How to (Extra) Ban Someone: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
(Prevent a CSC user from seeing the light of data at CSC again ;))
 
(Be less destructive)
 
(6 intermediate revisions by one other user not shown)
Line 1: Line 1:
This is a (hopefully comprehensive) '''guide on ensuring their existing account (based on their WatIAM) is put out of action for good, and immediately'''. This guide is mainly intended for ''Syscom'' as it requires root or admin access to many CSC services.
Ahem, so in recent times, we had to *disable/ban* a CSC user's account for their repeated attempts to circumvent their ban in MathSoc/CSC (FR, totally no pun intended)...


=== Step 1: Remove Membership ===
Through CEO's TUI (<code>ceo</code>) :


* Reset their password
This is a (hopefully comprehensive) guide on ensuring their existing account (based on their WATIAM) is put out of action for good, and immediately. This guide is mainly for *Syscom* as it requires root or admin access to many CSC services.


=== Step 2: Screw Up Their Account ===


* Change their Login Shell (through LDAP - [[Ceo#raymo's guide on how to fix things after screwing up|guide here]]) to something like <code>/sbin/nologin</code> or <code>/bin/false</code>
## Step 1: Remove Membership
Through CEO's TUI (`ceo`) or LDAP ([guide from Raymond](https://wiki.csclub.uwaterloo.ca/Ceo#raymo's_guide_on_how_to_fix_things_after_screwing_up)):
- Remove all their `memberTerm`s
- Reset their password (**and don't tell them!**)


'''NOTE''': CEO will not allow this change, so LDAP is the best (and likely only way)
## Step 2: Screw Up Their Account
- Change their Login Shell (through LDAP) to something like `/sbin/nologin` or `/bin/false`
**NOTE**: CEO will not allow this change, so LDAP is best (and likely only way)


## Step 3: Deauth Them Everywhere
=== Step 3: Deauth Them Everywhere ===

- Suspend Kerberos: https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account
* Suspend Kerberos: https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account
- Remove their SSH keys:
* Remove their SSH keys:
- Go to a Syscom-only machine that could edit the `/users` directory (**be extremely careful**)
** Run <code>sudo -u <user_to_ban> mv ~<user_to_ban>/.ssh/{authorized_keys,banned_keys}</code> from a CSC machine.
- Navigate to the banned users directory, and remove their ssh keys (`.ssh/authorized_keys`)

- Remove their CSC Cloud VMs: https://wiki.csclub.uwaterloo.ca/CloudStack#Administration
=== Step 4: Remove all Their Resources ===
- (optional) Kill all processes they are running in General Use

* '''<u>Remove their CSC Cloud VMs</u>''': https://wiki.csclub.uwaterloo.ca/CloudStack#Administration
* (optional) Kill all processes they are running in General Use
* (optional) Delete their home directory - '''ONLY if necessary'''

Latest revision as of 14:23, 10 October 2023

This is a (hopefully comprehensive) guide on ensuring their existing account (based on their WatIAM) is put out of action for good, and immediately. This guide is mainly intended for Syscom as it requires root or admin access to many CSC services.

Step 1: Remove Membership

Through CEO's TUI (ceo) :

  • Reset their password

Step 2: Screw Up Their Account

  • Change their Login Shell (through LDAP - guide here) to something like /sbin/nologin or /bin/false

NOTE: CEO will not allow this change, so LDAP is the best (and likely only way)

Step 3: Deauth Them Everywhere

Step 4: Remove all Their Resources

Retrieved from "https://wiki.csclub.uwaterloo.ca/index.php?title=How_to_(Extra)_Ban_Someone&oldid=5108"