How to (Extra) Ban Someone: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
(Be less destructive) |
||
| Line 1: | Line 1: | ||
This is a (hopefully comprehensive) '''guide on ensuring their existing account (based on their |
This is a (hopefully comprehensive) '''guide on ensuring their existing account (based on their WatIAM) is put out of action for good, and immediately'''. This guide is mainly intended for ''Syscom'' as it requires root or admin access to many CSC services. |
||
=== Step 1: Remove Membership === |
=== Step 1: Remove Membership === |
||
Through CEO's TUI (<code>ceo</code>) : |
|||
Through CEO's TUI (`ceo`) and LDAP ([[Ceo#raymo's guide on how to fix things after screwing up|guide from Raymond]]): |
|||
* Reset their password |
|||
* '''<u>Remove All Membership Terms</u>''': look for `memberTerm` in `ldapvi` |
|||
* '''<u>Reset their password</u>''' (**and don't tell them!**) |
|||
=== Step 2: Screw Up Their Account === |
=== Step 2: Screw Up Their Account === |
||
* |
* Change their Login Shell (through LDAP - [[Ceo#raymo's guide on how to fix things after screwing up|guide here]]) to something like <code>/sbin/nologin</code> or <code>/bin/false</code> |
||
'''NOTE''': CEO will not allow this change, so LDAP is best (and likely only way) |
'''NOTE''': CEO will not allow this change, so LDAP is the best (and likely only way) |
||
=== Step 3: Deauth Them Everywhere === |
=== Step 3: Deauth Them Everywhere === |
||
* |
* Suspend Kerberos: https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account |
||
* |
* Remove their SSH keys: |
||
** Run <code>sudo -u <user_to_ban> mv ~<user_to_ban>/.ssh/{authorized_keys,banned_keys}</code> from a CSC machine. |
|||
** Go to a Syscom-only machine that could edit the `/users` directory ('''be extremely careful''') |
|||
** Navigate to the banned users directory, and remove their ssh keys (`.ssh/authorized_keys`) |
|||
=== Step 4: Remove all Their Resources === |
=== Step 4: Remove all Their Resources === |
||
| Line 24: | Line 22: | ||
* '''<u>Remove their CSC Cloud VMs</u>''': https://wiki.csclub.uwaterloo.ca/CloudStack#Administration |
* '''<u>Remove their CSC Cloud VMs</u>''': https://wiki.csclub.uwaterloo.ca/CloudStack#Administration |
||
* (optional) Kill all processes they are running in General Use |
* (optional) Kill all processes they are running in General Use |
||
* (optional) Delete their home directory |
* (optional) Delete their home directory - '''ONLY if necessary''' |
||
Latest revision as of 14:23, 10 October 2023
This is a (hopefully comprehensive) guide on ensuring their existing account (based on their WatIAM) is put out of action for good, and immediately. This guide is mainly intended for Syscom as it requires root or admin access to many CSC services.
Step 1: Remove Membership
Through CEO's TUI (ceo) :
- Reset their password
Step 2: Screw Up Their Account
- Change their Login Shell (through LDAP - guide here) to something like
/sbin/nologinor/bin/false
NOTE: CEO will not allow this change, so LDAP is the best (and likely only way)
Step 3: Deauth Them Everywhere
- Suspend Kerberos: https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account
- Remove their SSH keys:
- Run
sudo -u <user_to_ban> mv ~<user_to_ban>/.ssh/{authorized_keys,banned_keys}from a CSC machine.
- Run
Step 4: Remove all Their Resources
- Remove their CSC Cloud VMs: https://wiki.csclub.uwaterloo.ca/CloudStack#Administration
- (optional) Kill all processes they are running in General Use
- (optional) Delete their home directory - ONLY if necessary