This directory helps provide fine-grained, policy-based control over who can ssh and sudo into each of your servers and containers.
You can find a step-by-step tutorial at SSH and sudo Authorization.
This directory includes:
- A policy-enabled PAM module that you install on each of your servers or containers (/pam)
- Code showing you how to install and configure the PAM module and package servers as containers (/docker)
To get started, make sure you have docker and docker-compose installed, then build the server images using:
$ cd $THIS_REPO/pam_opa
$ make && make up
This will fire up docker containers that can be used for trial and testing:
- One of the containers runs OPA, using the policies in /docker/policy.
- The other two containers run the PAM module. You can try running sudo and SSH on them.
To SSH into the frontend container:
$ ssh -p 2222 ops@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Enter ramesh and suresh in the prompts that follow to get access. This behavior can be modified by changing the policies in the directory mentioned above.
Note that the two -o options disable host-key verification; they are convenient for this throwaway local demo, whose container regenerates its host key on every build, but should not be carried over to real servers.
To modify OpenSSH's behavior, edit /docker/etc/sshd_config.
For example, you can change the line
AuthenticationMethods keyboard-interactive
to
AuthenticationMethods publickey,keyboard-interactive
The SSH server will then require both a public key listed in the user's authorized_keys and PAM module authorization before it grants access. The keyboard-interactive method is only routed through the PAM module when UsePAM yes and KbdInteractiveAuthentication yes (ChallengeResponseAuthentication yes on OpenSSH releases before 8.7) are also set, and sshd takes the first value it reads for any directive, so check that no earlier line in the file sets a different AuthenticationMethods. You can validate the edited file with sshd -t -f docker/etc/sshd_config before rebuilding the containers.
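The following script is an added example, not part of the pam_opa repository: it applies the change above to an sshd_config file and then checks that the effective configuration really does demand both a public key and a PAM keyboard-interactive exchange. The function names and the sample config it is tested against are the example's own; it assumes a config without Match blocks, since it rewrites directives at file scope only.

```shell
#!/bin/sh
# Added example (not pam_opa's own code): force "publickey AND keyboard-interactive"
# in an sshd_config and verify the effective result.
# Assumes no Match blocks: directives are rewritten at top level only.

# Print the effective value of a directive. sshd uses the FIRST definition it
# reads, so stop at the first uncommented match. Keywords are case-insensitive.
effective() {
    awk -v k="$2" 'tolower($1)==tolower(k) { $1=""; sub(/^ +/, ""); print; exit }' "$1"
}

# Replace every existing definition of $2 (commented out or not) with "$2 $3".
# Removing earlier definitions matters because of the first-wins rule above.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" '
        { line=$0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/) }
        tolower(f[1]) != tolower(k) { print }
    ' "$file" > "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# The change from the README, plus the directives keyboard-interactive needs
# in order to be served by PAM at all.
require_key_and_pam() {
    set_directive "$1" AuthenticationMethods publickey,keyboard-interactive
    set_directive "$1" UsePAM yes
    set_directive "$1" KbdInteractiveAuthentication yes       # OpenSSH >= 8.7 name
    set_directive "$1" ChallengeResponseAuthentication yes    # older alias, still accepted
}

# Return 0 only if every login path requires both methods. AuthenticationMethods
# may list several space-separated alternatives ("publickey,keyboard-interactive
# password" would let a password alone through), so each alternative is checked.
requires_both() {
    methods=$(effective "$1" AuthenticationMethods)
    [ -n "$methods" ] || return 1
    for alt in $methods; do
        case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$alt," in *,keyboard-interactive,*) ;; *) return 1 ;; esac
    done
    [ "$(effective "$1" UsePAM)" = yes ] || return 1
    [ "$(effective "$1" KbdInteractiveAuthentication)" = yes ] ||
        [ "$(effective "$1" ChallengeResponseAuthentication)" = yes ]
}

# Usage: ./require_both.sh docker/etc/sshd_config
if [ -n "$1" ]; then
    require_key_and_pam "$1"
    requires_both "$1" && echo "ok: $1 requires publickey and PAM keyboard-interactive"
fi
```

Run it against docker/etc/sshd_config before `make`, then confirm with `sshd -t -f docker/etc/sshd_config` that OpenSSH still parses the file; the script only checks the directives it knows about, not full syntax.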
For more details on how to install, run and debug the PAM module on your own machines, see this README.