@@ -17,6 +17,8 @@ guardctrl assumes a systemd --user instance. For the LIGO site installations we
...
@@ -17,6 +17,8 @@ guardctrl assumes a systemd --user instance. For the LIGO site installations we
```
```
We use `uid=1010` to not collide with any of the other standard system users, and we add it to the `controls` group so that it can write archive and channel info to locations owned by the controls group.
We use `uid=1010` to not collide with any of the other standard system users, and we add it to the `controls` group so that it can write archive and channel info to locations owned by the controls group.
NOTE: For a site setup where guardctrl will be accessed through a ~passwordless-SSH-interface, the guardian user should not have a password. Otherwise the guardian user can have a password as usual.
### guardctrl setup
### guardctrl setup
The `guardctrl` interface knows that it's running as the correct user by the presence of a `~/.guardctrl-home` file. Touch this file in the `guardian` user home directory:
The `guardctrl` interface knows that it's running as the correct user by the presence of a `~/.guardctrl-home` file. Touch this file in the `guardian` user home directory:
For accessing the guardctrl interface via passwordless SSH, we add a "Match" stanza to the sshd_config:
\ No newline at end of file
```
Match User guardian
# PermitEmptyPasswords yes
PermitTTY yes
X11Forwarding no
AllowTcpForwarding no
ForceCommand /etc/guardian/guardctrl-ssh-bridge
```
After adding the Match stanza, reload sshd:
```shell
# systemctl force-reload sshd
```
#### local guardian user access
Occasionally it might be necessary to access the guardian user directly. If passwordless SSH access has been enabled, this will need to be done with something like su. However, su and sudo do not provide access to the user dbus needed to interact with systemctl --user. However the systemd-container package includes the `machinectl` interface whose `shell` command allows for a clean user environment with all dbus interfaces available:
