Page MenuHomePhabricator

Per host access control for kerberized SSH
Open, MediumPublic

Description

For our standard SSH access, the SSH keys of users able to login get deployed to /etc/ssh/userkeys, which allows for fine-grained access control via profile::standard::admin_groups.

For kerberised SSH access we need to build a similar mechanism ourselves:

  1. Users which only have a kerberos login get added to a krblogin group (can happen via data.yaml)
  2. The OpenSSH config for this gets amended with a ForceCommand which redirects to a wrapper:
Match Group krblogin
   ForceCommand /usr/local/bin/cumin-login-wrapper
  1. Which ultimatetely hits a wrapper like this (stub code), $SSH_ORIGINAL_COMMAND gets populated by OpenSSH:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import os
import sys
import subprocess

with open('/etc/kerberos-users', 'r') as f:
    users = [l.strip() for l in f]

remote_user = os.environ['USER']
if remote_user not in users:
    print("User not allowed for Kerberos access")
    sys.exit(1)
else:
    subprocess.run(os.environ['SSH_ORIGINAL_COMMAND'], shell=True)

In addition, data yaml needs to be extended to track kerberos-only users so that the user's SSH keys get installed to cuminunpriv* and the bastions.