How to create read-only users for console and SSH

Affects version(s): 5.x and newer

This article shows how to create read-only SSH and console users that can access logs and back up configuration files. Use the procedure described below if you need a user that backs up logs and the configuration file.

# USERNAME=log_user
# useradd -d /home/log/ -s /bin/bash -c "read-only console user" -K MAIL_DIR=/dev/null -M -G log $USERNAME
# passwd $USERNAME

If you want to grant access with an SSH key, the user "root" must add the public key of the login user to "/home/log/.ssh/authorized_keys" (the home directory set with -d above). Do not change the permissions of this file!

Do not use the username "log", since this username is already used for internal purposes.
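As an added check that is not part of this article, the following POSIX shell script audits whether an account matches the read-only user created by the commands above: the reserved name "log" is not used, the home directory is /home/log, the shell is /bin/bash, the account is a member of group "log", and it is not a member of a privileged group. It runs on constructed passwd and group lines (assumed to mirror what the useradd command produces) so it can be exercised offline; the function names and the privileged-group list (root, sudo, wheel) are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper, not part of the Airlock article: checks that an account
# looks like the read-only console user created with the useradd command above.
# It works on passwd/group lines passed as strings so it runs offline; on a
# real host feed it the output of `getent passwd "$USERNAME"` and `getent group`.

# Constructed sample data (assumption: what the useradd above would produce).
SAMPLE_PASSWD='log_user:x:1001:1001:read-only console user:/home/log/:/bin/bash'
SAMPLE_GROUPS='log:x:104:log_user
sudo:x:27:admin
wheel:x:10:'

# group_members GROUP_LINES GROUPNAME -> prints the supplementary members, one per line
group_members() {
    printf '%s\n' "$1" | grep "^$2:" | cut -d: -f4 | tr ',' '\n'
}

# readonly_user_ok USERNAME PASSWD_LINE GROUP_LINES
# Exit 0 when the account matches the article's read-only user:
#   - not named "log" (reserved for internal use)
#   - home directory /home/log (set with -d), shell /bin/bash (set with -s)
#   - member of group "log" (set with -G)
#   - not a member of a privileged group (root, sudo, wheel; assumed list)
readonly_user_ok() {
    user=$1 pw=$2 grp=$3
    [ "$user" != "log" ] || return 1
    [ "$(printf '%s' "$pw" | cut -d: -f1)" = "$user" ] || return 1
    home=$(printf '%s' "$pw" | cut -d: -f6)
    [ "${home%/}" = "/home/log" ] || return 1
    [ "$(printf '%s' "$pw" | cut -d: -f7)" = "/bin/bash" ] || return 1
    group_members "$grp" log | grep -qx "$user" || return 1
    for g in root sudo wheel; do
        if group_members "$grp" "$g" | grep -qx "$user"; then
            return 1
        fi
    done
    return 0
}

# audit_sample -> exit 0 if the constructed sample account passes the check
audit_sample() {
    readonly_user_ok log_user "$SAMPLE_PASSWD" "$SAMPLE_GROUPS"
}

# Usage on the constructed data; replace the sample strings with getent output on a real host.
audit_sample && echo "log_user: read-only account looks correct"
```

The check deliberately fails if the account turns up in a privileged group, which is the condition that would silently turn a "read-only" backup user into an administrator.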

Access to configuration

With the following command, the current configuration can be copied for backup purposes from any host that has access to the Airlock management interface:

# scp log_user@airlockhost:/home/log/configuration/airlock-conf_without-keys.zip .

If you have installed the authorized key of the backup system on Airlock WAF in the file /home/log/.ssh/authorized_keys (the home directory set with -d above), the trust between Airlock and the backup host is established and no password is needed to access the console or to copy files.
