Code Monkey home page Code Monkey logo

guest-oslogin's Introduction

OS Login Guest Environment for Google Compute Engine

This repository contains the system components responsible for providing Google Cloud OS Login features on Google Compute Engine instances.

Table of Contents

Overview

The OS Login Guest Environment consists of the following main components:

  • Authorized Keys Command which provides SSH keys from the user's OS Login profile to sshd for authenticating users at login.
  • NSS Modules which provide support for making OS Login user and group information available to the system, using NSS (Name Service Switch) functionality.
  • PAM Modules which provide authorization (and authentication if two-factor support is enabled) support allowing the system to use Google Cloud IAM permissions to control the ability to log into an instance or to perform operations as root (via sudo).

In addition to the main components, there are also the following utilities:

  • google_oslogin_nss_cache is a utility for updating the local user and group cache.
  • selinux contains SELinux policy definition files and a compiled policy package for configuring SELinux to support OS Login.

The packaging directory also contains files used to generate .deb and .rpm packages for the OS Login components.

Components

Authorized Keys Command

The google_authorized_keys binary is designed to be used with the sshd AuthorizedKeysCommand option in sshd_config(5). It does the following:

  • Reads the user's profile information from the metadata server: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
  • Checks to make sure that the user is authorized to log in: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login
  • If the check is successful, returns the SSH keys associated with the user for use by sshd. Otherwise, exits with an error code.

NSS Modules

libnss_oslogin.so and libnss_cache_oslogin.so are NSS service modules which make OS Login users and groups available for use on the local system. The module is activated by adding oslogin and cache_oslogin entries for services in nsswitch.conf(5).

  • To return a list of all users, the NSS module queries: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?pagesize=<pagesize>
  • To look up a user by username, the NSS module queries: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
  • To look up a user by UID, the NSS module queries: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?uid=<uid>

PAM Modules

pam_oslogin_login.so is a PAM module which determines whether a given user is allowed to SSH into an instance.

It is activated by adding an entry for the account group to the PAM service config for sshd as:

account requisite pam_oslogin_login.so

This module:

  • Retrieves the user's profile information from the metadata server: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
  • If the user does not have OS Login profile information it is passed on to the system authentication modules to be processed as a local user.
  • Otherwise, the module confirms whether the user has permissions to SSH into the instance: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login
  • If the user is authorized, PAM returns a success message and SSH can proceed. Otherwise, PAM returns a denied message and the SSH check will fail.

pam_oslogin_admin.so is a PAM module which determines whether a given user should have admin (sudo) permissions on the instance.

It is activated by adding an entry for the account group to the PAM service config for sshd config as:

account optional pam_oslogin_admin.so

This module:

  • Retrieves the user's profile information from the metadata server. 
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
  • If the user is not an OS Login user (a local user account), the module returns success.
  • Otherwise, the module determines if the user has admin permissions: 
    http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=adminLogin
  • If the user is authorized as an admin, a file with the username is added to /var/google-sudoers.d/. The file gives the user sudo privileges.
  • If the authorization check fails for admin permissions, the file is removed from /var/google-sudoers.d/ if it exists.

Utilities

SELinux Policy

The selinux directory contains .te (type enforcement) and .fc (file context) files used by SELinux to give the OS Login features the appropriate SELinux permissions. These are compiled using checkmodule and semodule_package to create an policy package oslogin.pp.

Source Packages

There is currently support for creating packages for the following distros:

  • Debian 9
  • CentOS/RHEL 6
  • CentOS/RHEL 7

Files for these packages are in the packaging/ directory.

guest-oslogin's People

Contributors

chaitanyakulkarni28 avatar dexter-1 avatar dorileo avatar ericdand avatar gonzoua avatar google-oss-robot avatar helen-fornazier avatar hopkiw avatar illfelder avatar jjerger avatar linskeyd avatar rjschwei avatar vorakl avatar zmarano avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

github30 hopkiw illfelder ekkarat-w-gmail-com bongoeadgc6 collabora-gce bsiegert rjschwei jeffstable-blog zmarano gaohannk pkeslin tank0226 henrypan muskanmahajan37 dexter-1 hatuyen1122 isabella232 global-localhost global19 global19-atlassian-net jazzed-edtech metaver5o t33m zacht1711 nochristrequired mahammadbaig reshmaks kallisti5 linskeyd nychph psasidhar devopsvj dorileo chaitanyakulkarni28 gonzoua ilyamar jjerger ericdand utkarsh2102 bpl4vv mattiasa renovate-bot

guest-oslogin's Issues

OSLogin presents multiple 2FA prompts

When SSHing into VMs with OSLogin and 2FA enabled, the 2FA prompt is displayed twice. It also has to be successfully passed twice to grant access.

This happens on both Ubuntu 18.04 and Debian 10 UEFI images with the Shielded VM settings enabled. It looks like this when it happens:

$ gcloud compute ssh <instance>
No zone specified. Using zone [europe-west4-b] for instance: [...].
Available authentication methods:
1: Google phone prompt
2: Security code from Google Authenticator application
3: Voice or text message verification code

Enter a number: 1
A login prompt has been sent to your enrolled device. Press enter to continue
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    19  100    19    0     0   1583      0 --:--:-- --:--:-- --:--:--  1583
Available authentication methods:
1: Google phone prompt
2: Security code from Google Authenticator application
3: Voice or text message verification code

Enter a number: 2
Enter your one-time password: 204649
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.0.0-1033-gcp x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Oct  9 16:53:06 UTC 2020

Inconsistent state of sudoers file when boot disk fills up

Steps to reproduce:

  1. Fill up boot disk to 100%
  2. SSH into machine using an account that has admin privileges, but hasn't ssh'd into the machine before
  3. Try running sudo su

Expected outcome:

  1. User can enter sudo mode

Actual outcome:

  1. User is prompted for sudo password.

Upon investigating, we realized that while the file for the user was created under google-sudoers.d, the file was empty. Even if the boot disk's space is increased by leveraging another vm, that user no longer has sudo access.

I believe the issue is here:

guest-oslogin/src/pam/pam_oslogin_admin.cc

Line 106 in 5126d1d

if (sudoers_file.is_open()) {

The file can be opened, but cannot be written to. This leads to an empty file being left in the sudoers.d directory

We verified this and resolved it by manually adding ALL=(ALL) NOPASSWD: ALL to the empty file using another user account that had root access.

While this is an edge case, it could be prudent to do a cleanup of empty files in this script to give users sudo access when they add disk space.

PAM account function broken in 20230919.00

We use the PAM account function as documented in the README, but as of the google-compute-engine-oslogin-20231004 release, PAM account lookups using the pam_oslogin_login.so module fail with the error: PAM unable to resolve symbol: pam_sm_acct_mgmt.

I see the pam_sm_acct_mgmt function was removed in #116. This change broke functionality that we depend on. Can it be reversed?

For reference, our pam configuration uses code like this to apply different policies to oslogin vs local or ldap user accounts (e.g. restricting user account login based on group membership).

account     [success=1 default=ignore]                   pam_oslogin_login.so
account     substack                                     user-policy

The project README documents how to use both the pam_oslogin_login.so and pam_oslogin_admin.so modules in the PAM account stack, so I would expect this functionality to still be supported. (https://github.com/GoogleCloudPlatform/guest-oslogin/tree/master#pam-modules)

Pluto pam_oslogin_login issues

Utilizing /etc/pam.d/pluto for an IPSEC connection into a GCP hosted box.

SSH into the server utilizing os_login is working fine (just standard os_login, not MFA required)

This is our /etc/pam.d/pluto

account required pam_oslogin_login.so
account optional pam_oslogin_admin.so

This is the log we get from /var/log/auth/log

Nov 19 03:24:59 instance-1 pluto[21665]: pam_unix(pluto:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=X.X.X.X 
Nov 19 03:25:01 instance-1 pluto[21665]: "xauth-psk"[8] X.X.X.X #4: XAUTH FAILED during pam_authenticate with 'Authentication failure' for state #4, xauth-psk[8] user=user_domain_com.
Nov 19 03:25:01 instance-1 pluto[21056]: "xauth-psk"[8] X.X.X.X #4: PAM: authentication of user 'user_domain_com' FAILED after 2.189794 seconds
Nov 19 03:25:01 instance-1 pluto[21056]: "xauth-psk"[8] X.X.X.X #4: XAUTH: User user_domain_com: Authentication Failed: Incorrect Username or Password
Nov 19 03:25:01 instance-1 pluto[21056]: "xauth-psk"[8] X.X.X.X #4: Expected MODE_CFG_REPLY is missing username and password attribute
Nov 19 03:25:01 instance-1 pluto[21056]: "xauth-psk"[8] X.X.X.X #4: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
Nov 19 03:25:01 instance-1 pluto[21056]: "xauth-psk"[8] X.X.X.X #4: XAUTH: User <unknown>: Authentication Failed (retry 1)
Nov 19 03:25:01 instance-1 pluto[21056]: "xauth-psk"[8] X.X.X.X #4: received Delete SA payload: self-deleting ISAKMP State #4
Nov 19 03:25:01 instance-1 pluto[21056]: "xauth-psk"[8] X.X.X.X #4: deleting state (STATE_XAUTH_R0) aged 2.468544s and sending notification

Any suggestions on what we are doing wrong?

Add a timer

Many linux distros no longer enable cron by default using systemd timers instead. The code should have a timer implementation as well.

support configurable metadata server address

It would be useful to make the address of the metadata service configurable for testing purpose or for proxying requests through http caching proxy or custom http filters. For NSS libs metadata server address can be passed with configuration file, for PAM modules as PAM Module argument and for google_authorized_keys as a command line flag.

google_oslogin_control groups.conf edit is not idempotent

google_oslogin_control attempts to add a line to /etc/security/groups.conf if it's not already there. However, because there are * characters in the line that get interpreted by grep, it actually just always adds the line.

Due to another bug (ours) this was running repeatedly and putting thousands of lines into the group.conf file, which made ssh take several minutes to do a login.

(source here)

  local group_conf_entry="sshd;*;*;Al0000-2400;adm,dip,docker,lxd,plugdev,video"

  if ! grep -q "$group_conf_entry" "$group_config"; then

I suggest using fgrep so the search expression is treated literally.

bash autocompletion slow

Hello,

It looks like after this patch: ef11bfe

The bash autocompletion on certain strings waits for the full 3 second timeout. This is on a a stock gcp vm running the latest debian image.

$ time ls ~*
ls: cannot access '~*': No such file or directory

real    0m3.066s
user    0m0.002s
sys     0m0.001s

It looks like the underlying http request to the metadata server is:

$ curl -v "http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=%2A" -H "Metadata-Flavor: Google"
*   Trying 169.254.169.254:80...
* Connected to metadata.google.internal (169.254.169.254) port 80 (#0)
> GET /computeMetadata/v1/oslogin/users?username=%2A HTTP/1.1
> Host: metadata.google.internal
> User-Agent: curl/7.88.1
> Accept: */*
> Metadata-Flavor: Google
> 
< HTTP/1.1 400 Bad Request
< Metadata-Flavor: Google
< Date: Mon, 13 May 2024 18:35:47 GMT
< Content-Type: text/html
< Server: Metadata Server for VM
< Content-Length: 288
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< 
[ReqId=....] Error Details: Username is not POSIX compliant.

Should retry logic be disabled on these types of errors in addition to 404?

Broken os user after turning on oslogin on instances with metadata based ssh

I would like to turn metadata based ssh configuration instances to oslogin. I performed test with following scenario:

  1. Create new VM using ubuntu-os-cloud/ubuntu-1804-lts image, it uses metadata ssh configuration. SSH with metadata creds are fine

  2. I enabled oslogin on the instance by setting 'enable-oslogin' instance metadata to 'TRUE'

  3. I created service account with roles 'roles/iap.tunnelResourceAccessor', 'roles/compute.osAdminLogin', and 'roles/iam.serviceAccountUser' then created service account key

  4. SSH to the VM with gcloud compute ssh vmname --tunnel-through-iap --account [email protected]

I could ssh into VM but then I got error:

Could not chdir to home directory /home/sa_108979697182048649586: No such file or directory

The generated user's home directory doesn't exist. The user also don't have sudo access. Using normal account instead of service account also resulting the same thing. Restarting the VM does not help.

If this could help, I found this on /var/log/syslog:

Sep 15 11:37:09 staging-test-iap-oslogin2 GCEGuestAgent[21317]: 2021-09-15T11:37:09.4552Z GCEGuestAgent Info: Enabling OS Login 
Sep 15 11:37:09 staging-test-iap-oslogin2 GCEGuestAgent[21317]: 2021-09-15T11:37:09.4607Z GCEGuestAgent Info: Removing user user1. 
Sep 15 11:37:09 staging-test-iap-oslogin2 GCEGuestAgent[21317]: 2021-09-15T11:37:09.4775Z GCEGuestAgent Info: Removing user user2. 
Sep 15 11:37:09 staging-test-iap-oslogin2 GCEGuestAgent[21317]: 2021-09-15T11:37:09.4914Z GCEGuestAgent Info: Removing user user3. 
Sep 15 11:37:09 staging-test-iap-oslogin2 GCEGuestAgent[21317]: 2021-09-15T11:37:09.5051Z GCEGuestAgent Info: Removing user user4. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Stopping Login Service... 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Stopped Login Service. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Starting Login Service... 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Started Login Service. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Stopping Regular background program processing daemon... 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Stopped Regular background program processing daemon. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Started Regular background program processing daemon. 
Sep 15 11:37:09 staging-test-iap-oslogin2 cron[31836]: (CRON) INFO (pidfile fd = 3) 
Sep 15 11:37:09 staging-test-iap-oslogin2 cron[31836]: (CRON) INFO (Skipping @reboot jobs -- not system startup) 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Stopping OpenBSD Secure Shell server... 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Stopped OpenBSD Secure Shell server. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: ssh.service: Found left-over process 30590 (sshd) in control group while starting unit. Ignoring. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: ssh.service: Found left-over process 30603 (sshd) in control group while starting unit. Ignoring. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: ssh.service: Found left-over process 30606 (bash) in control group while starting unit. Ignoring. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: Starting OpenBSD Secure Shell server... 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: ssh.service: Found left-over process 30590 (sshd) in control group while starting unit. Ignoring. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: ssh.service: Found left-over process 30603 (sshd) in control group while starting unit. Ignoring. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: ssh.service: Found left-over process 30606 (bash) in control group while starting unit. Ignoring. 
Sep 15 11:37:09 staging-test-iap-oslogin2 systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.

Needs license

The code base has no LICENSE file. While the provided packaging examples state the project is Apache-v2 license I think this is insufficient and a License file needs to exists at the top level to specify the license. With no explicit license the code becomes non-distributable by distro vendors.

Oslogin cache doesn't prevent requests to metadata

When cache is enabled i still see request sent to metadata service

Example of nsswitch.conf

passwd:            compat cache_oslogin oslogin
group:             compat cache_oslogin oslogin

#hosts networks etc

Surprisingly if i disable module with non-cached oslogin altogether it works with cache as expected
Example of nsswitch.conf

passwd:            compat cache_oslogin
group:             compat cache_oslogin

#hosts networks etc

I was able to reproduce this on Ubuntu Xenial and Focal. It looks like even though cache returns proper results nss still inovkes next module.

google-oslogin-cache service dies on getting groups

I am running into a problem on pretty much all of my servers that are running the oslogin service daemon. I see there is a closed issue (#45) where the groups feature appears to be in alpha at this point and it looks like I am running into an issue related to that. Right now, when I try to run the oslogin service I am seeing a fail when getting the groups.

$ sudo systemctl status google-oslogin-cache.service
● google-oslogin-cache.service - NSS cache refresh
Loaded: loaded (/lib/systemd/system/google-oslogin-cache.service; static; vendor preset: enabled)
Active: inactive (dead) since Wed 2020-12-16 15:35:18 UTC; 23s ago
Process: 21022 ExecStart=/usr/bin/google_oslogin_nss_cache (code=exited, status=0/SUCCESS)
Main PID: 21022 (code=exited, status=0/SUCCESS)

Dec 16 15:35:18 cis-vm-1 systemd[1]: Starting NSS cache refresh...
Dec 16 15:35:18 cis-vm-1 google_oslogin_nss_cache[21022]: oslogin_cache_refresh[21022]: Refreshing passwd entry cache
Dec 16 15:35:18 cis-vm-1 oslogin_cache_refresh[21022]: Refreshing passwd entry cache
Dec 16 15:35:18 cis-vm-1 google_oslogin_nss_cache[21022]: oslogin_cache_refresh[21022]: Refreshing group entry cache
Dec 16 15:35:18 cis-vm-1 oslogin_cache_refresh[21022]: Refreshing group entry cache
Dec 16 15:35:18 cis-vm-1 google_oslogin_nss_cache[21022]: oslogin_cache_refresh[21022]: Failure getting groups, quitting
Dec 16 15:35:18 cis-vm-1 google_oslogin_nss_cache[21022]: oslogin_cache_refresh[21022]: Produced empty group cache file, removing /etc/oslogin_group.cache.bak.
Dec 16 15:35:18 cis-vm-1 oslogin_cache_refresh[21022]: Failure getting groups, quitting
Dec 16 15:35:18 cis-vm-1 oslogin_cache_refresh[21022]: Produced empty group cache file, removing /etc/oslogin_group.cache.bak.
Dec 16 15:35:18 cis-vm-1 systemd[1]: Started NSS cache refresh.

Looking at the code, I see that the service is running the following metatdata query and getting and empty response. Looks like the service
$ curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/oslogin/groups?pagesize=10"
{"nextPageToken":"0"}

On line 249
if (!HttpGet(url.str(), &response, &http_code) || http_code != 200 ||
response.empty() || !LoadJsonGroupsToCache(response)) {
*errnop = ENOENT;
return false;
}

the empty response throws an errors and the process dies...

Am I missing something?

Version of google-compute-engine-oslogin I am running
$ dpkg-query --list |grep oslog
ii google-compute-engine-oslogin 20200925.00-0ubuntu3~18.04.0 amd64 Google Compute Engine OS Login

Log cause of failure in authorized keys utility

While testing new functionality, we've got stuck on a mysterious rejection from the /usr/bin/google_authorized_keys utility; the PAM module simply logs this as:

error: AuthorizedKeysCommand /usr/bin/google_authorized_keys ${USERNAME} failed, status 1

The authorized keys module itself seems to do no logging whatsoever: https://github.com/GoogleCloudPlatform/guest-oslogin/blob/master/src/authorized_keys/authorized_keys.cc

Please add logging to the authorized keys utility that indicates where and how it has failed.

Segmentation fault (core dumped) while running tests

Hello,

Whilst trying to prep a release for 20210728.00 in Ubuntu, the package failed to build. More specifically, the tests crashed with a segfault. Here are the logs:

[...]
 debian/rules build
dh build
   dh_update_autotools_config
   dh_autoreconf
   debian/rules override_dh_auto_configure
make[1]: Entering directory '/<<PKGBUILDDIR>>'
cp -r /usr/src/gtest/ ./
dh_auto_configure
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
   dh_auto_build
	make -j8 "INSTALL=install --strip-program=true"
make[1]: Entering directory '/<<PKGBUILDDIR>>'
make -C src all
make[2]: Entering directory '/<<PKGBUILDDIR>>/src'
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c  -c -o nss/nss_oslogin.o nss/nss_oslogin.cc
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c  -c -o oslogin_utils.o oslogin_utils.cc
cc -fPIC -Wall -g -Wstrict-prototypes -Iinclude -I/usr/include/json-c  -c -o nss/nss_cache_oslogin.o nss/nss_cache_oslogin.c
cc -fPIC -Wall -g -Wstrict-prototypes -Iinclude -I/usr/include/json-c  -c -o nss/compat/getpwent_r.o nss/compat/getpwent_r.c
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c  -c -o pam/pam_oslogin_login.o pam/pam_oslogin_login.cc
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c  -c -o pam/pam_oslogin_admin.o pam/pam_oslogin_admin.cc
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c  -c -o cache_refresh/cache_refresh.o cache_refresh/cache_refresh.cc
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c  -c -o authorized_keys/authorized_keys.o authorized_keys/authorized_keys.cc
cache_refresh/cache_refresh.cc: In function ‘int refreshgroupcache()’:
cache_refresh/cache_refresh.cc:171:35: warning: catching polymorphic type ‘class std::ios_base::failure’ by value [-Wcatch-value=]
  171 |     catch (std::ofstream::failure e) {
      |                                   ^
cache_refresh/cache_refresh.cc:180:33: warning: catching polymorphic type ‘class std::ios_base::failure’ by value [-Wcatch-value=]
  180 |   catch (std::ofstream::failure e) {
      |                                 ^
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c -shared -Wl,-z,defs -Wl,-soname,libnss_oslogin.so.2 nss/nss_oslogin.o oslogin_utils.o -o libnss_oslogin-20210728.00.so -lcurl -ljson-c
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c -shared -Wl,-z,defs -Wl,-soname,libnss_cache_oslogin.so.2 nss/nss_cache_oslogin.o nss/compat/getpwent_r.o oslogin_utils.o -o libnss_cache_oslogin-20210728.00.so -lcurl -ljson-c
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c -shared pam/pam_oslogin_login.o oslogin_utils.o -o pam_oslogin_login.so -lpam -lcurl -ljson-c
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c -shared pam/pam_oslogin_admin.o oslogin_utils.o -o pam_oslogin_admin.so -lpam -lcurl -ljson-c
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c cache_refresh/cache_refresh.o oslogin_utils.o -o google_oslogin_nss_cache -lcurl -ljson-c
g++ -fPIC -Wall -g -Iinclude -I/usr/include/json-c authorized_keys/authorized_keys.o oslogin_utils.o -o google_authorized_keys -lcurl -ljson-c
make[2]: Leaving directory '/<<PKGBUILDDIR>>/src'
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
   debian/rules override_dh_auto_test
make[1]: Entering directory '/<<PKGBUILDDIR>>'
(cd gtest && cmake . && /usr/bin/make )
-- The CXX compiler identification is GNU 11.2.0
-- The C compiler identification is GNU 11.2.0
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Could NOT find PythonInterp (missing: PYTHON_EXECUTABLE) 
-- Looking for pthread.h
-- Looking for pthread.h - found
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Failed
-- Looking for pthread_create in pthreads
-- Looking for pthread_create in pthreads - not found
-- Looking for pthread_create in pthread
-- Looking for pthread_create in pthread - found
-- Found Threads: TRUE  
-- Configuring done
-- Generating done
-- Build files have been written to: /<<PKGBUILDDIR>>/gtest
make[2]: Entering directory '/<<PKGBUILDDIR>>/gtest'
make[3]: Entering directory '/<<PKGBUILDDIR>>/gtest'
make[4]: Entering directory '/<<PKGBUILDDIR>>/gtest'
Scanning dependencies of target gtest
make[4]: Leaving directory '/<<PKGBUILDDIR>>/gtest'
make[4]: Entering directory '/<<PKGBUILDDIR>>/gtest'
[ 25%] Building CXX object CMakeFiles/gtest.dir/src/gtest-all.cc.o
[ 50%] Linking CXX static library lib/libgtest.a
make[4]: Leaving directory '/<<PKGBUILDDIR>>/gtest'
[ 50%] Built target gtest
make[4]: Entering directory '/<<PKGBUILDDIR>>/gtest'
Scanning dependencies of target gtest_main
make[4]: Leaving directory '/<<PKGBUILDDIR>>/gtest'
make[4]: Entering directory '/<<PKGBUILDDIR>>/gtest'
[ 75%] Building CXX object CMakeFiles/gtest_main.dir/src/gtest_main.cc.o
[100%] Linking CXX static library lib/libgtest_main.a
make[4]: Leaving directory '/<<PKGBUILDDIR>>/gtest'
[100%] Built target gtest_main
make[3]: Leaving directory '/<<PKGBUILDDIR>>/gtest'
make[2]: Leaving directory '/<<PKGBUILDDIR>>/gtest'
make -C test CXXFLAGS="-g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/gtest" GTEST_DIR=/<<PKGBUILDDIR>>/gtest
make[2]: Entering directory '/<<PKGBUILDDIR>>/test'
g++ -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/gtest -Wdate-time -D_FORTIFY_SOURCE=2 -I/<<PKGBUILDDIR>>/src/include -I/usr/include/json-c -I/<<PKGBUILDDIR>>/gtest -isystem /<<PKGBUILDDIR>>/gtest/include  -c -o oslogin_utils_test.o oslogin_utils_test.cc
g++ -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/gtest -Wdate-time -D_FORTIFY_SOURCE=2 -I/<<PKGBUILDDIR>>/src/include -I/usr/include/json-c -I/<<PKGBUILDDIR>>/gtest -isystem /<<PKGBUILDDIR>>/gtest/include -c /<<PKGBUILDDIR>>/gtest/src/gtest-all.cc
g++ -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/gtest -Wdate-time -D_FORTIFY_SOURCE=2 -I/<<PKGBUILDDIR>>/src/include -I/usr/include/json-c -I/<<PKGBUILDDIR>>/gtest -isystem /<<PKGBUILDDIR>>/gtest/include oslogin_utils_test.o /<<PKGBUILDDIR>>/src/oslogin_utils.o gtest-all.o -o test_runner -lcurl -ljson-c -lpthread
g++ -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/gtest -Wdate-time -D_FORTIFY_SOURCE=2 -I/<<PKGBUILDDIR>>/src/include -I/usr/include/json-c -I/<<PKGBUILDDIR>>/gtest -isystem /<<PKGBUILDDIR>>/gtest/include  -c -o oslogin_test.o oslogin_test.cc
g++ -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/gtest -Wdate-time -D_FORTIFY_SOURCE=2 -I/<<PKGBUILDDIR>>/src/include -I/usr/include/json-c -I/<<PKGBUILDDIR>>/gtest -isystem /<<PKGBUILDDIR>>/gtest/include oslogin_test.o gtest-all.o -o new_test_runner -lcurl -ljson-c -lpthread
./test_runner --gtest_output=xml --gtest_filter=*-GetGroupByTest.*:GetUsersForGroupTest.*
Note: Google Test filter = *-GetGroupByTest.*:GetUsersForGroupTest.*
[==========] Running 35 tests from 12 test suites.
[----------] Global test environment set-up.
[----------] 2 tests from BufferManagerTest
[ RUN      ] BufferManagerTest.TestAppendString
[       OK ] BufferManagerTest.TestAppendString (0 ms)
[ RUN      ] BufferManagerTest.TestAppendStringTooLarge
[       OK ] BufferManagerTest.TestAppendStringTooLarge (0 ms)
[----------] 2 tests from BufferManagerTest (0 ms total)

[----------] 4 tests from NssCacheTest
[ RUN      ] NssCacheTest.TestLoadJsonArray
[       OK ] NssCacheTest.TestLoadJsonArray (1 ms)
[ RUN      ] NssCacheTest.TestLoadJsonPartialArray
[       OK ] NssCacheTest.TestLoadJsonPartialArray (0 ms)
[ RUN      ] NssCacheTest.TestLoadJsonFinalResponse
[       OK ] NssCacheTest.TestLoadJsonFinalResponse (0 ms)
[ RUN      ] NssCacheTest.ResetNullPtrTest
[       OK ] NssCacheTest.ResetNullPtrTest (0 ms)
[----------] 4 tests from NssCacheTest (1 ms total)

[----------] 8 tests from ParseJsonPasswdTest
[ RUN      ] ParseJsonPasswdTest.ParseJsonToPasswdSucceeds
[       OK ] ParseJsonPasswdTest.ParseJsonToPasswdSucceeds (0 ms)
[ RUN      ] ParseJsonPasswdTest.ParseJsonToPasswdSucceedsWithHighUid
[       OK ] ParseJsonPasswdTest.ParseJsonToPasswdSucceedsWithHighUid (0 ms)
[ RUN      ] ParseJsonPasswdTest.ParseJsonToPasswdSucceedsWithStringUid
[       OK ] ParseJsonPasswdTest.ParseJsonToPasswdSucceedsWithStringUid (0 ms)
[ RUN      ] ParseJsonPasswdTest.ParseJsonToPasswdNoLoginProfilesSucceeds
[       OK ] ParseJsonPasswdTest.ParseJsonToPasswdNoLoginProfilesSucceeds (0 ms)
[ RUN      ] ParseJsonPasswdTest.ParseJsonToPasswdFailsWithERANGE
[       OK ] ParseJsonPasswdTest.ParseJsonToPasswdFailsWithERANGE (0 ms)
[ RUN      ] ParseJsonPasswdTest.ParseJsonToPasswdFailsWithEINVAL
[       OK ] ParseJsonPasswdTest.ParseJsonToPasswdFailsWithEINVAL (0 ms)
[ RUN      ] ParseJsonPasswdTest.ValidatePartialJsonResponse
[       OK ] ParseJsonPasswdTest.ValidatePartialJsonResponse (0 ms)
[ RUN      ] ParseJsonPasswdTest.ValidateInvalidJsonResponse
[       OK ] ParseJsonPasswdTest.ValidateInvalidJsonResponse (0 ms)
[----------] 8 tests from ParseJsonPasswdTest (0 ms total)

[----------] 5 tests from ParseJsonToGroupsTest
[ RUN      ] ParseJsonToGroupsTest.ParseJsonToGroupsSucceeds
[       OK ] ParseJsonToGroupsTest.ParseJsonToGroupsSucceeds (0 ms)
[ RUN      ] ParseJsonToGroupsTest.ParseJsonToGroupsSucceedsWithHighGid
[       OK ] ParseJsonToGroupsTest.ParseJsonToGroupsSucceedsWithHighGid (0 ms)
[ RUN      ] ParseJsonToGroupsTest.ParseJsonToGroupsSucceedsWithStringGid
[       OK ] ParseJsonToGroupsTest.ParseJsonToGroupsSucceedsWithStringGid (0 ms)
[ RUN      ] ParseJsonToGroupsTest.ParseJsonToGroupsFails
[       OK ] ParseJsonToGroupsTest.ParseJsonToGroupsFails (0 ms)
[ RUN      ] ParseJsonToGroupsTest.TestGroups
[       OK ] ParseJsonToGroupsTest.TestGroups (0 ms)
[----------] 5 tests from ParseJsonToGroupsTest (0 ms total)

[----------] 2 tests from ParseJsonToUsersTest
[ RUN      ] ParseJsonToUsersTest.ParseJsonToUsersSucceeds
[       OK ] ParseJsonToUsersTest.ParseJsonToUsersSucceeds (0 ms)
[ RUN      ] ParseJsonToUsersTest.ParseJsonToUsersEmptyGroupSucceeds
[       OK ] ParseJsonToUsersTest.ParseJsonToUsersEmptyGroupSucceeds (0 ms)
[----------] 2 tests from ParseJsonToUsersTest (0 ms total)

[----------] 2 tests from ParseJsonEmailTest
[ RUN      ] ParseJsonEmailTest.SuccessfullyParsesEmail
[       OK ] ParseJsonEmailTest.SuccessfullyParsesEmail (0 ms)
[ RUN      ] ParseJsonEmailTest.FailsParseEmail
[       OK ] ParseJsonEmailTest.FailsParseEmail (0 ms)
[----------] 2 tests from ParseJsonEmailTest (0 ms total)

[----------] 4 tests from ParseJsonSshKeyTest
[ RUN      ] ParseJsonSshKeyTest.ParseJsonToSshKeysSucceeds
[       OK ] ParseJsonSshKeyTest.ParseJsonToSshKeysSucceeds (0 ms)
[ RUN      ] ParseJsonSshKeyTest.ParseJsonToSshKeysMultipleKeys
[       OK ] ParseJsonSshKeyTest.ParseJsonToSshKeysMultipleKeys (0 ms)
[ RUN      ] ParseJsonSshKeyTest.ParseJsonToSshKeysFiltersExpiredKeys
[       OK ] ParseJsonSshKeyTest.ParseJsonToSshKeysFiltersExpiredKeys (0 ms)
[ RUN      ] ParseJsonSshKeyTest.ParseJsonToSshKeysFiltersMalformedExpiration
[       OK ] ParseJsonSshKeyTest.ParseJsonToSshKeysFiltersMalformedExpiration (0 ms)
[----------] 4 tests from ParseJsonSshKeyTest (0 ms total)

[----------] 1 test from ParseJsonAuthorizeSuccess
[ RUN      ] ParseJsonAuthorizeSuccess.SuccessfullyAuthorized
[       OK ] ParseJsonAuthorizeSuccess.SuccessfullyAuthorized (0 ms)
[----------] 1 test from ParseJsonAuthorizeSuccess (0 ms total)

[----------] 2 tests from ValidateUserNameTest
[ RUN      ] ValidateUserNameTest.ValidateValidUserNames
[       OK ] ValidateUserNameTest.ValidateValidUserNames (4 ms)
[ RUN      ] ValidateUserNameTest.ValidateInvalidUserNames
[       OK ] ValidateUserNameTest.ValidateInvalidUserNames (4 ms)
[----------] 2 tests from ValidateUserNameTest (8 ms total)

[----------] 2 tests from ParseJsonKeyTest
[ RUN      ] ParseJsonKeyTest.TestKey
[       OK ] ParseJsonKeyTest.TestKey (0 ms)
[ RUN      ] ParseJsonKeyTest.TestMissingKey
[       OK ] ParseJsonKeyTest.TestMissingKey (0 ms)
[----------] 2 tests from ParseJsonKeyTest (0 ms total)

[----------] 2 tests from ParseJsonChallengesTest
[ RUN      ] ParseJsonChallengesTest.TestChallenges
Segmentation fault (core dumped)
make[2]: *** [Makefile:31: non_network_tests] Error 139
make[2]: Leaving directory '/<<PKGBUILDDIR>>/test'
make[1]: *** [debian/rules:16: override_dh_auto_test] Error 2
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:8: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
--------------------------------------------------------------------------------

Any idea what's up? Thanks in advance! \o/

Please tag releases

There is no tagged release since splitting guest-oslogin from compute-image-packages. Please tag a release to help packaging this project.

os-login and sssd pam modules are incompatible

In newer versions of sudo (observed with 1.8.27 most likely present since 1.8.23) the code changed such that even if a user is configured to have sudo access without a password the PAM account management modules and BSD auth approval modules now run. For oslogin this results in a failure:

sudo: PAM account management error: User not known to the underlying authentication module

The use of ldap and sssd modules in PAM is a fairly common use case for Enterprises to tie their GCE instances into their existing authentication system.

The incompatibility should be addressed in the oslogin code.

OSlogin makes chef (ruby) crash

Hello Google Cloud team !

Whilst in the process of upgrading our VMs to debian 11 I encountered an issue with our configuration management tool tool, chef. It is written in ruby and it turns out some calls make it crash (segmentation fault). My first thought has been to search in chef itself, but after compiling several versions, with different ruby and chef versions, on different OSes it only happened in our GCP environment

It crashed as this :

/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/provider/group.rb:39: [BUG] Segmentation fault at 0x0000000000000000
ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0036 p:---- s:0175 e:000174 CFUNC  :getgrnam
c:0035 p:0057 s:0170 e:000169 METHOD /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/provider/group.rb:39
c:0034 p:0004 s:0165 e:000164 METHOD /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/provider/group/groupadd.rb:31
c:0033 p:0004 s:0161 e:000160 METHOD /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/provider/group/gpasswd.rb:28
c:0032 p:0054 s:0157 e:000156 METHOD /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/provider.rb:228
c:0031 p:0008 s:0152 e:000151 BLOCK  /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/resource.rb:601
c:0030 p:0028 s:0149 e:000148 METHOD /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/resource.rb:628
c:0029 p:0186 s:0144 e:000143 METHOD /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/resource.rb:600
c:0028 p:0063 s:0134 e:000133 METHOD /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/runner.rb:74
c:0027 p:0008 s:0125 e:000124 BLOCK  /opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-18.0.126/lib/chef/runner.rb:108 [FINISH]
..... stripped .....

By stracing the process I came to narrow the libnss_oslogin.so.2 as the culprit :

openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_oslogin.so.2", O_RDONLY|O_CLOEXEC) = 24
read(24, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\"\7\0\0\0\0\0"..., 832) = 832
fstat(24, {st_mode=S_IFREG|0644, st_size=800192, ...}) = 0
mmap(NULL, 802240, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 24, 0) = 0x7ff1baa35000
mmap(0x7ff1baa9e000, 241664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 24, 0x69000) = 0x7ff1baa9e000
mmap(0x7ff1baad9000, 106496, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 24, 0xa4000) = 0x7ff1baad9000
mmap(0x7ff1baaf3000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 24, 0xbd000) = 0x7ff1baaf3000
close(24)                               = 0
mprotect(0x7ff1baaf3000, 4096, PROT_READ) = 0
munmap(0x7ff1e5472000, 14012)           = 0
access("/etc/oslogin_group.cache", R_OK) = 0
futex(0x7ff1bb724858, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7ff1bb72484c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7ff1bb724844, FUTEX_WAKE_PRIVATE, 2147483647) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---

and I confirmed it was this, because removing the google-compute-engine-oslogin package and thus the shared library, makes the problem go away.

But we need oslogin since it's a building block of our login process :(

Can you advise or think of a workaround ?

Thanks

Add admin users to posix group

Would it be feasible to add all members with compute.instances.osAdminLogin to a group within the VM? These users are granted password-less sudo but they are not a member of the group sudo. They are only members of their own group (and video if logging in from sshd)

Adding members to this sudo group or the google-sudoers group would allow (among other things) setting policykit permissions to skip asking for a password. e.g. #92

How to handle groups assigned to users in a centralized way

I need my oslogin-managed users to belong to groups like docker and lxd. I've been poring over all the available documentation, code, etc trying to figure out how to make this happen, but I was not able to find this information.

From looking at the code in this repo, it seems like oslogin is supposed to handle groups, but I couldn't find anything about how to set local groups. Getting the group information seems to fail for google_oslogin_nss_cache:

marga_kinvolk_io@instance-1 ~ $ sudo /usr/libexec/google_oslogin_nss_cache   
oslogin_cache_refresh[1360]: Refreshing passwd entry cache
oslogin_cache_refresh[1360]: Refreshing group entry cache
oslogin_cache_refresh[1360]: Failure getting groups, quitting
oslogin_cache_refresh[1360]: Produced empty group cache file, removing /etc/oslogin_group.cache.bak.

Running the same command with strace I see this:

sendto(5, "GET /computeMetadata/v1/oslogin/groups?pagesize=499 HTTP/1.1\r\nHost: metadata.google.internal\r\nAccept: */*\r\nMetadata-Flavor: Google\r\n\r\n", 134, MSG_NOSIGNAL, NULL, 0) = 134
1313  recvfrom(5, "HTTP/1.1 500 Internal Server Error\r\nMetadata-Flavor: Google\r\nDate: Fri, 18 Sep 2020 09:50:26 GMT\r\nContent-Type: text/html\r\nServer: Metadata Server for VM\r\nConnection: Close\r\nContent-Length: 14\r\nX-XSS-Protection: 0\r\nX-Frame-Options: SAMEORIGIN\r\n\r\ninternal error", 16384, 0, NULL, NULL) = 260

And sure enough, if I try that call myself I get the same error:

marga_kinvolk_io@instance-1 ~ $ curl "http://metadata.google.internal/computeMetadata/v1/oslogin/groups?pagesize=499&pagetoken=0" -H "Metadata-Flavor: Google"
internal error

This could be because my user requires some permission that's not available or something like that (it's not an "owner" user). But if that's the case, there's no documentation detailing which permissions are necessary. Also, other metadata calls work fine:

marga_kinvolk_io@instance-1 ~ $ curl "http://metadata.google.internal/computeMetadata/v1/oslogin/users?pagesize=1&pagetoken=0" -H "Metadata-Flavor: Google"
{"loginProfiles":[{"name":"103737192707657643592","posixAccounts":[{"primary":true,"username":"marga_kinvolk_io","uid":"1676322516","gid":"1676322516","homeDirectory":"/home/marga_kinvolk_io",....

I could find no documentation in the OS Login docs that mentioned the groups URL used by the nss_cache tool. I don't know if this used to work but no longer does or if it never worked.

In a separate attempt to get the groups to work, I tried modifying /etc/security/group.conf and adding some groups (taken from an old guest-oslogin entry):

marga_kinvolk_io@instance-1 ~ $ tail -1 /etc/security/group.conf 
sshd;*;*;Al0000-2400;adm,dip,docker,lxd,plugdev,video

But this also made no difference. My user doesn't belong to the necessary groups (not even after rebooting and logging in again).

So, would it be possible to please clarify how user groups are supposed to be managed when using oslogin? In particular, I want to make whatever necessary changes to ensure that any users created by oslogin belong to a bunch of groups, in the same way that this is possible by modifying /etc/default/instance_configs.cfg when not using oslogin.

Thanks!

Ability to operate outside of GCP

We have servers on GCE and on various other environments as well.
I would be nice to be able to centralize the Identity and Access to our Google Cloud Identity using IAM and OS Login.

There currently isn't a Google solution for this, and it seems a natural progression just like Windows has GCPW we also need GCPL (for Linux) and OS Login would be perfect if it could have an option to work outside of the GCP network.

Question: Using OS Login from a Bastion for SSH + IAP inside a chroot to second VM in a different project

Hello, a bit of a longwinded question but what I am attempting to achieve is the ability to have a Bastion Host in one GCP project connect via SSH to the internal IP of another VM in a different project. At the moment I cannot use gcloud compute ssh and can only use ssh from /bin/ssh. Additionally I cannot use a shared VPC setup and need networking on both projects to be independent of one another.

In a testing environment outside of a chroot I was able to successfully get a gcloud compute ssh connection across two VMs using their internal IPs across projects. The command used the --tunnel-through-iap flag.

Did this only work because of the --tunnel-through-iap flag which sets up TCP forwarding? I guess I am a bit confused on how this works overall and is there a way to replicate it with the normal ssh command? How exactly does gcloud compute ssh <INSTANCE> --zone=<ZONE> --tunnel-through-iap --project=<PROJECT_ID> translate into a ssh command?

If there is a better GitHub repository to post this issue at let me know.

Improve error reporting when user has no 2fa methods configured

If a Google Workspace user doesn't have any 2FA methods enabled pam_oslogin_login.so fails with only a Permission Denied without explaining why. In our case we use an external IDP which implements 2FA when authenticating to Google so a lot of users don't have 2FA methods configured on their Google accounts.

I had to resort to strace on my sshd process to figure out that the call to /computeMetadata/v1/oslogin/authenticate/sessions/start returned status: NO_AVAILABLE_CHALLENGES.

I'm going to submit a PR which adds more informative logging in this failure case.

don't segfault if invalid data is returned from metadata server

NixOS packages the google-oslogin in nixpkgs. Because our setup is a bit more complicated (as we have to use ns(n)cd), we ship an (isolated) integration test, spinning up a mock metadata server.

We didn't implement the /computeMetadata/v1/oslogin/groups endpoint in there (probably because it didn't exist at the time), and observed a bunch of segfaults in the code that loads the oslogin NSS module (in our case, in the ns(n)cd daemon, without that in all client applications). Adding that endpoint in our mock implementation made the segfaults go away.

While "the real" metadata server(s) in GCP might not return 404 on that endpoint, segfautling seems to be a sign of insufficient error handling.

Can you make sure these paths are properly handled without segfautling? Other paths in the code return a NSS_STATUS_NOTFOUND, maybe that or another bad status code could be used.

sudo access depends upon SSH key registration with OS Login

Customers report the following observed sudo behavior of VMs when OS Login is enabled is as follows:

  1. If the user logs in with a key registered in OS Login (most typically via gcloud compute ssh) and the user has roles/compute.osAdminLogin, then the AuthorizedKeysCommand / google_authorized_keys binary adds a per-user sudoers file to /var/google-sudoers.d/ and the user is able to run sudo.
  2. If the user subsequently logs in with a key not registered in OS Login, but has been manually added to the user's authorized_keys file, then they may retain sudo access from step 1 for a period of hours, but it is eventually lost and they must repeat Step 1.

If Step 2 is accurate, then this is probably being reset by OS Login cache systemd timer. Perhaps VMs are rebooting without their awareness? I'd like some insight if you have any.

Step 2 is common enough in clusters of VMs with shared filesystems, especially when user /home directories are shared for purposes of large-scale workloads. Could sudo escalation occur by a PAM-based mechanism rather than set by sshd at initial authentication? I see this mentioned in the README:

*   **PAM Modules** which provide authorization (and authentication if
    two-factor support is enabled) support allowing the system to use Google
    Cloud IAM permissions to control the ability to log into an instance or to
    perform operations as root (via `sudo`).

but I was not able to find the file pam_oslogin_login.so anywhere within the OS. We have been using recent copies of the guest-oslogin package. If you need a specific version for reproduction purposes, please let me know. I believe the gap in PAM may be a known issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.