summaryrefslogtreecommitdiff
path: root/packages/google-compute-engine-oslogin/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'packages/google-compute-engine-oslogin/README.md')
-rw-r--r--packages/google-compute-engine-oslogin/README.md170
1 files changed, 84 insertions, 86 deletions
diff --git a/packages/google-compute-engine-oslogin/README.md b/packages/google-compute-engine-oslogin/README.md
index 6f967c5..4acc31e 100644
--- a/packages/google-compute-engine-oslogin/README.md
+++ b/packages/google-compute-engine-oslogin/README.md
@@ -1,76 +1,73 @@
## OS Login Guest Environment for Google Compute Engine
-This package enables Google Cloud OS Login features on Google Compute Engine
-instances.
+This repository contains the system components responsible for providing Google
+Cloud OS Login features on Google Compute Engine instances.
**Table of Contents**
* [Overview](#overview)
* [Components](#components)
* [Authorized Keys Command](#authorized-keys-command)
- * [NSS Module](#nss-module)
- * [PAM Module](#pam-module)
- * [Utils](#utils)
-* [Utility Directories](#utility-directories)
- * [bin](#bin)
- * [packaging](#packaging)
- * [policy](#policy)
+ * [NSS Modules](#nss-modules)
+ * [PAM Modules](#pam-modules)
+* [Utilities](#Utilities)
+ * [Control Script](#control-script)
+ * [SELinux Policy](#selinux-policy)
* [Source Packages](#source-packages)
* [DEB](#deb)
* [RPM](#rpm)
-* [Version Updates](#version-updates)
## Overview
-The OS Login package has the following components:
+The OS Login Guest Environment consists of the following main components:
-* **Authorized Keys Command** to fetch SSH keys from the user's OS Login
- profile and make them available to sshd.
-* **NSS Module** provides support for making OS Login user and group
+* **Authorized Keys Command** which provides SSH keys from the user's OS Login
+ profile to sshd for authenticating users at login.
+* **NSS Modules** which provide support for making OS Login user and group
information available to the system, using NSS (Name Service Switch)
functionality.
-* **PAM Module** provides authorization and authentication support allowing
- the system to use data stored in Google Cloud IAM permissions to control
- both, the ability to log into an instance, and to perform operations as root
- (sudo).
-* **Utils** provides common code to support the components listed above.
-
-In addition to the main components, there are also utilities for packaging and
-installing these components:
-
-* **bin** contains a shell script for activating/deactivating the package
- components.
-* **packaging** contains files used to generate `.deb` and `.rpm` packages for
- the OS Login components.
-* **policy** contains SELinux "type enforcement" files for configuring SELinux
- on CentOS/RHEL systems.
+* **PAM Modules** which provide authorization (and authentication if
+ two-factor support is enabled) support allowing the system to use Google
+ Cloud IAM permissions to control the ability to log into an instance or to
+ perform operations as root (via `sudo`).
+
+In addition to the main components, there are also the following utilities:
+
+* **google_oslogin_control** is a shell script for activating/deactivating the
+ OS Login components.
+* **google_oslogin_nss_cache** is a utility for updating the local user and
+ group cache.
+* **selinux** contains SELinux policy definition files and a compiled policy
+ package for configuring SELinux to support OS Login.
+
+The **packaging** directory also contains files used to generate `.deb` and
+`.rpm` packages for the OS Login components.
## Components
#### Authorized Keys Command
The `google_authorized_keys` binary is designed to be used with the sshd
-[AuthorizedKeysCommand](https://linux.die.net/man/5/sshd_config) option in
-`sshd_config`. It does the following:
+`AuthorizedKeysCommand` option in [sshd_config(5)](https://linux.die.net/man/5/sshd_config).
+It does the following:
-* Reads the user's profile information from the metadata server.
+* Reads the user's profile information from the metadata server:
```
http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
```
-* Checks to make sure that the user is authorized to log in.
+* Checks to make sure that the user is authorized to log in:
```
http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login
```
* If the check is successful, returns the SSH keys associated with the user
- for use by sshd.
+ for use by sshd. Otherwise, exits with an error code.
-#### NSS Module
+#### NSS Modules
-The `nss_oslogin` module is built and installed in the appropriate `lib`
-directory as a shared object with the name `libnss_oslogin.so.2`. The module is
-then activated by an `oslogin` entry in `/etc/nsswitch.conf`. The NSS module
-supports looking up `passwd` entries from the metadata server via
-`getent passwd`.
+`libnss_oslogin.so` and `libnss_cache_oslogin.so` are NSS service modules which
+make OS Login users and groups available for use on the local system. The module
+is activated by adding `oslogin` and `cache_oslogin` entries for services in
+[nsswitch.conf(5)](https://linux.die.net/man/5/nsswitch.conf).
* To return a list of all users, the NSS module queries:
```
@@ -78,47 +75,59 @@ supports looking up `passwd` entries from the metadata server via
```
* To look up a user by username, the NSS module queries:
```
- http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username
+ http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
```
* To look up a user by UID, the NSS module queries:
```
http://metadata.google.internal/computeMetadata/v1/oslogin/users?uid=<uid>
```
-#### PAM Module
+#### PAM Modules
-The `pam_module` directory contains two modules used by Linux PAM (Pluggable
-Authentication Modules).
+`pam_oslogin_login.so` is a PAM module which determines whether a given user is
+allowed to SSH into an instance.
-The first module, `pam_oslogin_login.so`, determines whether a given user is
-allowed to SSH into an instance. It is activated by adding an
-`account requisite` line to the PAM sshd config file and does the following:
+It is activated by adding an entry for the account group to the PAM service
+config for sshd as:
+ ```
+ account requisite pam_oslogin_login.so
+ ```
-* Retrieves the user's profile information from the metadata server.
+This module:
+
+* Retrieves the user's profile information from the metadata server:
```
http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
```
-* If the user has OS Login profile information (as opposed to a local user
- account), confirms whether the user has permissions to SSH into the
- instance.
+* If the user does not have OS Login profile information it is passed on to
+ the system authentication modules to be processed as a local user.
+* Otherwise, the module confirms whether the user has permissions to SSH into
+ the instance:
```
http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=login
```
-* If the user is a local user account or is authorized, PAM returns a success
- message and SSH can proceed. Otherwise, PAM returns a denied message and the
- SSH check will fail.
+* If the user is authorized, PAM returns a success message and SSH can
+ proceed. Otherwise, PAM returns a denied message and the SSH check will
+ fail.
+
+`pam_oslogin_admin.so` is a PAM module which determines whether a given user
+should have admin (sudo) permissions on the instance.
-The second module, `pam_oslogin_admin.so`, determines whether a given user
-should have admin (sudo) permissions on the instance. It is activated by adding
-an `account optional` line to the PAM sshd config file and does the following:
+It is activated by adding an entry for the `account` group to the PAM service
+config for sshd config as:
+ ```
+ account optional pam_oslogin_admin.so
+ ```
+
+This module:
* Retrieves the user's profile information from the metadata server.
```
http://metadata.google.internal/computeMetadata/v1/oslogin/users?username=<username>
```
-* If the user is a local user account, the module exits with success.
-* If the user is an OS Login user, the module perform an authorization check
- to determine if the user has admin permissions.
+* If the user is not an OS Login user (a local user account), the module
+ returns success.
+* Otherwise, the module determines if the user has admin permissions:
```
http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?email=<user_email>&policy=adminLogin
```
@@ -127,49 +136,40 @@ an `account optional` line to the PAM sshd config file and does the following:
* If the authorization check fails for admin permissions, the file is removed
from `/var/google-sudoers.d/` if it exists.
-#### Utils
-
-`oslogin_utils` contains common functions for making HTTP calls,
-interacting with the metadata server, and for parsing JSON objects.
+## Utilities
-## Utility Directories
+#### Control Script
-#### bin
-
-The `bin` directory contains a shell script called `google_oslogin_control` that
-activates or deactivates the OS Login features. It is called in the pre and post
-install scripts in the `.deb` and `.rpm` packages. The control file performs the
-following tasks:
+The `google_oslogin_control` shell script activates or deactivates the OS Login
+features. It is invoked by the google accounts daemon. The control file performs
+the following tasks:
* Adds (or removes) AuthorizedKeysCommand and AuthorizedKeysCommandUser lines
to (from) `sshd_config` and restarts sshd.
-* Adds (or removes) `oslogin` to (from) `nsswitch.conf`.
+* Adds (or removes) `oslogin` and `cache_oslogin` to (from) `nsswitch.conf`.
* Adds (or removes) the `account` entries to (from) the PAM sshd config. Also
adds (or removes) the `pam_mkhomedir.so` module to automatically create the
home directory for an OS Login user.
* Creates (or deletes) the `/var/google-sudoers.d/` directory, and a file
called `google-oslogin` in `/etc/sudoers.d/` that includes the directory.
-#### packaging
-
-The `packaging` directory contains files for creating `.deb` and `.rpm`
-packages. See [Source Packages](#source-packages) for details.
+#### SELinux Policy
-#### policy
-
-The `policy` directory contains `.te` (type enforcement) files used by SELinux
-to give the OS Login features the appropriate SELinux permissions. These are
-compiled using `checkmodule` and `semodule_package` to create an `oslogin.pp`
-that is intstalled in the appropriate SELinux directory.
+The `selinux` directory contains `.te` (type enforcement) and `.fc` (file
+context) files used by SELinux to give the OS Login features the appropriate
+SELinux permissions. These are compiled using `checkmodule` and
+`semodule_package` to create an policy package `oslogin.pp`.
## Source Packages
There is currently support for creating packages for the following distros:
-* Debian 8
+
* Debian 9
* CentOS/RHEL 6
* CentOS/RHEL 7
+Files for these packages are in the `packaging/` directory.
+
#### DEB
_Note: the `packaging/setup_deb.sh` script performs these steps, but is not
@@ -188,9 +188,7 @@ production quality._
directory, excluding the `packaging` directory (where M.M.R is the version
number).
1. In a separate directory, extract the `.orig.tar.gz` file and copy the
- appropriate `debian` directory into the top level. (e.g. When working on
- Debian 8, copy the `debian8` directory to a directory named `debian` within
- the code directory.)
+ `debian` directory into the top level.
1. To build the package, run the command
```
debuild -us -uc
View Lorry Controller Status