
docs: rm old doc

master
QuentinN42 6 months ago
parent
commit
2db67aa371
Signed by: number42 GPG Key ID: 2CD7D563712B3A50
README.md: 54 lines changed

@ -47,57 +47,3 @@ Then you can try to ssh :
lxc-attach -n serv1 ip a
ssh root@<ip>
## Setup keycloak
### Add all clients & users
First connect to the keycloak server with admin/admin and add a new realm :
servers
Then create the following users and set their passwords by clicking on Credentials on the user tab :
- `user1`: pass=`user1`
- `user2`: pass=`user2`
- `user3`: pass=`user3`
And create the following clients :
- `serv1`: root_url=`https://serv1/`
- `serv2`: root_url=`https://serv2/`
### Roots role
To allow an user to access both serv1 and serv2, we need to give him the `Roots` role.
We need to first create the role in the `Role` page.
On this page create a new role named `SSH everywhere`.
Then return to the user page, select `user3`, go to `Role Mappings` and add the `SSH everywhere` role to the user.
### Enforce security
Now we need to configure the clients to allow certains users to connect :
First create on the `Role` page a new role (you can name it as you want) and add `user1` to this role.
On the keycloak server, go to the clients page.
Select the client `serv1` then set `Access Type` to `confidential` and `Authorization Enable` to `Yes`.
Then validate the configuration by clicking on `Save`.
Some new tabs will pop up, notably `Authorization` that we will configure now.
Go to the pages `Policies` and `Policy` and delete all the curent values.
Go to the `Resources` page and create new permission for the default ressource.
Name it `User can ssh` and in the `Apply Policy` create two new polices :
- `User as local role`: check if role == the role you created at the start of this section.
- `User as global role`: check if role == `SSH everywhere`.
Then validate the configuration by clicking on `Save`.
You can now go to the `Evaluate` page to check if the users can connect :
- user1 : should be able to connect (local)
- user2 : should not be able to connect
- user3 : should be able to connect (global)
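Review bot: the commit message "rm old doc" gives no pointer to where the removed Keycloak setup material now lives, and this hunk deletes it outright (57 lines reduced to the 3 `lxc-attach`/`ssh` context lines), so the `## Setup keycloak` section, the `SSH everywhere` role, the `User can ssh` permission with its `User as local role` and `User as global role` policies, and the `Evaluate` expectations for `user1`, `user2` and `user3` are no longer documented anywhere in this README. If the material moved, add a link to its new location in the remaining text; if it is obsolete, say so in the commit message, since the `Access Type` = `confidential` and `Authorization Enable` = `Yes` client settings were the only recorded description of how access to `serv1` and `serv2` is restricted.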
