AWS IAM/SSH Bridge
ssh-iam-bridge lets you use the SSH public keys stored in AWS IAM to
authenticate users on Linux hosts.
Inspired by, and nearly a direct port of, Keymaker from Python to Go.
Theory of Operation
When a client connects to a host via SSH, the sshd daemon can ask an external
command (AuthorizedKeysCommand) for the list of authorized keys for that user.
Those keys can be pulled from IAM on demand. Assuming we trust IAM, at that
point the user is considered "known" and good.
PAM can be configured to trust ssh and add the user to the system. The local
system groups are synchronized from the IAM groups by looking for ones with a
given prefix. This allows group management to be done from IAM alone.
Resources
Usage
Create groups in AWS IAM with the prefix "system-" and "system-<role>-". These
groups will be created on your servers. For instance, the IAM group
"system-wheel" will be created as the "wheel" group on the system.
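The prefix convention above, worked through as a small Go example. This is added illustration code, not part of ssh-iam-bridge; the function names localGroupName and planGroupCreates, the sample group lists, and the knownRoles list are all constructed here. The README names the "system-<role>-" form but does not say how a role is matched, so the example assumes a group is role-scoped when the segment after "system-" is one of a known set of roles, and that such a group applies only to hosts with that role.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// groupPrefix is the IAM group-name prefix the README reserves for groups
// that should be mirrored onto the hosts.
const groupPrefix = "system-"

// localGroupName maps one IAM group name to the local group it should become
// on a host with the given role. The boolean is false when this host must not
// manage the group: the name lacks the prefix, nothing follows the prefix, or
// the group is scoped to a different role.
//
// Role scoping is an assumption made for this example: the README names the
// "system-<role>-" form but does not say how it is matched, so a group is
// treated as role-scoped here only when the segment after "system-" is one of
// knownRoles. Without that list "system-web-deploy" could not be told apart
// from a global group called "web-deploy".
func localGroupName(iamGroup, hostRole string, knownRoles []string) (string, bool) {
	if !strings.HasPrefix(iamGroup, groupPrefix) {
		return "", false
	}
	rest := strings.TrimPrefix(iamGroup, groupPrefix)
	for _, role := range knownRoles {
		if strings.HasPrefix(rest, role+"-") {
			if role != hostRole {
				return "", false // belongs to hosts of another role
			}
			rest = strings.TrimPrefix(rest, role+"-")
			break
		}
	}
	if rest == "" {
		return "", false // "system-" or "system-<role>-" alone names no group
	}
	return rest, true
}

// planGroupCreates returns, sorted, the local groups that must be added so
// that the host carries every group IAM assigns to it. Only additions are
// planned: without a record of which local groups the tool itself created,
// a group missing from IAM cannot safely be told apart from one the
// distribution installed, so nothing is ever proposed for removal here.
func planGroupCreates(iamGroups, localGroups []string, hostRole string, knownRoles []string) []string {
	have := make(map[string]bool, len(localGroups))
	for _, g := range localGroups {
		have[g] = true
	}
	seen := make(map[string]bool)
	var create []string
	for _, g := range iamGroups {
		name, ok := localGroupName(g, hostRole, knownRoles)
		if !ok || have[name] || seen[name] {
			continue
		}
		seen[name] = true
		create = append(create, name)
	}
	sort.Strings(create)
	return create
}

func main() {
	// Constructed sample data: groups as IAM might list them, and the groups
	// already present in /etc/group on a host whose role is "web".
	iamGroups := []string{"system-wheel", "system-web-deploy", "system-db-backup", "Administrators", "system-"}
	localGroups := []string{"root", "adm", "wheel"}
	for _, g := range planGroupCreates(iamGroups, localGroups, "web", []string{"web", "db"}) {
		fmt.Println("groupadd", g)
	}
}
```

With the sample data only "deploy" is planned: "wheel" already exists, "system-db-backup" belongs to db hosts, "Administrators" lacks the prefix, and a bare "system-" names nothing.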
When launching EC2 instances give them an IAM Role (instance profile) that
includes read access to IAM. There is a predefined policy named
IAMReadOnlyAccess
that works well. Or, since this program uses the official
AWS SDK, it will search out credentials
in the usual places.
Run ssh-iam-bridge install
on your Linux host. This does a few things: create
a script for sshd's AuthorizedKeysCommand to run, create a user under which the
script is run, modify sshd_config to run the script, modify PAM to create the
IAM user locally during ssh login, and install a cron job to synchronize the groups.
usage: ssh-iam-bridge [<flags>] <command> [<args> ...]

Flags:
  --help     Show context-sensitive help (also try --help-long and --help-man).
  --version  Show application version.

Commands:
  help [<command>...]
    Show help.

  install [<flags>] [<user>]
    Install this program to authenticate SSH connections and create users
    Flags:
      --no-pam  Don't install to PAM (no autocreate user on login, create users on sync)

  authorized_keys <user>
    Get the authorized_keys from IAM for user

  sync
    Sync the IAM users and groups with the local system

  sync_groups
    Sync only the IAM groups with the local system groups

  pam_create_user
    Create a user from the env during the sshd pam phase
Warranty
I'm not a security expert and I don't program in Go very often. Use at your own
risk. Pull requests will be received with immense gratitude.
TODO
- Sanitize usernames. IAM is more permissive than Linux. (Use the ARN in
the comment to get the IAM user.)
- Test with 2FA also enabled (like Duo Security or
libpam-google-authenticator)
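The first TODO item, username sanitization, as an added Go example; this is illustration code written for this page, not part of ssh-iam-bridge. The function checkName, the two regular expressions, the error values and the defaultReserved list are constructed here. The name reaching the authorized_keys subcommand is the login name sshd passes before the client has authenticated, and the name reaching pam_create_user comes from the PAM environment, so both are treated as untrusted input. The local-name rule is deliberately stricter than what some useradd builds accept; the IAM rule follows the documented IAM character set for user and group names.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// linuxName is a deliberately conservative rule for local login and group
// names: a lowercase letter or underscore, then lowercase letters, digits,
// underscore or hyphen, 32 characters at most. Some useradd builds accept
// more, but a name that passes here is safe to hand to useradd and groupadd
// on any common distribution, and it can never begin with "-" and be read
// as a command-line option.
var linuxName = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// iamName is the character set IAM permits in user and group names, at most
// 64 characters. It is the wider of the two rules, which is the gap the
// README's TODO refers to.
var iamName = regexp.MustCompile(`^[\w+=,.@-]{1,64}$`)

var (
	ErrInvalidName  = errors.New("not a valid local account name")
	ErrReservedName = errors.New("reserved for a local system account")
)

// defaultReserved is a constructed sample of account names that must never
// be created or looked up on behalf of an IAM identity. A real deployment
// would build this from the accounts already present in /etc/passwd.
var defaultReserved = map[string]bool{
	"root": true, "daemon": true, "bin": true, "sys": true, "nobody": true, "sshd": true,
}

// checkName validates a name that arrived from an untrusted source: the login
// name sshd hands to AuthorizedKeysCommand before the client has proven
// anything, PAM_USER during the PAM phase, or a name in an IAM response. It
// returns the name unchanged when it satisfies both rule sets and is not
// reserved. No rewriting (lower-casing, stripping "@domain") is attempted,
// because a rewrite can map two distinct IAM users onto one local account.
func checkName(name string, reserved map[string]bool) (string, error) {
	if !iamName.MatchString(name) || !linuxName.MatchString(name) {
		return "", fmt.Errorf("%w: %q", ErrInvalidName, name)
	}
	if reserved[name] {
		return "", fmt.Errorf("%w: %q", ErrReservedName, name)
	}
	return name, nil
}

func main() {
	// Constructed sample inputs as they might reach the authorized_keys or
	// pam_create_user subcommands.
	samples := []string{"alice", "Alice", "alice@example.com", "root", "-f", "a_very_long_name_that_exceeds_thirty_two_chars"}
	for _, n := range samples {
		if _, err := checkName(n, defaultReserved); err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("accept:", n)
	}
}
```

Rejecting rather than rewriting matters for the second half of the TODO as well: if the bridge later uses the ARN in the key comment to recover the IAM user, every local account must map back to exactly one IAM identity, which a lossy rewrite would break.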
Similar Projects