How to (Extra) Ban Someone: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
(Prevent a CSC user from seeing the light of data at CSC again ;))
 
No edit summary
Line 1: Line 1:
Ahem, so in recent times, we had to *disable/ban* a CSC user's account for their repeated attempts to circumvent their ban in MathSoc/CSC (FR, totally no pun intended)...
Ahem, so in recent times, we had to *disable/ban* a CSC user's account for their repeated attempts to circumvent their ban in MathSoc/CSC (FR, totally no pun intended)...



This is a (hopefully comprehensive) guide on ensuring their existing account (based on their WATIAM) is put out of action for good, and immediately. This guide is mainly for *Syscom* as it requires root or admin access to many CSC services.
This is a (hopefully comprehensive) guide on ensuring their existing account (based on their WATIAM) is put out of action for good, and immediately. This guide is mainly for *Syscom* as it requires root or admin access to many CSC services.


=== Step 1: Remove Membership ===

## Step 1: Remove Membership
Through CEO's TUI (`ceo`) or LDAP ([guide from Raymond](https://wiki.csclub.uwaterloo.ca/Ceo#raymo's_guide_on_how_to_fix_things_after_screwing_up)):
Through CEO's TUI (`ceo`) or LDAP ([guide from Raymond](https://wiki.csclub.uwaterloo.ca/Ceo#raymo's_guide_on_how_to_fix_things_after_screwing_up)):
- Remove all their `memberTerm`s
- Reset their password (**and don't tell them!**)


* Remove all their `memberTerm`
## Step 2: Screw Up Their Account
* Reset their password (**and don't tell them!**)
- Change their Login Shell (through LDAP) to something like `/sbin/nologin` or `/bin/false`

**NOTE**: CEO will not allow this change, so LDAP is best (and likely only way)
=== Step 2: Screw Up Their Account ===

* Change their Login Shell (through LDAP) to something like `/sbin/nologin` or `/bin/false`

'''NOTE''': CEO will not allow this change, so LDAP is best (and likely only way)

=== Step 3: Deauth Them Everywhere ===

* '''<u>Suspend Kerberos</u>''': https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account - Remove their SSH keys:
** Go to a Syscom-only machine that could edit the `/users` directory ('''be extremely careful''')
** Navigate to the banned users directory, and remove their ssh keys (`.ssh/authorized_keys`)


* '''<u>Remove their CSC Cloud VMs</u>''': https://wiki.csclub.uwaterloo.ca/CloudStack#Administration - (optional) Kill all processes they are running in General Use
## Step 3: Deauth Them Everywhere
- Suspend Kerberos: https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account
- Remove their SSH keys:
- Go to a Syscom-only machine that could edit the `/users` directory (**be extremely careful**)
- Navigate to the banned users directory, and remove their ssh keys (`.ssh/authorized_keys`)
- Remove their CSC Cloud VMs: https://wiki.csclub.uwaterloo.ca/CloudStack#Administration
- (optional) Kill all processes they are running in General Use

Revision as of 11:04, 18 September 2023

Ahem, so in recent times, we had to *disable/ban* a CSC user's account for their repeated attempts to circumvent their ban in MathSoc/CSC (FR, totally no pun intended)...

This is a (hopefully comprehensive) guide on ensuring their existing account (based on their WATIAM) is put out of action for good, and immediately. This guide is mainly for *Syscom* as it requires root or admin access to many CSC services.

Step 1: Remove Membership

Through CEO's TUI (`ceo`) or LDAP ([guide from Raymond](https://wiki.csclub.uwaterloo.ca/Ceo#raymo's_guide_on_how_to_fix_things_after_screwing_up)):

  • Remove all their `memberTerm`
  • Reset their password (**and don't tell them!**)

Step 2: Screw Up Their Account

  • Change their Login Shell (through LDAP) to something like `/sbin/nologin` or `/bin/false`

NOTE: CEO will not allow this change, so LDAP is best (and likely only way)

Step 3: Deauth Them Everywhere

Retrieved from "https://wiki.csclub.uwaterloo.ca/index.php?title=How_to_(Extra)_Ban_Someone&oldid=5065"