FQDNs. If use_bastions is true, then root logins are only allowed from the hosts on this list. Note: If the list is empty, login is unrestricted again!
+```
+ - 'wmgt01.psi.ch'
+ - 'wmgt02.psi.ch'
+```
diff --git a/admin-guide/authentication/system_access.md b/admin-guide/authentication/system_access.md
index 98fe3993..b2a9377d 100644
--- a/admin-guide/authentication/system_access.md
+++ b/admin-guide/authentication/system_access.md
@@ -14,6 +14,6 @@
 To give root access for AD user accounts or groups via sudo.
 ```
 aaa::admins:
 - 'muster_h'
- - 'unx-project_group'
+ - '%unx-project_group'
 ```