For our standard SSH access, the SSH keys of users able to log in get deployed to /etc/ssh/userkeys, which allows fine-grained access control via profile::standard::admin_groups.
For kerberised SSH access we need to build a similar mechanism ourselves:
- Users who only have a Kerberos login get added to a krblogin group (this can happen via data.yaml)
- The OpenSSH config for this gets amended with a ForceCommand which redirects to a wrapper:
Match Group krblogin
    ForceCommand /usr/local/bin/cumin-login-wrapper
- Which ultimately hits a wrapper like this (stub code); $SSH_ORIGINAL_COMMAND gets populated by OpenSSH with the command the client requested, and is left unset for a plain interactive login:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import subprocess
import sys

# One username per line; blank lines are ignored
with open('/etc/kerberos-users', 'r') as f:
    users = [l.strip() for l in f if l.strip()]

# USER is exported by sshd for the authenticated account
remote_user = os.environ['USER']
if remote_user not in users:
    print("User not allowed for Kerberos access")
    sys.exit(1)

# SSH_ORIGINAL_COMMAND is only set when the client supplied a command;
# a plain interactive login leaves it unset, so fall back to a shell
command = os.environ.get('SSH_ORIGINAL_COMMAND',
                         os.environ.get('SHELL', '/bin/bash'))
# Propagate the command's exit status back to the SSH client
sys.exit(subprocess.run(command, shell=True).returncode)
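A fuller version of the wrapper, added here as an example rather than the project's own code. It keeps the allow-list at /etc/kerberos-users as in the stub, but fails closed when the file cannot be read, gives an interactive login shell when $SSH_ORIGINAL_COMMAND is unset, runs a requested command through the user's login shell (what sshd would do without the ForceCommand), logs decisions to syslog and replaces itself with exec instead of spawning a child. The function names, the syslog identifier and the /bin/sh fallback shell are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example of a fuller cumin-login-wrapper; not the project's own code.

Assumptions: the allow-list lives at /etc/kerberos-users (as in the stub),
one username per line; the syslog identifier and the fallback shell are
chosen here for illustration.
"""
import os
import pwd
import sys
import syslog

ALLOWED_USERS_FILE = "/etc/kerberos-users"
FALLBACK_SHELL = "/bin/sh"  # assumption: used only if passwd has no shell


def parse_allowed_users(text):
    """Parse the allow-list: one username per line, '#' starts a comment,
    blank lines and surrounding whitespace are ignored."""
    users = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            users.add(entry)
    return users


def decide(user, allowed_users, original_command, login_shell=FALLBACK_SHELL):
    """Return the argv the wrapper should exec, or None to deny access.

    - user not on the allow-list: deny (fail closed)
    - SSH_ORIGINAL_COMMAND unset (plain 'ssh host'): interactive login shell
    - otherwise run the client's command through the login shell, which is
      what sshd would have done had there been no ForceCommand
    """
    if user not in allowed_users:
        return None
    if original_command is None:
        return [login_shell, "-l"]
    return [login_shell, "-c", original_command]


def main():
    syslog.openlog(ident="cumin-login-wrapper", facility=syslog.LOG_AUTH)
    user = os.environ.get("USER")
    if user is None:
        # sshd exports USER for the authenticated account; nothing to check otherwise
        syslog.syslog(syslog.LOG_WARNING, "USER not set in environment, denying")
        sys.exit(1)
    try:
        with open(ALLOWED_USERS_FILE, encoding="utf-8") as f:
            allowed = parse_allowed_users(f.read())
    except OSError as exc:
        # An unreadable allow-list must deny everyone, not let everyone in
        syslog.syslog(syslog.LOG_ERR, f"cannot read {ALLOWED_USERS_FILE}: {exc}")
        sys.exit(1)
    try:
        shell = pwd.getpwnam(user).pw_shell or FALLBACK_SHELL
    except KeyError:
        shell = FALLBACK_SHELL
    argv = decide(user, allowed, os.environ.get("SSH_ORIGINAL_COMMAND"), shell)
    if argv is None:
        syslog.syslog(syslog.LOG_WARNING, f"denied Kerberos access for {user}")
        print("User not allowed for Kerberos access", file=sys.stderr)
        sys.exit(1)
    syslog.syslog(syslog.LOG_INFO, f"{user}: exec {argv}")
    # exec rather than subprocess: the wrapper disappears and the session's
    # exit status is the command's own, with no extra process left behind
    os.execv(argv[0], argv)


if __name__ == "__main__":
    main()
```

The policy lives in decide(), which takes plain values and returns argv or None, so the deny/shell/command cases can be unit-tested without an sshd; only main() touches the environment, the allow-list file and exec. To confirm the Match block actually applies to a given account, `sshd -T -C user=<name>,host=<host>,addr=<addr>` prints the effective configuration including the forcecommand line.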
In addition, data.yaml needs to be extended to track Kerberos-only users so that the user's SSH keys get installed to cuminunpriv* and the bastions.