This article shows how to create read-only SSH and console users to access logs and backup configuration files. Use the procedure described below if you need a user to back up logs and the configuration file.
# USERNAME=log_user
# useradd -d /home/log/ -s /bin/bash -c "read-only console user" -K MAIL_DIR=/dev/null -M -G log $USERNAME
# passwd $USERNAME
If you want to grant access with an SSH key, the user "root" must add the public key of the login user to "/home/log/.ssh/authorized_keys". Do not change the permissions of this file!
Do not use the username "log", since this username is already used for internal purposes.
With the following command, the current configuration can be copied for backup purposes from any host that has access to the Airlock management interface:
# scp log_user@airlockhost:/home/log/configuration/airlock-conf_without-keys.zip .
If you have installed the authorized key from the backup system on Airlock WAF in the file /home/log_user/.ssh/authorized_keys, the trust between Airlock and the backup host is established and there is no need to enter a password to access the console or for copying files.
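The key-based copy described above can be wrapped in a small script on the backup host; the following is an added example, not part of the original article or of Airlock itself. The backup directory, the private key path and the "run" argument are assumptions, and the Airlock host key is assumed to be present in known_hosts already.

```shell
#!/bin/sh
# Added example: non-interactive pull of the Airlock configuration archive.
REMOTE_USER=log_user
REMOTE_HOST=airlockhost
REMOTE_FILE=/home/log/configuration/airlock-conf_without-keys.zip
BACKUP_DIR=${BACKUP_DIR:-/var/backups/airlock}   # assumed location
KEY=${KEY:-$HOME/.ssh/airlock_backup}            # assumed private key path

# Build a timestamped destination so earlier backups are not overwritten.
dest_path() {
    printf '%s/airlock-conf_%s.zip\n' "$1" "$2"
}

# A non-empty ZIP archive starts with the signature "PK\003\004".
# This catches an error message or a truncated transfer saved as ".zip".
is_zip() {
    [ -s "$1" ] && [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "504b0304" ]
}

fetch_config() {
    umask 077                      # backups readable by the backup user only
    mkdir -p "$BACKUP_DIR" || return 1
    tmp=$(mktemp "$BACKUP_DIR/.fetch.XXXXXX") || return 1
    # BatchMode=yes: fail instead of prompting for a password.
    # StrictHostKeyChecking=yes: refuse an unknown or changed host key.
    # IdentitiesOnly=yes: offer only the dedicated backup key.
    if scp -q -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
           -o IdentitiesOnly=yes \
           "$REMOTE_USER@$REMOTE_HOST:$REMOTE_FILE" "$tmp" && is_zip "$tmp"
    then
        mv "$tmp" "$(dest_path "$BACKUP_DIR" "$(date -u +%Y%m%dT%H%M%SZ)")"
    else
        rm -f "$tmp"
        echo "airlock configuration backup failed" >&2
        return 1
    fi
}

# Fetch only when invoked with the (assumed) argument "run".
if [ "${1:-}" = "run" ]; then
    fetch_config
fi
```

Scheduled from cron with the argument "run", a non-zero exit status signals a failed or invalid backup.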