
nbisweden / localega-auth


Authentication of EGA users

Home Page: http://localega.readthedocs.io/en/stable/inbox.html

License: Apache License 2.0

Makefile 4.27% C 78.27% Roff 10.97% C++ 0.52% Assembly 2.81% Dockerfile 2.10% Shell 1.05%

localega-auth's Introduction

An NSS module to find the EGA users in a (remote) database

Compile the library

make

Add it to the system

make install

echo '/usr/local/lib/ega' > /etc/ld.so.conf.d/ega.conf

ldconfig -v

ldconfig recreates the ld cache and also creates some extra links (important!).

It is necessary to create /etc/ega/auth.conf. Use auth.conf.sample as an example.

Make the system use it

Update /etc/nsswitch.conf and add the ega module to the passwd line:

passwd: files ega ...

Note: Don't put it first, otherwise it'll search for every user on the system (e.g. sshd, root, ...).

Then update your PAM service file. For example, include lines like:

# module_interface     control_flag     module_name                     module_arguments
auth                   required         /usr/local/lib/ega/pam_ega.so   use_first_pass
session                required         /usr/local/lib/ega/pam_ega.so

See the LocalEGA general documentation for further information, and examples.

How it is built

This repository contains the NSS and PAM module for LocalEGA.

We use NSS to find out about the users, and PAM to authenticate them (and chroot them for each session).

When the system needs to know about a specific user, it looks at its passwd database. Above you see that it first looks at its local files (i.e. /etc/passwd) and then, if the user is not found, it looks at the "ega" NSS module.

The NSS EGA module proceeds in several steps:

  • If the user is found in a local cache, and that local cache entry has not expired, it is returned immediately.

  • If the user is not found in the cache, we query CentralEGA (with a REST call). If the user doesn't exist there, it's the end of the road.

  • If the user exists at CentralEGA, we parse the JSON answer (at the moment a pair: (password_hash, public_key)) and put the retrieved user in the local cache. We then create the user's home directory (whose location may vary per LocalEGA site).

  • Upon new requests, only the cache gets queried.
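The cache-then-remote lookup order described above, as an added example that is not the project's own code: the CentralEGA REST call is replaced by a constructed stub, and the cache layout, TTL and function names are assumptions.

```c
/* Added example, not the localega-auth code: a minimal model of the NSS lookup
 * order described above (valid cache entry, else remote query, then cache the
 * result). The remote call is a constructed stub standing in for the CentralEGA
 * REST call; the cache layout, TTL and function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CACHE_SIZE 8
#define CACHE_TTL 3600 /* seconds; assumed value for this demo */

struct ega_user { char name[32]; char password_hash[64]; char public_key[64]; };
struct cache_entry { struct ega_user user; time_t expires; /* 0: slot unused */ };

static struct cache_entry cache[CACHE_SIZE];
int remote_queries = 0; /* counts stub "REST calls" so the path taken is observable */

/* Constructed stand-in for the CentralEGA REST call: only "alice" exists there. */
static int central_ega_lookup(const char *name, struct ega_user *out) {
    remote_queries++;
    if (strcmp(name, "alice") != 0) return 0;
    snprintf(out->name, sizeof out->name, "%s", name);
    snprintf(out->password_hash, sizeof out->password_hash, "$6$constructed$hash");
    snprintf(out->public_key, sizeof out->public_key, "ssh-ed25519 AAAAconstructed");
    return 1;
}

/* Returns 1 if the user exists (served from cache or from CentralEGA), else 0.
 * out may be NULL. Home directory creation on a cache miss is omitted here. */
int ega_getpwnam(const char *name, time_t now, struct ega_user *out) {
    struct ega_user tmp;
    int free_slot = -1;
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (cache[i].expires == 0 || cache[i].expires <= now) { /* unused or expired */
            if (free_slot < 0) free_slot = i;
            continue;
        }
        if (strcmp(cache[i].user.name, name) == 0) { /* cache hit: no remote call */
            if (out) *out = cache[i].user;
            return 1;
        }
    }
    if (!central_ega_lookup(name, &tmp)) return 0; /* unknown at CentralEGA: end of the road */
    if (free_slot >= 0) { cache[free_slot].user = tmp; cache[free_slot].expires = now + CACHE_TTL; }
    if (out) *out = tmp;
    return 1;
}
```

The expired-entry branch is the part worth checking in a real module: an entry whose TTL has passed must be treated as a miss so that a password hash revoked at CentralEGA stops being honoured once the cache expires.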

Now that the user is retrieved, the PAM module takes the relay baton.

There are 4 components:

  • auth is used to challenge the user credentials. We retrieve from the cache the user's password hash, which we compare to the one supplied by the user.

  • account is used to check if the account has expired. Here it is just a pass-through: it always succeeds. We can use it later, for users that are not in CentralEGA.

  • password is used to re-create passwords. In our case, we don't need it so that component is left unimplemented.

  • session is used whenever a user passes the authentication step and is about to log onto the service (in our case: sshd). When a session is opened, we refresh the last access date of the user and chroot the user into its home directory.

The configuration settings are in /etc/ega/auth.conf.
