Policy-driven SSH and sudo with OPA and a PAM module
This directory helps provide fine-grained, policy-based control over who can ssh and sudo into each of your servers and containers.
You can find a step-by-step tutorial at SSH and sudo Authorization.
This directory includes:
- A policy-enabled PAM module that you install on each of your servers or containers (/pam)
- Code showing you how to install and configure the PAM module and package servers as containers (/docker)
To get started, make sure you have docker-compose installed, then build the server:
$ cd $THIS_REPO/pam_authz
$ make && make up
This will fire up docker containers that can be used for trial and testing:
One of the docker containers runs OPA, using the policies in
The other two containers run the PAM modules. You can try running
To SSH into the
$ ssh -p 2222 ops@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
suresh in the prompts that follow to get access.
This behavior can be modified by changing the policies in the directory mentioned above.
To modify OpenSSH's behavior, edit
For example you can change the line
The SSH server will now require both this key and PAM module authorization before it grants access.
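As an added illustration that is not taken from this repository's own files (the exact directive the tutorial edits is an assumption here), two sshd_config fragments: one where a valid key alone grants access, and one that demands a public key and then a PAM keyboard-interactive conversation, which is where a policy-enabled PAM module gets to ask its questions and deny the login:

```text
# Assumed example fragments, not this repository's sshd_config.

# Weaker: a valid key is sufficient on its own; the PAM auth stack
# (and therefore any policy check it performs) is never consulted.
UsePAM yes
PubkeyAuthentication yes
AuthenticationMethods publickey

# Stronger: the client must present a valid key AND complete a PAM
# keyboard-interactive exchange before sshd grants access.
# (KbdInteractiveAuthentication is the newer name for
# ChallengeResponseAuthentication; older releases accept only the latter.)
UsePAM yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
```

After editing, `sshd -t` checks the configuration for syntax errors before you reload the daemon, so a typo does not lock you out.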
For more details on how to install, run and debug the PAM module on your own machines, see this README.