3

I have a bunch of VPSs and every now and then I have to create another. Currently I use AWS, Rackspace and DigitalOcean as my IaaS providers. Most of them are Ubuntu-based. Besides, I have the users managed by Google Apps.

For each of the created VPSs, I have to manage a root and a normal user, and multiple users must have access to the normal user credential. If a user is blocked (i.e. got fired..) he obviously should not have access to the VPSs anymore. Another must-have feature is to allow/block permissions by user group. The user groups would be managed by Google Apps and the VPSs would only point to the Google Apps authentication API or equivalent.

I want to know if there is such a way of authenticating users in multiple VPSs using Google Credentials. This way, a user should do ssh john.doe@ to access the VPS, where john.doe is a valid credential managed by Google Apps.

If there isn't, which is the recommended approach to my problem?

Anthon
gfernandes

2 Answers

1

There is a google_pam module on github which was written to achieve what you want.

This package implements a PAM module to authenticate users against a Google domain. The following features are provided:

  • Select any Google domain.
  • Allow only users from a certain group.
  • A script to install all Google users as system users.
  • Password caching using files or memcached.
  • Advanced logging setup.

Setting up Google PAM on Ubuntu 12.04 LTS using a PPA

Edit 1: reply to @gfernandes's 2nd comment below.

I have checked the source code and it just lifts the admin-user/password straight from the config file at 2 locations, when checking groups and then in checking password.

        service = self.GroupsService(
            domain=self.config.get(SECTION_NAME, 'domain'),
            email=self._get_email(
                self.config.get(SECTION_NAME, 'admin-username')),
            password=self.config.get(SECTION_NAME, 'admin-password')
            )

I haven't time to investigate further right now, but would want to try with a 2nd restricted administrator, which could be trashed, and/or with an application-specific password under two-step verification. I have had similar thoughts myself.

X Tian
  • It looks very interesting, tks! Do you know if there is any other way to authenticate the admin user than saving his password in plain text? I know the file will be only root-permitted, but I don't like the idea of having the Google Domain Manager account password in blank text in every single VPS that I create.. – gfernandes Mar 11 '14 at 18:17
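
One way to audit the exposure discussed in the answer and comment above, as an added example that is not part of either post or of the google_pam project: it checks the ownership and mode of the module's config file and reports every section that stores an admin-password. The config path is supplied by the caller (its location is not given on this page) and the function name is hypothetical; only the key names admin-username and admin-password come from the quoted snippet.

```python
import configparser
import os
import stat


def audit_pam_config(path, expected_uid=0):
    """Return a list of findings for a google_pam-style INI config file.

    path is supplied by the caller; expected_uid defaults to root (0).
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)

    # The file holds a domain administrator secret: only root should own it.
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    # Any group/other permission bit exposes the secret to local users.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access, want 0600")

    # interpolation=None so a '%' inside a password is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for section in parser.sections():
        # Key names are the ones read in the quoted source snippet.
        user = parser.get(section, "admin-username", fallback="")
        if parser.get(section, "admin-password", fallback=""):
            findings.append(
                f"[{section}] stores a plaintext admin-password for "
                f"{user or 'an unnamed account'}"
            )
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit.py <path-to-config>
    for finding in audit_pam_config(sys.argv[1]):
        print("FINDING:", finding)
```

Run across a fleet, the output shows which servers hold the administrator secret and whether local users could read it.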
0

In the same vein as @XTian's answer there's also this PAM called google-authenticator. Setup instructions are also available in the project's wiki.

After building it, simply add this line to your PAM configuration:

    auth required pam_google_authenticator.so

I also found this interesting PAM called pam-face-authentication, which used image recognition to allow logins based on a user's face.

slm