GitHub - bruj0/iam_acctmgr: Synchronize local Name Service Switch database against AWS IAM

bruj0 / iam_acctmgr Public

forked from Demeterr/iam_acctmgr

Notifications You must be signed in to change notification settings
Fork 0
Star 0

Synchronize local Name Service Switch database against AWS IAM

Apache-2.0 license

0 stars 1 fork Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 13 Commits
test		test
LICENSE		LICENSE
README		README
iam_acctmgr		iam_acctmgr
iam_acctmgr.py		iam_acctmgr.py
libnss-extrausers.spec		libnss-extrausers.spec
setup.cfg		setup.cfg
setup.py		setup.py
tox.ini		tox.ini

Repository files navigation

aws_acctmgr
===========

``aws_acctmgr`` synchronizes a local NSS database against Amazon Web Services
(AWS) Identity and Access Management (IAM) with the primary use-case of
providing SSH access to AWS EC2 instances for remote administrators.

This relies on the SSH Public Key metadata feature added to AWS IAM.
Note that the AWS documentation currently only mentions this feature in the
context of the AWS CodeCommit product but the API naming itself has no such
context.

See:
    https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetSSHPublicKey.html
    https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListSSHPublicKeys.html


Features:

* UID derived by the IAM UserID property, users will always have the same UID across
all the intances

* IAM groups for Sudo users and regular users.

* Automatic creation of users home directory using the skel profile.

* Local groups support

IAM users are not added to the system via traditional mechanisms (e.g.
``/etc/passwd``).  Instead they are registered in a dedicated directory
provided by the "libnss-extrausers" package.  The host's ``/etc/nsswitch``
should have ``extrausers`` appended to the ``passwd`` and ``shadow`` entries.

    passwd:         compat extrausers
    group:          compat extrausers
    shadow:         compat extrausers

See:
    https://packages.debian.org/jessie/libnss-extrausers

Manual Installation
-------------------

* Install the package libnss-extrausers for your distribution, you can find RPMs for Centos here
* iam_acctmgr_configure is used to add the configuration to the proper services.

# git clone https://github.com/bruj0/iam_acctmgr.git
# cd iam_acctmgr
# python setup.py install
# /usr/local/bin/iam_acctmgr_configure --sshd /etc/ssh/sshd_config --nsswitch /etc/nsswitch.conf --pam /etc/pam.d/sshd /usr/local/bin
# service sshd restart
# mkdir /var/lib/extrausers/
# /etc/init.d/iam_accrtmgr start

RPM Based Install
-----------------

I have created 2 rpms for Amazon Linux version amzn-ami-hvm-2017.09.1.20180115-x86_64-gp2 (ami-97785bed) :

https://github.com/bruj0/iam_acctmgr/releases/download/0.2/iam_acctmgr-0.2-1.noarch.rpm
https://github.com/bruj0/iam_acctmgr/releases/download/0.2/libnss-extrausers-0.6-0.x86_64.rpm


$ rpm -i iam_acctmgr-0.1-1.noarch.rpm 
$ rpm -i libnss-extrausers-0.6-0.x86_64.rpm
$ /usr/bin/iam_acctmgr_configure --sshd /etc/ssh/sshd_config --nsswitch /etc/nsswitch.conf --pam /etc/pam.d/sshd /usr/bin
$ service sshd restart
$ /etc/init.d/iam_accrtmgr start
$ chkconfig --add iam_acctmgr
$ chkconfig iam_acctmgr on


See Also
--------

https://github.com/google/nsscache


Forked from
------------

https://github.com/Demeterr/iam_acctmgr 
https://github.com/bshi