
pam-nss-signedjit

About

pam-nss-signedjit reads a signed (via CMS) file from an HTTPS endpoint and applies the file to local NSS and PAM files for the purposes of enabling Just-in-Time (JIT) administration.

It is intended to be used with:

  • ssh keys via AuthorizedKeysCommand
  • PAM listfile for authorization / JIT
  • NSS extrausers for user and group (admin / sudoers group) info
  • pam_mkhomedir for homedir creation

Install instructions

First create a bootstrap.json and a signed JSON file, and upload the signed file to the URL given in bootstrap.json. This can be done either via:

  • openssl:
    gzip bootstrap.example.json
    openssl cms -sign -in bootstrap.example.json.gz -text -outform pem -out jit.signed -signer acert.pem
  • via certsign.ps1

It can be validated with either PowerShell/.NET CMS or openssl:

openssl cms -verify -in jit.signed -inform pem -out bootstrap.example.json.gz -certfile acert.pem -noverify -nointern
gunzip bootstrap.example.json.gz

Next, on client machines:

  1. cp pam-nss-signedjit /usr/local/bin/pam-nss-signedjit
  2. mkdir /var/lib/pam-nss-signedjit && mkdir /etc/pam-nss-signedjit
  3. /usr/local/bin/pam-nss-signedjit bootstrap --filepath bootstrap.json
  4. apt install libnss-extrausers
  5. ln -s /var/lib/pam-nss-signedjit/passwd /var/lib/extrausers/passwd && ln -s /var/lib/pam-nss-signedjit/group /var/lib/extrausers/group
  6. Edit /etc/nsswitch.conf, adding:
     passwd:         compat extrausers
     group:          compat extrausers
  7. Add the following to /etc/ssh/sshd_config:
     AuthorizedKeysCommand /usr/local/bin/pam-nss-signedjit sshkey --username %u
     AuthorizedKeysCommandUser nobody
  8. Add a crontab entry: * * * * * /usr/local/bin/pam-nss-signedjit update 2>/dev/null >/dev/null
  9. Add a sudoers entry: %jitadmins ALL=(ALL) NOPASSWD: ALL
  10. Add a common-auth entry: auth requisite pam_listfile.so item=user sense=allow file=/var/lib/pam-nss-signedjit/jitedusers onerr=fail
      • If you want a separate break-glass allow list, use [success=1 default=ignore] instead of requisite and add a second pam_listfile.so line with requisite
  11. Add a common-session entry: session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Contributors

n6udp
