The simple alternative to user account management on Linux.
Userd gathers user account definitions from a git repository, then
administrates the user accounts and ssh access for Linux servers.
Download the latest userd
binary from the github releases tab and put the
file into a $PATH. Ensure the file is executable. Then add it as a cron
jon or systemd timer on every server that you want to administrate.
# /etc/crontab
*/15 * * * * root userd --realm development --repo https://github.com/somewhere/ourusers
When the application is run, userd
clones a git repository into memory.
The repository should contain a list of users. Userd
checks that list and
adds or removes user accounts from a server as required.
The user account git repository should be locked down to prevent unauthorized write access.
If the git repo contains ssh public keys, userd
will keep each user's
~/.ssh/authorized_keys
up to date with those keys. Each user's group membership
(and other account details) will be updated as well.
Since all user administration is performed by git repository commits, there is a solid audit trail behind every access that is granted to every user. A Pull Request may be created by unauthorized users to kick-start a grant for access.
Realms are used to define access perimeters. The actual realm names are arbitrary and defined by you.
Each server belongs to a realm. The realm name is used by userd
to decide
whether a user account should or shouldn't exist on a server (ie is this user
in that realm?).
You might decide to define your realms quite broadly eg: green, orange, red. Or take a fine-grained approach eg: using each server's hostname or IP address as a separate realm.
For example, we use AWS Instance Profile names as our realms. This works because our particular applications are spread across multiple servers that may all have the same Instance Profile name.
The git repository that contains all the user accounts should contain multiple
JSON files, one JSON file per user. Each JSON file should have the file suffix
.json
.
The contents of one file should define all the servers and groups that one user
belongs to, eg here is jane.smith.json
:
{
"username": "jsmith",
"comment": "Jane Smith",
"realms": [
"production",
"development",
"test-*"
],
"groups": [
"admin",
"sudo:development"
],
"shell": "/bin/bash",
"password": "[encrypted-password-hash]",
"ssh_keys": [
"ssh-ed25519 AAAAC3NzaKYCoqgI7JQGXzMQ jsmith@home"
]
}
In this example Jane will be added to all servers that are part of the production or development realms, she will also be granted access to every realm whose name begins with "test-".
Jane will be in the admin group for every realm, but will only be in the sudo group for the development realm.
The encrypted password hash can be generated using the openssl
tool, eg:
openssl passwd -1
Password: [enter a new password]
Verifying - Password: [enter it again]
$1$uxa.NCuA$Y6FQJaSRaRtfK1OUcOD5P1
Most fields in the JSON file can be omitted if they are not desired. If the
realms are set to an empty array []
then that user account will be removed
from every server that userd
is administrating.