README.md

## OS Login Guest Environment for Google Compute Engine

This repository contains the system components responsible for providing Google
Cloud OS Login features on Google Compute Engine instances.

**Table of Contents**

* [Overview](#overview)
* [Components](#components)
    * [Authorized Keys Command](#authorized-keys-command)
    * [NSS Modules](#nss-modules)
    * [PAM Modules](#pam-modules)
* [Utilities](#utilities)
    * [Control Script](#control-script)
    * [SELinux Policy](#selinux-policy)
* [Source Packages](#source-packages)
    * [DEB](#deb)
    * [RPM](#rpm)

## Overview

The OS Login Guest Environment consists of the following main components:

*   **Authorized Keys Command** which provides SSH keys from the user's OS Login
    profile to sshd for authenticating users at login.
*   **NSS Modules** which make OS Login user and group information available to
    the system through NSS (Name Service Switch).
*   **PAM Modules** which provide authorization (and, if two-factor support is
    enabled, authentication) so that the system can use Google Cloud IAM
    permissions to control who may log into an instance or perform operations
    as root (via `sudo`).

In addition to the main components, there are also the following utilities:

*   **google_oslogin_control** is a shell script for activating/deactivating the
    OS Login components.
*   **google_oslogin_nss_cache** is a utility for updating the local user and
    group cache.
*   **selinux** contains SELinux policy definition files and a compiled policy
    package for configuring SELinux to support OS Login.

The **packaging** directory also contains files used to generate `.deb` and
`.rpm` packages for the OS Login components.

## Components

#### Authorized Keys Command

The `google_authorized_keys` binary is designed to be used with the sshd
`AuthorizedKeysCommand` option in [sshd_config(5)](https://linux.die.net/man/5/sshd_config).
It does the following:

*   Reads the user's profile information from the metadata server:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
    ```
*   Checks that the user is authorized to log in:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login
    ```
*   If the check is successful, returns the SSH keys associated with the user
    for use by sshd. Otherwise, exits with an error code, so sshd receives no
    keys for the user.

#### NSS Modules

`libnss_oslogin.so` and `libnss_cache_oslogin.so` are NSS service modules which
make OS Login users and groups available for use on the local system. The
modules are activated by adding `oslogin` and `cache_oslogin` entries for
services in [nsswitch.conf(5)](https://linux.die.net/man/5/nsswitch.conf).

*   To return a list of all users, the NSS module queries:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?pagesize=<pagesize>
    ```
*   To look up a user by username, the NSS module queries:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
    ```
*   To look up a user by UID, the NSS module queries:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?uid=<uid>
    ```

#### PAM Modules

`pam_oslogin_login.so` is a PAM module which determines whether a given user is
allowed to SSH into an instance.

It is activated by adding an entry for the `account` group to the PAM service
config for sshd as:
```
account requisite pam_oslogin_login.so
```

This module:

*   Retrieves the user's profile information from the metadata server:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
    ```
*   If the user does not have OS Login profile information, the request is
    passed on to the system authentication modules to be processed as a local
    user.
*   Otherwise, the module confirms whether the user has permission to SSH into
    the instance:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login
    ```
*   If the user is authorized, PAM returns success and SSH can proceed.
    Otherwise, PAM returns a denial and the SSH check fails.

`pam_oslogin_admin.so` is a PAM module which determines whether a given user
should have admin (sudo) permissions on the instance.

It is activated by adding an entry for the `account` group to the PAM service
config for sshd as:
```
account optional pam_oslogin_admin.so
```

This module:

*   Retrieves the user's profile information from the metadata server:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
    ```
*   If the user is not an OS Login user (a local user account), the module
    returns success.
*   Otherwise, the module determines whether the user has admin permissions:
    ```
    http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=adminLogin
    ```
*   If the user is authorized as an admin, a file with the username is added to
    `/var/google-sudoers.d/`. The file gives the user sudo privileges.
*   If the authorization check for admin permissions fails, the file is removed
    from `/var/google-sudoers.d/` if it exists.

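The two decision flows above (the Authorized Keys Command's profile-then-`policy=login` check, and `pam_oslogin_admin.so`'s `policy=adminLogin` check that creates or removes the per-user file under `/var/google-sudoers.d/`) are modelled below as an added example. It is not the project's code: the metadata server is replaced by a constructed in-memory dict, the JSON shapes (`loginProfiles`, `name`, `sshPublicKeys`, `expirationTimeUsec`, `success`), the sudoers rule text and the username pattern are assumptions, and the sudoers directory is a temporary one. The points it makes are the ones a defender cares about: the username is validated before it is used in a URL, a file name or a sudoers rule; every metadata failure is treated as "not authorized"; expired keys are never handed to sshd; and the sudoers file is revoked as soon as the admin check stops passing.

```python
"""Added example (not the project's code): OS Login authorized-keys and
admin-sudoers decision flows against a constructed metadata stand-in.
JSON shapes, sudoers rule text and username pattern are assumptions."""
import json
import os
import re
import tempfile
from urllib.parse import urlencode

# A real client would GET http://metadata.google.internal/computeMetadata/v1/
# oslogin/<query> with the 'Metadata-Flavor: Google' header; here a dict
# keyed by <query> stands in for that call.

# The username ends up in a URL, a file name and a sudoers rule, so it is
# checked against a strict pattern (assumed) before any of that happens.
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def profile_json(email, username, uid, keys):
    """Constructed loginProfiles body (assumed shape); keys = [(key, exp)]."""
    return json.dumps({"loginProfiles": [{
        "name": email,
        "posixAccounts": [{"username": username, "uid": uid}],
        "sshPublicKeys": {f"fp{i}": {"key": k, "expirationTimeUsec": e}
                          for i, (k, e) in enumerate(keys)},
    }]})


# Constructed metadata: alice is an admin with one expired key, bob may log
# in but is not an admin, carol has no OS Login profile at all.
FAKE_METADATA = {
    "users?username=alice": profile_json("alice@example.com", "alice", 1001,
        [("ssh-ed25519 AAAAC3 alice-current", "0"),
         ("ssh-ed25519 AAAAC3 alice-expired", "1000")]),
    "authorize?email=alice%40example.com&policy=login": '{"success": true}',
    "authorize?email=alice%40example.com&policy=adminLogin": '{"success": true}',
    "users?username=bob": profile_json("bob@example.com", "bob", 1002,
        [("ssh-ed25519 AAAAC3 bob", "0")]),
    "authorize?email=bob%40example.com&policy=login": '{"success": true}',
    "authorize?email=bob%40example.com&policy=adminLogin": '{"success": false}',
}


def fetch(query, backend=FAKE_METADATA):
    """Parsed JSON for a query, or None on a missing/malformed reply."""
    try:
        return json.loads(backend[query])
    except (KeyError, ValueError):
        return None  # every caller treats None as "fail closed"


def get_profile(username, backend=FAKE_METADATA):
    """users?username=<username>: profile dict, or None for a local/unknown user."""
    if not VALID_USERNAME.match(username):
        return None
    data = fetch("users?" + urlencode({"username": username}), backend) or {}
    profiles = data.get("loginProfiles") or []
    return profiles[0] if profiles else None


def authorize(email, policy, backend=FAKE_METADATA):
    """authorize?email=<email>&policy=<policy>: True only on an explicit success."""
    data = fetch("authorize?" + urlencode({"email": email, "policy": policy}), backend)
    return isinstance(data, dict) and data.get("success") is True


def authorized_keys(username, now_usec, backend=FAKE_METADATA):
    """AuthorizedKeysCommand logic: unexpired keys if login is allowed, else []."""
    profile = get_profile(username, backend)
    if profile is None or not authorize(profile.get("name", ""), "login", backend):
        return []
    keys = []
    for entry in profile.get("sshPublicKeys", {}).values():
        expiry = int(entry.get("expirationTimeUsec") or 0)
        if expiry and expiry <= now_usec:
            continue  # expired key: never handed to sshd
        keys.append(entry["key"])
    return keys


def sync_admin(username, sudoers_dir, backend=FAKE_METADATA):
    """pam_oslogin_admin logic: keep <sudoers_dir>/<username> exactly while the
    adminLogin check passes. Returns whether the file exists afterwards."""
    if not VALID_USERNAME.match(username):
        return False
    path = os.path.join(sudoers_dir, username)
    profile = get_profile(username, backend)
    if profile is None:  # local account: PAM succeeds, nothing is touched
        return os.path.exists(path)
    if authorize(profile.get("name", ""), "adminLogin", backend):
        os.makedirs(sudoers_dir, mode=0o750, exist_ok=True)
        with open(path, "w") as f:  # rule text is an assumption
            f.write(f"{username} ALL=(ALL) NOPASSWD: ALL\n")
        os.chmod(path, 0o440)
        return True
    if os.path.exists(path):
        os.remove(path)  # revoke as soon as the check stops passing
    return False


def demo(now_usec=2_000_000):
    """Run both flows for several users; returns {user: {keys, sudo}, files}."""
    sudoers_dir = tempfile.mkdtemp(prefix="google-sudoers.d-")
    result = {u: {"keys": authorized_keys(u, now_usec),
                  "sudo": sync_admin(u, sudoers_dir)}
              for u in ("alice", "bob", "carol", "../etc")}
    result["files"] = sorted(os.listdir(sudoers_dir))
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the outcome for each constructed user: alice gets only her current key and a sudoers file, bob gets his key but no sudoers file, carol (no profile) gets neither, and the malformed name is rejected before any lookup happens.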
## Utilities

#### Control Script

The `google_oslogin_control` shell script activates or deactivates the OS Login
features. It is invoked by the Google accounts daemon. The control script
performs the following tasks:

*   Adds (or removes) `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser`
    lines to (from) `sshd_config` and restarts sshd.
*   Adds (or removes) `oslogin` and `cache_oslogin` to (from) `nsswitch.conf`.
*   Adds (or removes) the `account` entries to (from) the PAM sshd config. Also
    adds (or removes) the `pam_mkhomedir.so` module to automatically create the
    home directory for an OS Login user.
*   Creates (or deletes) the `/var/google-sudoers.d/` directory, and a file
    called `google-oslogin` in `/etc/sudoers.d/` that includes the directory.

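The following is an added example of the kind of idempotent edits the control script is described as making to `sshd_config`, `nsswitch.conf` and the sudoers include; it is not the project's `google_oslogin_control`. Every function takes the file or directory it edits as an argument so it can be exercised on copies, and the binary path, the `AuthorizedKeysCommandUser` value, the `cache_oslogin oslogin` ordering and the file modes are assumptions rather than values taken from the page. The property worth checking on such a script is that running an enable step twice adds nothing a second time, and that the disable step removes only the lines the script itself added.

```sh
#!/bin/sh
# Added example, not the project's google_oslogin_control: idempotent
# enable/disable of the sshd, nsswitch and sudoers changes the control
# script is described as making.  Binary path, AuthorizedKeysCommandUser,
# service ordering and file modes are assumptions.
set -eu

AKC_LINE="AuthorizedKeysCommand /usr/bin/google_authorized_keys"
AKC_USER_LINE="AuthorizedKeysCommandUser root"

# $1 = sshd_config: append each directive only if none of that name exists.
enable_sshd() {
  grep -q '^AuthorizedKeysCommand ' "$1" || echo "$AKC_LINE" >> "$1"
  grep -q '^AuthorizedKeysCommandUser ' "$1" || echo "$AKC_USER_LINE" >> "$1"
}

# Drop exactly the lines we added; an administrator's own directives survive.
disable_sshd() {
  grep -v -e "^$AKC_LINE\$" -e "^$AKC_USER_LINE\$" "$1" > "$1.tmp" || true
  mv "$1.tmp" "$1"
}

# $1 = nsswitch.conf: add the services to passwd:/group: lines lacking them.
enable_nss() {
  sed -e '/^passwd:/{/oslogin/!s/$/ cache_oslogin oslogin/;}' \
      -e '/^group:/{/oslogin/!s/$/ cache_oslogin oslogin/;}' "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# Remove the two services again without touching the rest of the line.
disable_nss() {
  sed -e 's/ cache_oslogin//g' -e 's/ oslogin//g' "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# $1 = sudoers.d directory, $2 = google-sudoers.d directory to include.
enable_sudoers() {
  mkdir -p "$2" && chmod 750 "$2"
  printf '#includedir %s\n' "$2" > "$1/google-oslogin"
  chmod 440 "$1/google-oslogin"
}

disable_sudoers() {
  rm -f "$1/google-oslogin"
  rm -rf "$2"
}

# Exercise everything on constructed copies and print the before/after files.
demo_control() {
  d=$(mktemp -d)
  printf 'Port 22\nPasswordAuthentication no\n' > "$d/sshd_config"
  printf 'passwd: compat\ngroup: compat\nhosts: files dns\n' > "$d/nsswitch.conf"
  mkdir "$d/sudoers.d"
  enable_sshd "$d/sshd_config"; enable_nss "$d/nsswitch.conf"
  enable_sudoers "$d/sudoers.d" "$d/google-sudoers.d"
  cat "$d/sshd_config" "$d/nsswitch.conf" "$d/sudoers.d/google-oslogin"
  disable_sshd "$d/sshd_config"; disable_nss "$d/nsswitch.conf"
  disable_sudoers "$d/sudoers.d" "$d/google-sudoers.d"
  cat "$d/sshd_config" "$d/nsswitch.conf"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo_control; fi
```

Invoke it as `sh script.sh demo` to see the edited copies printed after the enable step and again after the disable step; the real script would additionally restart sshd, which is deliberately left out here so the functions stay safe to run on copies.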
#### SELinux Policy

The `selinux` directory contains `.te` (type enforcement) and `.fc` (file
context) files used by SELinux to give the OS Login features the appropriate
SELinux permissions. These are compiled using `checkmodule` and
`semodule_package` to create a policy package `oslogin.pp`.

## Source Packages

There is currently support for creating packages for the following distros:

*   Debian 9
*   CentOS/RHEL 6
*   CentOS/RHEL 7

Files for these packages are in the `packaging/` directory.

#### DEB

_Note: the `packaging/setup_deb.sh` script performs these steps, but is not
production quality._

1.  Install build dependencies:
    ```
    sudo apt-get -y install make g++ libcurl4-openssl-dev libjson-c-dev libpam-dev
    ```
1.  Install deb creation tools:
    ```
    sudo apt-get -y install debhelper devscripts build-essential
    ```
1.  Create a compressed tar file named
    `google-compute-engine-oslogin_M.M.R.orig.tar.gz` using the files in this
    directory, excluding the `packaging` directory (where M.M.R is the version
    number).
1.  In a separate directory, extract the `.orig.tar.gz` file and copy the
    `debian` directory into the top level.
1.  To build the package, run the command:
    ```
    debuild -us -uc
    ```

#### RPM

_Note: the `packaging/setup_rpm.sh` script performs these steps, but is not
production quality._

1.  Install build dependencies:
    ```
    sudo yum -y install make gcc-c++ libcurl-devel json-c json-c-devel pam-devel policycoreutils-python
    ```
1.  Install rpm creation tools:
    ```
    sudo yum -y install rpmdevtools
    ```
1.  Create a compressed tar file named
    `google-compute-engine-oslogin_M.M.R.orig.tar.gz` using the files in this
    directory, excluding the `packaging` directory (where M.M.R is the version
    number).
1.  In a separate location, create a directory called `rpmbuild` and a
    subdirectory called `SOURCES`. Copy the `.orig.tar.gz` file into the
    `SOURCES` directory.
1.  Copy the `SPECS` directory from the `rpmbuild` directory here into the
    `rpmbuild` directory you created.
1.  To build the package, run the command:
    ```
    rpmbuild --define "_topdir /path/to/rpmbuild" -ba /path/to/rpmbuild/SPECS/google-compute-engine-oslogin.spec
    ```
