Switch branches/tags
Nothing to show
Find file History
yashtewari and arcurtis Make policy examples more simple and fine-grained.
- Make package names shorter and more obvious.
- Use separate (but identical) policies for sudo and sshd.
  This has no effect on the trial containers, but allows for
  the OPA PAM tutorial to demonstrate fine-grained control.
- Delete outdated policies files from repository.

Signed-off-by: Yash Tewari <yashtewari1996@gmail.com>
Latest commit 5d18164 Mar 23, 2018


Policy-driven SSH and sudo with OPA and a PAM module

This directory helps provide fine-grained, policy-based control over who can ssh and sudo into each of your servers and containers.

You can find a step-by-step tutorial at SSH and sudo Authorization.

Directory contents

This directory includes:

  • A policy-enabled PAM module that you install on each of your servers or containers (/pam)
  • Code showing you how to install and configure the PAM module and package servers as containers (/docker)

Try it

To get started, make sure you have docker and docker-compose installed and then build the server images using

$ cd $THIS_REPO/pam_authz
$ make && make up

This will fire up docker containers that can be used for trial and testing:

  • One of docker containers runs OPA, using the policies in /docker/policy

  • The other two containers run the PAM modules. You can try running sudo and SSH on them.

SSH in

To SSH into the frontend container:

$ ssh -p 2222 ops@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Enter ramesh and suresh in the prompts that follow to get access.

This behavior can be modified by changing the policies in the directory mentioned above.

Modify OpenSSH

To modify OpenSSH's behavior, edit /docker/etc/sshd_config.

For example you can change the line

AuthenticationMethods keyboard-interactive


AuthenticationMethods publickey,keyboard-interactive

The SSH server will now require both this key and PAM module authorization before it grants access.


For a more details on how to install, run and debug the PAM module on your own machines, see this README.