Getting started

So you now have a brand new installation of PaSSHport, but you don't know what to do next…

Example prerequisites

For this tutorial, we will use the following setup:

_images/PaSSHport-getting_started_1_EN.png
  • 1 PaSSHport node

We'll use a monolithic installation of PaSSHport: passhportd, passhport and passhport-admin are on the same host.

4 users

  • John, a Linux/Unix administrator, who needs to access all Linux/Unix servers
  • Vincent, a network administrator, who needs to access all network appliances
  • Alice, a general appliance administrator, who needs to access all other appliances
  • Yann, a consultant who is here for a temporary mission on the storage infrastructure, who needs to access the NAS server and the SAN bay

1 PaSSHport admin

  • Marc, the ISSM, who configures PaSSHport to control all the access rights

3 types of targets

  • Linux/Unix servers:
      • 1 web server, Linux, www-server / 10.0.1.24
      • 1 VPN server, OpenBSD, vpn-srv1 / 10.0.23.51
      • 1 NAS server, FreeBSD, nas-srv1 / 10.0.12.87
  • Network appliances:
      • 1 WiFi access point, net-AP9-23 / 172.22.9.23
      • 1 router, net-RO10-98 / 172.16.10.98
      • 1 network switch, net-SW22-57 / 172.20.22.57
  • Other appliances:
      • 1 IPBX, ipbx1 / 10.192.98.76
      • 1 network printer, prntr44 / 192.168.254.44
      • 1 SAN bay, san1 / 10.192.1.10

Configure targets

First of all, we'll add the targets to PaSSHport.

Let's connect to your PaSSHport node and add the Linux target. We can do this as the passhport user:

[email protected]:~$ passhport-admin target create www-server 10.0.1.24
OK: "www-server" -> created
[email protected]:~$

We can check that the target has been recorded correctly:

[email protected]:~$ passhport-admin target list
www-server
[email protected]:~$

Now let's add the other Linux/Unix servers:

[email protected]:~$ passhport-admin target create vpn-srv1 10.0.23.51
OK: "vpn-srv1" -> created
[email protected]:~$ passhport-admin target create nas-srv1 10.0.12.87
OK: "nas-srv1" -> created
[email protected]:~$

Do the same for the network appliances and the remaining ones:

[email protected]:~$ passhport-admin target create net-AP9-23 172.22.9.23
OK: "net-AP9-23" -> created
[email protected]:~$ passhport-admin target create net-RO10-98 172.16.10.98
OK: "net-RO10-98" -> created
[email protected]:~$ passhport-admin target create net-SW22-57 172.20.22.57
OK: "net-SW22-57" -> created
[email protected]:~$ passhport-admin target create ipbx1 10.192.98.76
OK: "ipbx1" -> created
[email protected]:~$ passhport-admin target create prntr44 192.168.254.44
OK: "prntr44" -> created
[email protected]:~$ passhport-admin target create san1 10.192.1.10
OK: "san1" -> created
[email protected]:~$

We now have all our targets configured in PaSSHport.

Special target, with a specific login

We want to be able to connect to the SAN bay as another user, because Yann should not have access to the SAN bay as root, but as the "admin" user:

[email protected]:~# passhport-admin target create
Name: [email protected]
Hostname: 10.192.1.10
Login (default is root): admin
Port: 22
SSH Options:
Comment: SAN bay, login as admin user, not root.
OK: "[email protected]" -> created
[email protected]:~#

The SAN will now be accessible through two targets: "san1" and "admin@san1".

Configure target groups

We'll group the targets we just created into three groups: unices, network and others.

We create the groups:

[email protected]:~$ passhport-admin targetgroup create unices
OK: "unices" -> created
[email protected]:~$ passhport-admin targetgroup create network
OK: "network" -> created
[email protected]:~$ passhport-admin targetgroup create others
OK: "others" -> created
[email protected]:~$

Now we put the targets into the corresponding target groups:

[email protected]:~$ passhport-admin targetgroup addtarget www-server unices
OK: "www-server" added to "unices"
[email protected]:~$

I'm a bit lazy, so I'll script the remaining ones:

[email protected]:~$ for UNICE in vpn-srv1 nas-srv1; do passhport-admin targetgroup addtarget ${UNICE} unices; done
OK: "vpn-srv1" added to "unices"
OK: "nas-srv1" added to "unices"
[email protected]:~$ for NETAPPLIANCE in net-AP9-23 net-RO10-98 net-SW22-57; do passhport-admin targetgroup addtarget ${NETAPPLIANCE} network; done
OK: "net-AP9-23" added to "network"
OK: "net-RO10-98" added to "network"
OK: "net-SW22-57" added to "network"
[email protected]:~$ for OTHERAPPLIANCE in ipbx1 prntr44 san1; do passhport-admin targetgroup addtarget ${OTHERAPPLIANCE} others; done
OK: "ipbx1" added to "others"
OK: "prntr44" added to "others"
OK: "san1" added to "others"
[email protected]:~$

We'll create one last group that contains all the targets (again, I'm going to script this):

[email protected]:~$ passhport-admin targetgroup create all-targets
OK: "all-targets" -> created
[email protected]:~$ for TARGET in `passhport-admin target list`; do passhport-admin targetgroup addtarget ${TARGET} all-targets; done
OK: "ipbx1" added to "all-targets"
OK: "nas-srv1" added to "all-targets"
OK: "net-AP9-23" added to "all-targets"
OK: "net-RO10-98" added to "all-targets"
OK: "net-SW22-57" added to "all-targets"
OK: "prntr44" added to "all-targets"
OK: "san1" added to "all-targets"
OK: "vpn-srv1" added to "all-targets"
OK: "www-server" added to "all-targets"
[email protected]:~$
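The loops above, turned into a re-runnable provisioning script; this is an added example, not part of PaSSHport's documentation or code. It assumes the target groups (unices, network, others, all-targets) already exist, that a PASSHPORT_ADMIN variable names the passhport-admin binary, and it uses a constructed inventory of the hosts listed at the top of this page.

```shell
#!/bin/bash
# Added example (not PaSSHport's own code): create targets from an
# inventory, file each one into its targetgroup and into all-targets, and
# skip targets that "passhport-admin target list" already knows, so the
# script can be re-run without producing duplicate-creation errors.
# Assumption: PASSHPORT_ADMIN names the passhport-admin binary.
PASSHPORT_ADMIN="${PASSHPORT_ADMIN:-passhport-admin}"

# Constructed inventory: "name host group" per line (hosts from this page).
INVENTORY="www-server 10.0.1.24 unices
vpn-srv1 10.0.23.51 unices
nas-srv1 10.0.12.87 unices
net-AP9-23 172.22.9.23 network
san1 10.192.1.10 others"

# Does target $1 already exist? Exact whole-line match on "target list".
target_exists() {
  "$PASSHPORT_ADMIN" target list | grep -qx -- "$1"
}

# Provision every inventory line; print one status line per target.
provision_targets() {
  printf '%s\n' "$INVENTORY" | while read -r name host group; do
    [ -n "$name" ] || continue
    if target_exists "$name"; then
      printf 'skip %s\n' "$name"
      continue
    fi
    "$PASSHPORT_ADMIN" target create "$name" "$host" >/dev/null
    "$PASSHPORT_ADMIN" targetgroup addtarget "$name" "$group" >/dev/null
    "$PASSHPORT_ADMIN" targetgroup addtarget "$name" all-targets >/dev/null
    printf 'created %s -> %s, all-targets\n' "$name" "$group"
  done
}

# Real run: provision_targets   (as the passhport user on the node)
```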

We're now done with the targets and target groups, at least for the moment…

Configure the users

We take it for granted that all our users have created an SSH key pair (RSA, DSA or ECDSA) and gave us the public part. We have the following keys:

Alice, a 2048-bit RSA key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8JMsMgyRUEMoq31rPTIWpWKgGFQ7fxt5Kray8yzCPga2pohMLstjJeHpWjkVhH8FhRUwCFXOM8zBEykz1IVFjowzFqR9kPvV0fELuIeK/V/42j3izeRH5liXFwotxzfpqTijTxAfj/60IadcUSf5dE8WAiREarrV82ieU5eNZ4FoCH4W0xPS8pEYJDv6hQ8TFHYQCrwHloA3HgzEJgQSFWaS3niMDfNbgbJEOVhXuT2l7pWgSnp1l5jewAq5CB71mMiUyF+zG8FRAYqUKd4VNRN+3/tp+9FEAqGCH3kTuFhFnWCgguQxDxH4XiIj7n2w79ARPzMbn2vTtd+6N0or7 [email protected]

John, a 521-bit ECDSA key:

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHTlnhl23T9NiHn06wWaDpT1aJqEY0aOW7E4dfu7kQJsmRqg2SWMld6H8Q+bggwCLSkRKubOWyoJkprAfwOP8OArAGPCIr9PeQfC581EVqaev/yJYbKwwPQEaHpiQoHMaBfsgA2BYS5cNVcrOpLk8nHgKSJGEcdYipbZZxqDrLaeX3lBA== [email protected]

Marc, a 4096-bit RSA key:

ssh-rsa <Marc's 4096-bit RSA key data, elided> [email protected]

Vincent, a 521-bit ECDSA key:

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHJk+qDLEi283+rUmSek3eEF4PqXYMmQlPTj352w0XO75EGJzfavEDFe0h+Bu39XN/xVc+ypwOb2vv6pcjVsvuHTwHgXR2ElyfE8gGV7mITyXMdDyoWP5N8Ly3s7njNChSL9z3NiG38lg3E4Vg10nbmmoZZCA3WCffV4ugp3lYPnFmtfA== [email protected]

And Yann, a 2048-bit RSA key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs9YpOfP9vgViYa1SSntrydEBLGyWGAr9nvEjqHcMwHQb9JEmhIjvk1ctb8+Kns3/52F0hBrxic6k6UPvvvjbtJX33muFv5dd0k1W4lLcYe4ONTFwLOqCph4Is5r9lbZ5KXxhN/8YC/08jBJow0CoYdc+Yr7MlA51+tEQFwPbuB5vHMUteye0IgmaH9MLzXes/j5BUhnBjDscWVQSvNHY4/PKtHvIdvoI1uKAplstuHI6CDqnb0aJ5P9wME3P1lhRwcVDTm48/AMcfmpp5s+DwOmyDGfGXf+hE0cu7ulAkwHBhR6ciJJg1pz4DqraglxyVyrt+PFq6KDeV/7WwoNEP [email protected]

With those keys, we can add the users as follows…

  • Interactively:

[email protected]:~$ passhport-admin user create
Email (user name): [email protected]
SSH Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8JMsMgyRUEMoq31rPTIWpWKgGFQ7fxt5Kray8yzCPga2pohMLstjJeHpWjkVhH8FhRUwCFXOM8zBEykz1IVFjowzFqR9kPvV0fELuIeK/V/42j3izeRH5liXFwotxzfpqTijTxAfj/60IadcUSf5dE8WAiREarrV82ieU5eNZ4FoCH4W0xPS8pEYJDv6hQ8TFHYQCrwHloA3HgzEJgQSFWaS3niMDfNbgbJEOVhXuT2l7pWgSnp1l5jewAq5CB71mMiUyF+zG8FRAYqUKd4VNRN+3/tp+9FEAqGCH3kTuFhFnWCgguQxDxH4XiIj7n2w79ARPzMbn2vTtd+6N0or7 [email protected]
Comment: Alice is the general applicance admin
OK: "[email protected]" -> created
[email protected]:~$

  • On a single line, in one shot:

[email protected]:~$ passhport-admin user create [email protected] "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHTlnhl23T9NiHn06wWaDpT1aJqEY0aOW7E4dfu7kQJsmRqg2SWMld6H8Q+bggwCLSkRKubOWyoJkprAfwOP8OArAGPCIr9PeQfC581EVqaev/yJYbKwwPQEaHpiQoHMaBfsgA2BYS5cNVcrOpLk8nHgKSJGEcdYipbZZxqDrLaeX3lBA== [email protected]" --comment="John is the Unices admin. He rocks."
OK: "[email protected]" -> created
[email protected]:~$

We add the others:

[email protected]:~$ passhport-admin user create [email protected] "ssh-rsa <Marc's 4096-bit RSA key data, elided> [email protected]"
OK: "[email protected]" -> created
[email protected]:~$ passhport-admin user create [email protected] "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHJk+qDLEi283+rUmSek3eEF4PqXYMmQlPTj352w0XO75EGJzfavEDFe0h+Bu39XN/xVc+ypwOb2vv6pcjVsvuHTwHgXR2ElyfE8gGV7mITyXMdDyoWP5N8Ly3s7njNChSL9z3NiG38lg3E4Vg10nbmmoZZCA3WCffV4ugp3lYPnFmtfA== [email protected]" --comment="Vincent is the network admin."
OK: "[email protected]" -> created
[email protected]:~$ passhport-admin user create [email protected] "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs9YpOfP9vgViYa1SSntrydEBLGyWGAr9nvEjqHcMwHQb9JEmhIjvk1ctb8+Kns3/52F0hBrxic6k6UPvvvjbtJX33muFv5dd0k1W4lLcYe4ONTFwLOqCph4Is5r9lbZ5KXxhN/8YC/08jBJow0CoYdc+Yr7MlA51+tEQFwPbuB5vHMUteye0IgmaH9MLzXes/j5BUhnBjDscWVQSvNHY4/PKtHvIdvoI1uKAplstuHI6CDqnb0aJ5P9wME3P1lhRwcVDTm48/AMcfmpp5s+DwOmyDGfGXf+hE0cu7ulAkwHBhR6ciJJg1pz4DqraglxyVyrt+PFq6KDeV/7WwoNEP [email protected]" --comment="Yann is an external consultant, for a temporary mission bout storage infrastructure."
OK: "[email protected]" -> created
[email protected]:~$

As you can see above, I forgot to put a comment on the "marc@myfirm.com" account. Let's add one:

[email protected]:~$ passhport-admin user edit [email protected] --newcomment="Marc is the ISSM. He access all."
OK: "[email protected]" -> edited
[email protected]:~$

The users are now created. Let's put them in user groups…

Configure user groups

Even though in this example we only have one user per administration role, it's generally a good idea to create a group for each type of skill.

Let's add those groups:

[email protected]:~# passhport-admin usergroup create unices_admins
OK: "unices_admins" -> created
[email protected]:~# passhport-admin usergroup create network_admins
OK: "network_admins" -> created
[email protected]:~# passhport-admin usergroup create appliance_admins
OK: "appliance_admins" -> created
[email protected]:~# passhport-admin usergroup create super_admins
OK: "super_admins" -> created
[email protected]:~#

We add the users to their corresponding groups:

[email protected]:~$ passhport-admin usergroup adduser [email protected] unices_admins
OK: "[email protected]" added to "unices_admins"
[email protected]:~$ passhport-admin usergroup adduser [email protected] network_admins
OK: "[email protected]" added to "network_admins"
[email protected]:~$ passhport-admin usergroup adduser [email protected] appliance_admins
OK: "[email protected]" added to "appliance_admins"
[email protected]:~$ passhport-admin usergroup adduser [email protected] super_admins
OK: "[email protected]" added to "super_admins"
[email protected]:~$

Connect user groups and target groups

We can now connect each user group to a target group:

[email protected]:~# passhport-admin targetgroup addusergroup unices_admins unices
OK: "unices_admins" added to "unices"
[email protected]:~# passhport-admin targetgroup addusergroup network_admins network
OK: "network_admins" added to "network"
[email protected]:~# passhport-admin targetgroup addusergroup appliance_admins others
OK: "appliance_admins" added to "others"
[email protected]:~# passhport-admin targetgroup addusergroup super_admins all-targets
OK: "super_admins" added to "all-targets"
[email protected]:~#

Special configuration for Yann

Because Yann is only here for a short mission and needs access to a few targets that won't be grouped into a target group, we connect him directly to the targets:

[email protected]:~$ passhport-admin target adduser [email protected] nas-srv1
OK: "[email protected]" added to "nas-srv1"
[email protected]:~# passhport-admin target adduser [email protected] [email protected]
OK: "[email protected]" added to "[email protected]"
[email protected]:~#

As you can see above, we did not give Yann access to san1 as root, but as the admin user, through the admin@san1 target we created earlier.

Check rights

We can check what we configured with the "show" sub-command of passhport-admin:

passhport[email protected]:~$ passhport-admin user show [email protected]
Email: [email protected]
SSH key: ssh-rsa <Marc's 4096-bit RSA key data, elided> [email protected]
Comment: Marc is the ISSM. He access all.
Accessible target list: ipbx1 nas-srv1 net-AP9-23 net-RO10-98 net-SW22-57 prntr44 san1 vpn-srv1 www-server

Details in access:
Accessible directly:
Accessible through usergroups:
super_admins: www-server ; vpn-srv1 ; nas-srv1 ; net-AP9-23 ; net-RO10-98 ; net-SW22-57 ; ipbx1 ; prntr44 ; san1 ;
Accessible through targetgroups:
[email protected]:~$

As you can see, the "show" sub-command shows how the user gets access to each target. Marc has access to all the targets we configured because we placed him in the "super_admins" group.

Here is the example for Yann:

[email protected]:~$ passhport-admin user show [email protected]
Email: [email protected]
SSH key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs9YpOfP9vgViYa1SSntrydEBLGyWGAr9nvEjqHcMwHQb9JEmhIjvk1ctb8+Kns3/52F0hBrxic6k6UPvvvjbtJX33muFv5dd0k1W4lLcYe4ONTFwLOqCph4Is5r9lbZ5KXxhN/8YC/08jBJow0CoYdc+Yr7MlA51+tEQFwPbuB5vHMUteye0IgmaH9MLzXes/j5BUhnBjDscWVQSvNHY4/PKtHvIdvoI1uKAplstuHI6CDqnb0aJ5P9wME3P1lhRwcVDTm48/AMcfmpp5s+DwOmyDGfGXf+hE0cu7ulAkwHBhR6ciJJg1pz4DqraglxyVyrt+PFq6KDeV/7WwoNEP [email protected]
Comment: Yann is an external consultant, for a temporary mission bout storage infrastructure.
Accessible target list: nas-srv1 san1

Details in access:
Accessible directly: nas-srv1 ; san1 ;
Accessible through usergroups:
Accessible through targetgroups:
[email protected]:~$

You can see above that Yann has direct access to his targets, not through user groups or target groups.

Let's connect!

Let's say that I'm John. I connect to PaSSHport using the private key matching the public key I sent to the PaSSHport admin:

[email protected]:~$ ssh [email protected]
Welcome [email protected]
Here is the list of servers you can access:
1  www-server  10.0.1.24
2  vpn-srv1    10.0.23.51
3  nas-srv1    10.0.12.87
Type the number, name or hostname of the server you want to connect to :

As John, I can see that I can access 3 servers: www-server, vpn-srv1 and nas-srv1. I can now access each server using:

  • the number in the first column;
  • the name of the server (www-server…);
  • the IP address.

[email protected]:~$ ssh [email protected]
Welcome [email protected]
Here is the list of servers you can access:
1  www-server  10.0.1.24
2  vpn-srv1    10.0.23.51
3  nas-srv1    10.0.12.87
Type the number, name or hostname of the server you want to connect to : 1
Linux www-server 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) x86_64
[email protected]:~#

John is now on www-server.

Let's say that I'm now Alice, a Windows user. I'm going to use PuTTY to connect to PaSSHport. Let's configure PuTTY…

We launch PuTTY (you can download it from here) and, in the configuration tree on the left, go to Connection -> SSH -> Auth, then select the ppk key Alice generated (with PuTTYgen for example):

_images/putty02-circle.PNG

Then we go to Connection -> SSH -> Data and set the login name to passhport:

_images/putty03-circle.PNG

Finally, we go to the root of the configuration tree, Session:

  • enter the hostname or IP of your PaSSHport server
  • enter its SSH port (usually 22)
  • select SSH as connection type
  • enter a name for this connection configuration

For debugging purposes, it may be useful to set Never close window on exit, so you can read any error message.

Save, and click Open!

_images/putty01-circle.PNG

If it's the first time we connect to the PaSSHport server, a window will tell us that the server's host key fingerprint is unknown and ask whether to accept it. Accept it; if the PaSSHport admin gave you the server's fingerprint, compare it first:

_images/putty04-circle.PNG

Then we get the PaSSHport prompt, and as we want to connect to the IPBX, we select 1:

_images/putty06-circle.PNG

We have now landed on our target.

Last relevant example: Yann, who accesses nas-srv1 and san1. He uses a Linux laptop:

[email protected]:~$ ssh [email protected]
Welcome [email protected]
Here is the list of servers you can access:
1  nas-srv1    10.0.12.87
2  [email protected]  10.192.1.10  SAN bay, login as admin user, not root.
Type the number, name or hostname of the server you want to connect to :

He can now connect to either of those two servers.

Delete a user

Yann has finished his mission and left the company. There are two ways to revoke his access:

  • remove all his targets;
  • delete the user.

You may prefer the first way if you know that Yann may come back later for another mission, so you won't have to recreate the user (get his SSH key, etc.). Here is how you can remove his access…

First, list his rights:

[email protected]:~$ passhport-admin user show [email protected]
Email: [email protected]
SSH key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs9YpOfP9vgViYa1SSntrydEBLGyWGAr9nvEjqHcMwHQb9JEmhIjvk1ctb8+Kns3/52F0hBrxic6k6UPvvvjbtJX33muFv5dd0k1W4lLcYe4ONTFwLOqCph4Is5r9lbZ5KXxhN/8YC/08jBJow0CoYdc+Yr7MlA51+tEQFwPbuB5vHMUteye0IgmaH9MLzXes/j5BUhnBjDscWVQSvNHY4/PKtHvIdvoI1uKAplstuHI6CDqnb0aJ5P9wME3P1lhRwcVDTm48/AMcfmpp5s+DwOmyDGfGXf+hE0cu7ulAkwHBhR6ciJJg1pz4DqraglxyVyrt+PFq6KDeV/7WwoNEP [email protected]
Comment: Yann is an external consultant, for a temporary mission bout storage infrastructure.
Accessible target list: [email protected] nas-srv1

Details in access:
Accessible directly: nas-srv1 ; [email protected] ;
Accessible through usergroups:
Accessible through targetgroups:
[email protected]:~$

You can see that he has direct access to nas-srv1 and admin@san1. Let's revoke those accesses:

[email protected]:~$ passhport-admin target rmuser [email protected] [email protected]
OK: "[email protected]" removed from "[email protected]"
[email protected]:~$ passhport-admin target rmuser [email protected] nas-srv1
OK: "[email protected]" removed from "nas-srv1"
[email protected]:~$

Yann no longer has access to any target:

[email protected]:~$ passhport-admin user show [email protected]
Email: [email protected]
SSH key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs9YpOfP9vgViYa1SSntrydEBLGyWGAr9nvEjqHcMwHQb9JEmhIjvk1ctb8+Kns3/52F0hBrxic6k6UPvvvjbtJX33muFv5dd0k1W4lLcYe4ONTFwLOqCph4Is5r9lbZ5KXxhN/8YC/08jBJow0CoYdc+Yr7MlA51+tEQFwPbuB5vHMUteye0IgmaH9MLzXes/j5BUhnBjDscWVQSvNHY4/PKtHvIdvoI1uKAplstuHI6CDqnb0aJ5P9wME3P1lhRwcVDTm48/AMcfmpp5s+DwOmyDGfGXf+hE0cu7ulAkwHBhR6ciJJg1pz4DqraglxyVyrt+PFq6KDeV/7WwoNEP [email protected]
Comment: Yann is an external consultant, for a temporary mission bout storage infrastructure.
Accessible target list:

Details in access:
Accessible directly:
Accessible through usergroups:
Accessible through targetgroups:
[email protected]:~$
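The first option above, scripted: the "user show" output format from the Check rights section is parsed, every direct grant is revoked with "target rmuser", and any user group membership that would still grant access is reported rather than silently left behind. This is an added example, not part of PaSSHport; it assumes a PASSHPORT_ADMIN variable naming the passhport-admin binary, and the sample "user show" output (user yann@example.com, user group storage_guests) is constructed for the demo.

```shell
#!/bin/bash
# Added example (not PaSSHport's own code): script the "remove all his
# targets" offboarding option. It parses the "passhport-admin user show"
# output layout shown above, revokes every *direct* grant, then warns
# about usergroup memberships that would still give the user access.
# Assumption: PASSHPORT_ADMIN names the passhport-admin binary.
PASSHPORT_ADMIN="${PASSHPORT_ADMIN:-passhport-admin}"

# Constructed sample of a "user show" result (same layout as above).
SAMPLE_SHOW="$(cat <<'EOF'
Email: yann@example.com
SSH key: ssh-rsa AAAAB3NzaC1yc2E...(constructed, truncated) yann@example.com
Comment: Yann is an external consultant.
Accessible target list: admin@san1 nas-srv1

Details in access:
Accessible directly: nas-srv1 ; admin@san1 ;
Accessible through usergroups:
    storage_guests: nas-srv1 ;
Accessible through targetgroups:
EOF
)"

# Targets on the "Accessible directly:" line, one per line.
# Entries are separated by " ; " and the line ends with a stray ";".
direct_targets() {
  printf '%s\n' "$1" | awk -F': ' '
    /^Accessible directly:/ {
      n = split($2, parts, ";")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] != "") print parts[i]
      }
    }'
}

# Usergroups listed under "Accessible through usergroups:", one per line.
usergroups_of() {
  printf '%s\n' "$1" | awk '
    /^Accessible through usergroups:/   { in_ug = 1; next }
    /^Accessible through targetgroups:/ { in_ug = 0 }
    in_ug && /:/ { sub(/:.*/, ""); gsub(/^[ \t]+/, ""); print }'
}

# Revoke every direct grant of user $1; report the group access that remains.
revoke_direct_access() {
  user="$1"
  show="$("$PASSHPORT_ADMIN" user show "$user")" || return 1
  direct_targets "$show" | while IFS= read -r target; do
    "$PASSHPORT_ADMIN" target rmuser "$user" "$target"
  done
  ugs="$(usergroups_of "$show")"
  [ -z "$ugs" ] || printf 'WARNING: %s still in usergroup(s): %s\n' \
    "$user" "$(printf '%s' "$ugs" | tr '\n' ' ')"
}

# Stand-alone demo on the constructed sample (no PaSSHport needed):
direct_targets "$SAMPLE_SHOW"
```

A real run is `revoke_direct_access <user email>` as the passhport user on the node; the warning line tells you whether the group memberships also need to be removed.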

The second option is to delete the user:

[email protected]:~$ passhport-admin user delete [email protected]
Email: [email protected]
SSH key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs9YpOfP9vgViYa1SSntrydEBLGyWGAr9nvEjqHcMwHQb9JEmhIjvk1ctb8+Kns3/52F0hBrxic6k6UPvvvjbtJX33muFv5dd0k1W4lLcYe4ONTFwLOqCph4Is5r9lbZ5KXxhN/8YC/08jBJow0CoYdc+Yr7MlA51+tEQFwPbuB5vHMUteye0IgmaH9MLzXes/j5BUhnBjDscWVQSvNHY4/PKtHvIdvoI1uKAplstuHI6CDqnb0aJ5P9wME3P1lhRwcVDTm48/AMcfmpp5s+DwOmyDGfGXf+hE0cu7ulAkwHBhR6ciJJg1pz4DqraglxyVyrt+PFq6KDeV/7WwoNEP [email protected]
Comment: Yann is an external consultant, for a temporary mission bout storage infrastructure.
Accessible target list:

Details in access:
Accessible directly:
Accessible through usergroups:
Accessible through targetgroups:
Are you sure you want to delete [email protected]? [y/N] y
OK: "[email protected]" -> deleted
[email protected]:~$

Conclusion

You should now be able to use the basic functions of PaSSHport.