guardctrl.md

@@ -17,6 +17,8 @@ guardctrl assumes a systemd --user instance.  For the LIGO site installations we
 ```
 We use `uid=1010` to not collide with any of the other standard system users, and we add it to the `controls` group so that it can write archive and channel info to locations owned by the controls group.
 
+NOTE: For a site setup where guardctrl will be accessed through a ~passwordless-SSH-interface, the guardian user should not have a password.  Otherwise the guardian user can have a password as usual.
+
 ### guardctrl setup
 
 The `guardctrl` interface knows that it's running as the correct user by the presence of a `~/.guardctrl-home` file.  Touch this file in the `guardian` user home directory:
@@ -34,6 +36,27 @@ GUARD_ARCHIVE_ROOT=/ligo/cds/lho/h1/guardian/archive
 NDSSERVER=h1nds0:8088,h1nds1:8088
 ```
 
-### SSH interface setup
+### passwordless SSH interface
+
+For accessing the guardctrl interface via passwordless SSH, we add a "Match" stanza to the sshd_config:
+```
+Match User guardian
+  # PermitEmptyPasswords yes
+  PermitTTY yes
+  X11Forwarding no
+  AllowTcpForwarding no
+  ForceCommand /etc/guardian/guardctrl-ssh-bridge
+```
+After adding the Match stanza, reload sshd:
+```shell
+# systemctl force-reload sshd
+```
+
+#### local guardian user access
 
-/opt/rtcds/userapps/release/cds/h1/daqfiles/ini/H1EDCU_GRD.ini
+Occasionally it might be necessary to access the guardian user directly.  If passwordless SSH access has been enabled, this will need to be done with something like su.  However, su and sudo do not provide access to the user dbus needed to interact with systemctl --user.  However the systemd-container package includes the `machinectl` interface whose `shell` command allows for a clean user environment with all dbus interfaces available:
\ No newline at end of file
+```shell
+root@h1guardian1:~# machinectl shell guardian@ /bin/bash
+guardian@h1guardian1:~$ systemctl --user status
+...
+```
\ No newline at end of file