ssh-iam-bridge

command module
v0.0.0-...-abb857b
Published: Jan 5, 2017 License: MIT Imports: 17 Imported by: 0

README

AWS IAM/SSH Bridge


ssh-iam-bridge lets you use the SSH public keys stored in AWS IAM to authenticate users on Linux hosts.

Inspired by and nearly a direct port of Keymaker from Python to Go.

Theory of Operation

When a client connects to a host via SSH, sshd can be configured to ask an external command (AuthorizedKeysCommand) for the list of authorized keys for that user. Those keys can be pulled from IAM on demand. Assuming we trust IAM, at that point the user is considered "known" and good. PAM can be configured to trust sshd and add the user to the system. The local system groups are synchronized from the IAM groups by looking for ones with a given prefix. This allows group management to be done from IAM alone.


Usage

Create groups in AWS IAM with the prefix "system-" and "system-<role>-". These groups will be created on your servers. For instance, the IAM group "system-wheel" will be created as the "wheel" group on the system.

When launching EC2 instances, give them an IAM role (instance profile) that includes read access to IAM. There is a predefined policy named IAMReadOnlyAccess that works well. Alternatively, since this program uses the official AWS SDK, it will look for credentials in the usual places.

Run ssh-iam-bridge install on your Linux host. This does a few things: create a script for sshd's AuthorizedKeysCommand to run, create a user under which the script is run, modify sshd_config to run the script, modify PAM to create the IAM user locally during SSH login, and install a cron job to synchronize the groups.

usage: ssh-iam-bridge [<flags>] <command> [<args> ...]

Flags:
  --help     Show context-sensitive help (also try --help-long and --help-man).
  --version  Show application version.

Commands:
  help [<command>...]
    Show help.

  install [<flags>] [<user>]
    Install this program to authenticate SSH connections and create users

    Flags:
      --no-pam   Don't install to PAM (no autocreate user on login, create users on sync)

  authorized_keys <user>
    Get the authorized_keys from IAM for user

  sync
    Sync the IAM users and groups with the local system

  sync_groups
    Sync only the IAM groups with the local system groups

  pam_create_user
    Create a user from the env during the sshd pam phase
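As an added illustration of the two pieces this tool glues together (not code from ssh-iam-bridge itself): the group-prefix mapping described under Usage, and the authorized_keys output an AuthorizedKeysCommand must print, with the username check the TODO below calls for. The IAMKey type, sampleKeys and the name rule are constructed assumptions; the role-qualified "system-<role>-" form is not modelled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// IAMKey stands in for an IAM SSH public key record (constructed; the real tool uses the AWS SDK).
type IAMKey struct {
	Body   string // OpenSSH-format public key line
	Status string // "Active" or "Inactive"
}

// Conservative Linux name rule; assumption, the project's sanitizer (a TODO above) may differ.
var localNameRE = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// SafeUsername gates the name sshd passes to AuthorizedKeysCommand:
// IAM allows '+', '=', ',', '.', '@' in user names, Linux does not.
func SafeUsername(name string) bool { return localNameRE.MatchString(name) }

// LocalGroupName maps "system-wheel" to local group "wheel"; other
// IAM groups are ignored, as are names Linux would reject.
func LocalGroupName(iamGroup string) (string, bool) {
	name := strings.TrimPrefix(iamGroup, "system-")
	return name, name != iamGroup && SafeUsername(name)
}

// AuthorizedKeys builds the lines AuthorizedKeysCommand prints: Active
// keys only, and a body holding a line break is dropped so one IAM
// record cannot smuggle a second key onto the host.
func AuthorizedKeys(user string, keys []IAMKey) ([]string, error) {
	if !SafeUsername(user) {
		return nil, fmt.Errorf("refusing unsafe username %q", user)
	}
	var lines []string
	for _, k := range keys {
		body := strings.TrimSpace(k.Body)
		if k.Status == "Active" && !strings.ContainsAny(body, "\r\n") {
			lines = append(lines, body)
		}
	}
	return lines, nil
}

var sampleKeys = []IAMKey{ // constructed data, not real key material
	{Body: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOne alice@laptop\n", Status: "Active"},
	{Body: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleTwo alice@old", Status: "Inactive"},
	{Body: "ssh-rsa AAAAB3ExampleThree\nssh-rsa AAAAB3Smuggled", Status: "Active"},
}
```

Joining the returned lines with "\n" gives exactly the text an AuthorizedKeysCommand script would write to stdout for sshd.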

Warranty

I'm not a security expert and I don't program in Go very often. Use at your own risk. Pull requests will be received with immense gratitude.

TODO

  • Sanitize usernames. IAM is more permissive than Linux. (use the ARN in the comment to get the IAM user)
  • Test with 2FA also enabled (like Duo Security or libpam-google-authenticator)

