Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010 Implementation Manual page 92
"How SSH Access for eDirectory Users Works" on page 92
"SSH Security Considerations" on page 93
When Is SSH Access Required?

SSH access is required for the following:

SSH administration access for eDirectory users: For eDirectory users to manage the server through an SSH connection, they must have SSH access as LUM-enabled users (eDirectory users configured for access to Linux services).

NOTE: The standard Linux root user is a local user, not an eDirectory user. The root user always has SSH access as long as the firewall allows it.

Access to NSS Volume Management in NetStorage: When an OES 2 server has NSS volumes, eDirectory contains an object named nssvolumes that provides management access to the volumes through the File Access (NetStorage) iManager plug-in. Using the plug-in to manage NSS volumes, assign trustee rights, salvage and purge files, etc. requires SSH access to the server.

Although eDirectory administrators can create Storage Location Objects to the NSS volumes without SSH access, provided that they know the path to the volume on the POSIX file system and other volume information, having SSH access makes administering NSS volumes in NetStorage much easier.

Access to any NetStorage Storage Location Objects based on SSH: The NetStorage server provides Web access to directories and files on other servers (or on itself). Typically, either an NCP or a CIFS connection is used for connecting the NetStorage server with storage targets. However, an SSH connection can also be used, and if it is, the users accessing data through the connection must have SSH access to the data on the target servers.

How SSH Access for eDirectory Users Works

For eDirectory users, the following work together to control SSH access:

Firewall: As mentioned, the default firewall configuration on an OES 2 server doesn't allow SSH connections with the server. This restricts the root user as well. Therefore, the first requirement for SSH access is configuring the firewall to allow SSH services.

Linux User Management (LUM) must allow SSH as a service: In OES 2, access to SSH and other Linux services is controlled through Linux User Management (LUM), and each service must be explicitly included in the LUM configuration on each server.

LUM-enabling: After SSH is included as a LUM-enabled service on a server, at least one group and its users must be enabled for LUM. Only LUM-enabled eDirectory users can have SSH access.

All eDirectory Groups must allow access: SSH access is inherited from the LUM-enabled groups that a user belongs to, and access is only granted when all of the groups to which a user belongs allow it.

The Samba connection: Users who are enabled for Samba (CIFS) file services are added by default to an OES-created Samba group that:
  Is LUM-enabled.
  Doesn't specify SSH as an allowed service.

92
OES 2 SP3: Planning and Implementation Guide
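As an added illustration that is not part of this guide or of Novell's own code, the following Python model encodes the conditions listed above (firewall open, SSH included as a LUM-enabled service, a LUM-enabled user, and every LUM-enabled group the user belongs to allowing SSH) and shows how the default Samba group denies an otherwise entitled user; the server, group and user names are constructed.

```python
"""Added model (not Novell/OES code) of the SSH access rules for eDirectory users.

Encodes the page's conditions: firewall open, "ssh" enabled as a LUM service on
the server, the user LUM-enabled, and every LUM-enabled group the user belongs to
allowing SSH. Group and user names below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    firewall_allows_ssh: bool
    lum_services: set = field(default_factory=set)  # services enabled for LUM here
    # LUM-enabled groups only: group name -> Linux services the group allows.
    # Groups absent from this map are assumed not LUM-enabled and grant no service.
    lum_groups: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    is_edirectory: bool
    lum_enabled: bool = False
    groups: list = field(default_factory=list)


def ssh_access(server: Server, user: User) -> tuple[bool, str]:
    """Return (allowed, reason) for an SSH login of user to server."""
    if not server.firewall_allows_ssh:
        return False, "firewall blocks SSH (this restricts root as well)"
    if not user.is_edirectory:
        # Local root is a Linux user, not an eDirectory user: LUM is not consulted.
        return True, "local user; firewall allows SSH"
    if "ssh" not in server.lum_services:
        return False, "SSH is not a LUM-enabled service on this server"
    if not user.lum_enabled:
        return False, "user is not LUM-enabled"
    member_of = [g for g in user.groups if g in server.lum_groups]
    if not member_of:
        return False, "user belongs to no LUM-enabled group"
    # Access is inherited from LUM-enabled groups and ALL of them must allow it, so the
    # default Samba group (LUM-enabled, no SSH) blocks an otherwise entitled user.
    denying = [g for g in member_of if "ssh" not in server.lum_groups[g]]
    if denying:
        return False, "group(s) do not allow SSH: " + ", ".join(denying)
    return True, "all LUM-enabled groups allow SSH"


# Constructed sample: SSH LUM-enabled, an admin group allowing it, a Samba group that does not.
OES_SERVER = Server(True, {"ssh", "ftp"}, {"admins": {"ssh"}, "oes-samba": set()})
ROOT = User("root", is_edirectory=False)
ADMIN = User("admin", True, True, ["admins"])
ADMIN_WITH_SAMBA = User("jdoe", True, True, ["admins", "oes-samba"])
```

Checking a user's full group list against the services each LUM-enabled group allows is the practical way to explain why a Samba-enabled administrator is refused SSH on a server that otherwise appears correctly configured.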