From 53fd09234b4fa51f37b0b033108bfd0b287bf1a4 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Fri, 16 Feb 2024 16:53:15 -0800 Subject: [PATCH 1/5] Update host user creation docs --- .../server-access/guides/host-user-creation.mdx | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/docs/pages/server-access/guides/host-user-creation.mdx b/docs/pages/server-access/guides/host-user-creation.mdx index 40c4fb677d0ee..c5572edf37fb3 100644 --- a/docs/pages/server-access/guides/host-user-creation.mdx +++ b/docs/pages/server-access/guides/host-user-creation.mdx 
@@ -28,20 +28,17 @@ since it must execute these commands in order to create transient users: ## Step 1/3. Configure a role -First, create a role with `create_host_user_mode` set to `drop`, `insecure-drop`, or `keep`. +First, create a role with `create_host_user_mode` set to `insecure-drop`, or `keep`. + - `keep` will create permanent users on the host at login time. This is the + recommended host user creation mode. - `insecure-drop` will create transient users that are deleted once the session ends. - - `drop` is the same as `insecure-drop` except it also creates a home directory for the user. - It exists only for backwards compatibility; newly configured services should use - `insecure-drop` instead. - - `keep` will create permanent users on the host at login time. - -Note that with the `drop` and `insecure-drop` modes, it is possible for a created -user to get the same UID as a previously deleted user, which would give the new user -access to all of the old user's files if they are not deleted. - `drop` mode will be removed in Teleport 15. + With the `insecure-drop` mode, it is possible for a created user to get the + same UID as a previously deleted user, which would give the new user access + to all of the old user's files if they are not deleted. Prefer `keep` mode + unless you really need users to be removed. The following role specification will allow users to log in as `nginxrestarter` on From a71902fa7e8509b7b153dd6aff1c961dd531b1f8 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Fri, 16 Feb 2024 16:54:07 -0800 Subject: [PATCH 2/5] Remove comma --- docs/pages/server-access/guides/host-user-creation.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/server-access/guides/host-user-creation.mdx b/docs/pages/server-access/guides/host-user-creation.mdx index c5572edf37fb3..b950dfb828ef7 100644 --- a/docs/pages/server-access/guides/host-user-creation.mdx +++ b/docs/pages/server-access/guides/host-user-creation.mdx 
@@ -28,7 +28,7 @@ since it must execute these commands in order to create transient users: ## Step 1/3. Configure a role -First, create a role with `create_host_user_mode` set to `insecure-drop`, or `keep`. +First, create a role with `create_host_user_mode` set to `insecure-drop` or `keep`. - `keep` will create permanent users on the host at login time. This is the recommended host user creation mode. From ce52ee7d0d863636d35cdd4c555d447b3d6b5c8b Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Fri, 16 Feb 2024 16:54:51 -0800 Subject: [PATCH 3/5] Reorder modes --- docs/pages/server-access/guides/host-user-creation.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/server-access/guides/host-user-creation.mdx b/docs/pages/server-access/guides/host-user-creation.mdx index b950dfb828ef7..81813009058d7 100644 --- a/docs/pages/server-access/guides/host-user-creation.mdx +++ b/docs/pages/server-access/guides/host-user-creation.mdx @@ -28,7 +28,7 @@ since it must execute these commands in order to create transient users: ## Step 1/3. Configure a role -First, create a role with `create_host_user_mode` set to `insecure-drop` or `keep`. +First, create a role with `create_host_user_mode` set to `keep` or `insecure-drop`. - `keep` will create permanent users on the host at login time. This is the recommended host user creation mode. From c78c389e3dcf783fecc2c05c2450ad2782c4c21f Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Tue, 20 Feb 2024 17:08:49 -0800 Subject: [PATCH 4/5] Remove more references to drop --- docs/pages/server-access/guides/host-user-creation.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/pages/server-access/guides/host-user-creation.mdx b/docs/pages/server-access/guides/host-user-creation.mdx index 81813009058d7..63fe2a6a6db8e 100644 --- a/docs/pages/server-access/guides/host-user-creation.mdx +++ b/docs/pages/server-access/guides/host-user-creation.mdx 
@@ -56,7 +56,7 @@ metadata: spec: options: # Allow automatic creation of users. - create_host_user_mode: drop + create_host_user_mode: keep allow: logins: [ "nginxrestarter" ] # List of host groups the created user will be added to. Any that don't already exist are created. @@ -86,11 +86,11 @@ of the Linux distribution being used. See [User/Group Name Syntax](https://syste When a Teleport user accesses an SSH Service instance, Teleport checks each of the user's roles that match the instance. If at least one role matches the instance -but does not specify `create_host_user_mode` to be either `keep`, `drop`, or `insecure-drop`, +but does not specify `create_host_user_mode` to be either `keep` or `insecure-drop`, automatic user creation will be disabled. Roles that do not match the server will not be checked. -If multiple roles match where one might specify `keep` and another `drop`, +If multiple roles match where one might specify `keep` and another `insecure-drop`, Teleport will default to `keep`, retaining the user on the server after the session ends. @@ -114,7 +114,7 @@ metadata: name: auto-users spec: options: - create_host_user_mode: drop + create_host_user_mode: keep deny: host_sudoers: [ "*" # ensure that users in this role never have sudoers files created on matching Nodes From 7ff511b73907afd87c38fb170c7df9e72a034350 Mon Sep 17 00:00:00 2001 From: Andrew Burke Date: Thu, 22 Feb 2024 16:33:02 -0800 Subject: [PATCH 5/5] Deprioritize insecure-drop --- .../guides/host-user-creation.mdx | 31 +++++++------------ 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/docs/pages/server-access/guides/host-user-creation.mdx b/docs/pages/server-access/guides/host-user-creation.mdx index 63fe2a6a6db8e..bf687725eba12 100644 --- a/docs/pages/server-access/guides/host-user-creation.mdx +++ b/docs/pages/server-access/guides/host-user-creation.mdx 
@@ -28,24 +28,20 @@ since it must execute these commands in order to create transient users: ## Step 1/3. Configure a role -First, create a role with `create_host_user_mode` set to `keep` or `insecure-drop`. - - - `keep` will create permanent users on the host at login time. This is the - recommended host user creation mode. - - `insecure-drop` will create transient users that are deleted once the session ends. - - - With the `insecure-drop` mode, it is possible for a created user to get the - same UID as a previously deleted user, which would give the new user access - to all of the old user's files if they are not deleted. Prefer `keep` mode - unless you really need users to be removed. - - +First, create a role with `create_host_user_mode` set to `keep`. The following role specification will allow users to log in as `nginxrestarter` on any matching Node. The host user will be created and added to the groups listed in `host_groups`. They will also be given permission to restart the Nginx service as root. + + `create_host_user_mode` can also be set to `insecure_drop`, which deletes users + once the session ends. However, in this mode it is possible for a created user + to get the same UID as a previously deleted user, which would give the new user access + to all of the old user's files if they are not deleted. Use `keep` mode + unless you really need users to be removed. + + Save the file below as `auto-users.yaml` ```yaml 
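Review bot: the new admonition text spells the mode `insecure_drop` with an underscore, while every other mention in this file and in the earlier patches of the series uses a hyphen (`- `insecure-drop` will create transient users that are deleted once the session ends.`, and in patch 4 `one might specify `keep` and another `insecure-drop``); change it to `insecure-drop` so the paragraph matches the documented option value. The hunk's context line also still reads `since it must execute these commands in order to create transient users:` even though the intro now tells readers to set `keep`, which creates permanent users, so that lead-in sentence likely needs rewording to cover both modes.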
@@ -86,13 +82,8 @@ of the Linux distribution being used. See [User/Group Name Syntax](https://syste When a Teleport user accesses an SSH Service instance, Teleport checks each of the user's roles that match the instance. If at least one role matches the instance -but does not specify `create_host_user_mode` to be either `keep` or `insecure-drop`, -automatic user creation will be disabled. Roles that do not match the server will -not be checked. - -If multiple roles match where one might specify `keep` and another `insecure-drop`, -Teleport will default to `keep`, retaining the user on the server after the session -ends. +but does not set `create_host_user_mode`, automatic user creation will be disabled. +Roles that do not match the server will not be checked.
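Review bot: this hunk removes the only statement of how conflicting modes across matching roles are resolved (`Teleport will default to `keep`, retaining the user on the server after the session ends.`), but the first hunk of this same patch still documents `insecure-drop` as a supported value, so the conflict case remains reachable and should stay documented; suggest keeping one sentence, e.g. `If multiple roles match where one specifies `keep` and another `insecure-drop`, Teleport will default to `keep`.` The rewrite from `does not specify `create_host_user_mode` to be either `keep` or `insecure-drop`` to `but does not set `create_host_user_mode`` also changes the stated condition; please confirm that an unrecognized value behaves the same as an unset one before wording it that way.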
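Review bot: patches 2/5 (`Remove comma`) and 3/5 (`Reorder modes`) each rewrite the single line `First, create a role with `create_host_user_mode` set to ...` that patch 1/5 introduced, and patch 5/5 then deletes that whole bullet list again; squashing at least patches 1 through 3 (or the full series) before merge would avoid carrying three versions of the same sentence in history. While squashing, the stray empty `+` lines at the end of the patch 1 hunk should be dropped as well, since they only add blank lines that patch 5 later removes.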