🐙 Manage Linux users and authentication with a team or collaborators on GitHub.
Type Name Latest commit message Commit time
builds
debian update for deb Oct 22, 2018
dockerfiles add selinux-policy to dockerfile Oct 22, 2018
misc support ubuntu for Vagrantfile Oct 9, 2018
rpm update rpm Oct 22, 2018
selinux add type enforcement file of selinux Oct 22, 2018
test update keys Oct 26, 2018
.clang-format move C source to top dir Feb 15, 2017
.gitignore ignore unnecessary selinux policy files Oct 22, 2018
.travis.yml fix wrong attribute in travis.yml Sep 13, 2017
COPYING use latest GPLv3 COPYING Feb 20, 2017
Makefile split task for policy build Oct 22, 2018
README.md update README Oct 22, 2018
Vagrantfile add provision Oct 22, 2018
_config.yml Set theme jekyll-theme-tactile Oct 23, 2018
docker-compose.yml add bionic dockerfile Jun 30, 2018
nss_octopass-group.c use abstract method! Sep 16, 2017
nss_octopass-group_cli.c add copy to headers Feb 20, 2017
nss_octopass-group_test.c use test/octopass.conf in test Feb 22, 2017
nss_octopass-passwd.c use abstract method! Sep 16, 2017
nss_octopass-passwd_cli.c add copy to headers Feb 20, 2017
nss_octopass-passwd_test.c use test/octopass.conf in test Feb 22, 2017
nss_octopass-shadow.c use abstract method! Sep 16, 2017
nss_octopass-shadow_cli.c add copy to headers Feb 20, 2017
nss_octopass-shadow_test.c use test/octopass.conf in test Feb 22, 2017
octopass.c syslog curl error Oct 9, 2018
octopass.conf.example update conf example Sep 23, 2017
octopass.h bump version to 0.6.0 Oct 22, 2018
octopass_cli.c add prefix to methods Feb 28, 2017
octopass_test.c update keys Oct 26, 2018

README.md

OCTOPASS

OCTOPASS: Manage Linux users and authentication with a team or collaborators on GitHub.

Description

This is a user management tool for Linux backed by GitHub. Name resolution and authentication are provided by a team or the collaborators on GitHub. It is easy to handle and easy to operate.

Usage

Github Org/Team

For example, add "Ken" to a team in a GitHub organization ...

On a Linux server where OCTOPASS is enabled, Ken will be able to log in over SSH with the key registered on GitHub.

Wow!?

Through OCTOPASS name resolution, you can check the id of the team members of a GitHub organization.

$ id ken
uid=5458(ken) gid=2000(operators) groups=2000(operators)

You can also list entries in the style of /etc/passwd, /etc/shadow and /etc/group with OCTOPASS. For details, see --help.

$ octopass passwd
chun-li:x:14301:2000:managed by octopass:/home/chun-li:/bin/bash
dhalsim:x:8875:2000:managed by octopass:/home/dhalsim:/bin/bash
ken:x:5458:2000:managed by octopass:/home/ken:/bin/bash
ryu:x:74049:2000:managed by octopass:/home/ryu:/bin/bash
sagat:x:93011:2000:managed by octopass:/home/sagat:/bin/bash
zangief:x:8305:2000:managed by octopass:/home/zangief:/bin/bash

OCTOPASS also gets the public key from GitHub for key authentication.

$ octopass ken
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqUJvs1vRgHRMH9dpxYcBBV687njS2YrJ+oeIKvbAbg6yL4QsJMeElcPOlmfWEYsp8vbRLXQCTvv14XJfKmgp8V9es5P/l8r5Came3X1S/muqRMONUTdygCpfyo+BJGIMVKtH8fSsBCWfJJ1EYEesyzxqc2u44yIiczM2b461tRwW+7cHNrQ6bKEY9sRMV0p/zkOdPwle30qQml+AlS1SvbrMiiJLEW75dSSENr5M+P4ciJHYXhsrgLE95+ThFPqbznZYWixxATWEYMLiK6OrSy5aYss4o9mvEBJozyrVdKyKz11zSK2D4Z/JTh8eP+NxAw5otqBmfNx+HhKRH3MhJQ==

Why?

I did not need functions like LDAP, and wanted simplicity and ease of introduction. Therefore, users are only considered to have administrator authority. However, it is very easy to add a new user or to remove a user who leaves.

Also, to resolve names quickly, GitHub API responses are cached in files. As a result, even if GitHub is down, it keeps working as long as past caches remain.
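
A model of the cache behaviour described above, as an added example that is not octopass's own code: a lookup is served from the file while it is younger than the Cache setting, refreshed when older, and served stale when the fetch fails, which is why a member removed on GitHub can keep resolving until a refresh succeeds. The function names, the CACHE_STATE variable and the fetch command passed in are assumptions.

```shell
#!/bin/sh
# Model of a file cache with a TTL and stale fallback (not octopass's code).
CACHE_TTL=${CACHE_TTL:-500}   # README default for "Cache", in seconds

cache_age() {  # seconds since file $1 was last written (GNU stat, Linux)
  echo $(( $(date +%s) - $(stat -c %Y "$1") ))
}

# Prints the response on stdout and sets CACHE_STATE to
# fresh | refreshed | stale | miss. Call it with stdout redirected rather
# than in $(...), otherwise CACHE_STATE is lost in the subshell.
cached_lookup() {  # $1=cache file, remaining args=hypothetical fetch command
  file=$1; shift
  if [ -f "$file" ] && [ "$(cache_age "$file")" -lt "$CACHE_TTL" ]; then
    CACHE_STATE=fresh; cat "$file"; return 0
  fi
  # Cache missing or expired: ask upstream, replace the file only on success.
  if "$@" > "$file.tmp" 2>/dev/null; then
    mv "$file.tmp" "$file"; CACHE_STATE=refreshed; cat "$file"; return 0
  fi
  rm -f "$file.tmp"
  if [ -f "$file" ]; then
    # Upstream unreachable: the old membership list is still answered.
    CACHE_STATE=stale; cat "$file"; return 0
  fi
  CACHE_STATE=miss; return 1
}
```

Logging every lookup that ends in the stale state gives operators a signal that logins are being decided on membership data older than the configured cache time.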

Architecture

[Figure: Architecture]

Installation

Ubuntu:

$ curl -s https://packagecloud.io/install/repositories/linyows/octopass/script.deb.sh | sudo bash
$ sudo apt-get install octopass

CentOS:

$ curl -s https://packagecloud.io/install/repositories/linyows/octopass/script.rpm.sh | sudo bash
$ sudo yum install octopass

Packages are provided via packagecloud.

Building from Source

Dependency

  • glibc
  • libcurl
  • jansson

$ git clone https://github.com/linyows/octopass
$ make && make install
$ mv octopass.conf.example /etc/octopass.conf

Configuration

Edit octopass.conf:

$ mv /etc/{octopass.conf.example,octopass.conf}

| Key | Description | Default |
|---|---|---|
| Endpoint | GitHub endpoint | https://api.github.com |
| Token | GitHub personal access token | - |
| Organization | GitHub organization | - |
| Team | GitHub team | - |
| Owner | GitHub owner | - |
| Repository | GitHub repository | - |
| Permission | GitHub collaborator permission | write |
| Group | group on Linux | same as team |
| Home | user home | /home/%s |
| Shell | user shell | /bin/bash |
| UidStarts | start number of uid | 2000 |
| Gid | gid | 2000 |
| Cache | GitHub API cache sec | 500 |
| Syslog | use syslog | false |
| SharedUsers | share auth of specific users on team | [] |

Generate a token here: https://github.com/settings/tokens/new
The token needs: Read org and team membership

SSHD Configuration

/etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/bin/octopass
AuthorizedKeysCommandUser root
UsePAM yes
PasswordAuthentication no

PAM Configuration

Add this to the top of /etc/pam.d/sshd:

auth	requisite	pam_exec.so	quiet	expose_authtok	/usr/bin/octopass pam
auth	optional	pam_unix.so	not_set_pass	use_first_pass	nodelay
session	required	pam_mkhomedir.so	skel=/etc/skel/	umask=0022

NSS Switch Configuration

/etc/nsswitch.conf:

passwd:     files octopass sss
shadow:     files octopass sss
group:      files octopass sss

This enables OCTOPASS for name resolution.
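
A check for the three configuration steps above (sshd, PAM, NSS), as an added example that is not part of the octopass project: it reports every setting that differs from what this README specifies. The function names are assumptions, and the sshd parser assumes whitespace-separated "Keyword value" lines without Match blocks.

```shell
#!/bin/sh
# Added example: audit the sshd, PAM and NSS settings this README asks for.
# Assumes whitespace-separated "Keyword value" lines and no Match blocks.

sshd_value() {  # $1=file $2=keyword; sshd uses the first occurrence, case-insensitively
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

check_sshd() {  # $1=sshd_config
  rc=0
  for pair in AuthorizedKeysCommand=/usr/bin/octopass \
              AuthorizedKeysCommandUser=root UsePAM=yes PasswordAuthentication=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "sshd: $key is '${got:-unset}', expected '$want'"; rc=1
    fi
  done
  return "$rc"
}

check_pam() {  # $1=pam.d/sshd; the octopass rule must be the first active line
  first=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | head -n 1)
  case "$first" in
    auth*requisite*pam_exec.so*expose_authtok*"/usr/bin/octopass pam"*) return 0 ;;
  esac
  echo "pam: first active rule is not the octopass pam_exec line"; return 1
}

check_nss() {  # $1=nsswitch.conf
  rc=0
  for db in passwd shadow group; do
    if ! grep -Eq "^${db}:.*[[:space:]]octopass([[:space:]]|\$)" "$1"; then
      echo "nss: '$db' does not list octopass"; rc=1
    fi
  done
  return "$rc"
}

audit_octopass() {  # $1=sshd_config $2=pam.d/sshd $3=nsswitch.conf
  fail=0
  check_sshd "$1" || fail=1
  check_pam  "$2" || fail=1
  check_nss  "$3" || fail=1
  return "$fail"
}

# Run against the live files when given three paths.
if [ "$#" -eq 3 ]; then audit_octopass "$@"; fi
```

Because sshd takes the first occurrence of a keyword, an earlier `PasswordAuthentication yes` in the file overrides a later `no`, and the check reports it.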

Provisioning

Thank you @uchida, @hnmx4 and @hfm for some provisioning tools.

Backers 🚀

Support us with a monthly donation and help us continue our activities. [Become a backer]

Author

linyows