Tomohisa Oda

Making the Management of Linux Server Administrators Easier

Last year I wrote about authentication on Linux servers, and how to manage it, using libpam-mruby. This post is the sequel.

Authenticating with GitHub Teams using libpam-mruby

When it comes to managing Linux users with OSS, I think OpenLDAP is the usual choice, but LDAP is built for unified management of many things, so trying to use it properly feels like a high hurdle. When you only touch LDAP occasionally, you end up googling the LDAP commands every time, which is a quiet nuisance; I suspect many people have been there.

ćć—ć¦ć€č‡Ŗåˆ†ćŸć”ćŒLDAPć‚’é€šć—ć¦č§£ę±ŗ恗恟恄恓ćØć£ć¦å˜ć«sudoęØ©é™ć‚’ęŒć¤ē®”ē†č€…ć‹ćć†ć§ćŖć„ćƒ¦ćƒ¼ć‚¶ć®ē®”ē†ć§ę„å¤–ćØć‚·ćƒ³ćƒ—ćƒ«ć ć£ćŸć‚Šć—ć¾ć™ć€‚ ćć‚Œć«ę°—ć„ć‹ć›ć¦ćć‚ŒćŸć®ćÆć€ć‚¤ć‚±ć¦ć‚‹åŒåƒšć®@pyama갏惗惭惀ć‚Æ惈恮STNSćØ恄恆悄恤恧态STNSćÆćƒ¦ćƒ¼ć‚¶ć‚„éµć®ē®”ē†ć‚’TOMLć§č”Œć†ćØć„ć†ć‚‚ć®ć§ć—ćŸć€‚ čØ­å®šćŒTOMLå½¢å¼ć®ćƒ•ć‚”ć‚¤ćƒ«ć«ćŖ悋恓ćØ恧git恧ē®”ē†ć§ćć¾ć™ć—ć€å¤‰ę›“ćÆGithub恮Pull-Requestć‚’é€šć˜ć¦č”Œćˆć‚‹ć‚ˆć†ć«ćŖć‚Šć¾ć™ć€‚ Pull-Request恌å‡ŗę„ć‚‹ćØ恄恆恓ćØćÆ态ē®”ē†č€…ćÆē¢ŗčŖć—ć¦ćƒžćƒ¼ć‚øć™ć‚‹ć ć‘ćŒä½œę„­ćØćŖć‚Šć€ćƒ›ćƒ³ćƒˆé¢å€’ćŖä½œę„­ć‹ć‚‰č§£ę”¾ć—ć¦ćć‚Œć‚‹ļ¼ćć†ć„ć†ćƒ—ćƒ­ćƒ€ć‚Æ惈恧恙怂

However, beyond the convenience there are a few issues:

  • Adding and removing users is easy, but creating the initial configuration file is a pain
  • Like LDAP, it needs a backend (a server, etc.)
  • Depending on the server it is deployed to, uids can collide (ugh)

That sort of thing. And so, enter octopass (which I wrote).

About Octopass

octopass uses the GitHub API to resolve Linux user names from GitHub Organization/Team membership, lets sshd authenticate with the public keys registered on GitHub, and lets PAM authenticate with a GitHub Personal Access Token.

Since it depends on GitHub, the name octopass is a riff on octocat.

In short:

  • the octopass NSS module looks up GitHub Org/Team members
  • the octopass command fetches public keys from GitHub
  • the octopass PAM helper obtains authorization from GitHub

Because it does these things, you can manage Linux administrators by managing GitHub Org/Team membership.

Questions

ć“ć“ć§å¤§ä½“ē–‘å•ć«ę€ć†ć“ćØćÆ恓悓ćŖꄟ恘恧恗悇恆怂

  • Github API恌Downć—ćŸć‚‰ć©ć†ćŖ悋恮ļ¼Ÿ
  • ęµ·å¤–ć®APIč¶Šć—ć«åå‰č§£ę±ŗć—ć¦ćŸć‚‰é…ć„ć‚“ć§ćÆļ¼Ÿ
  • ć‚µćƒ¼ćƒå°ę•°å¤šć„ćØAPI恮Ratelimitļ¼ˆåˆ¶é™ļ¼‰ć«ć‹ć‹ć‚‹ć®ć§ćÆļ¼Ÿ

ćÆ恄怂å…ØéƒØćć®é€šć‚Šć§ć™ā€¦ ;-( 恗恋恗态äøŠć®2恤ćÆć‚­ćƒ£ćƒƒć‚·ćƒ„ć«ć‚ˆć£ć¦č§£ę±ŗć—ć¦ć„ć¾ć™ć€‚ :-)

Architecture

octopass caches the GitHub API response body in a file, and if a request to the GitHub API fails to return 200 for whatever reason, it is designed to use the cache even if the cache lifetime has expired. And since it caches, it does not send an API request on every name resolution.

As for the third: if you roll out octopass to an environment with, say, 10,000 servers, the GitHub API rate limit is 5,000/hour, so there is a real chance you will be rate-limited immediately. In that case I think it is best to put a proxy in front of the GitHub API to cache responses for you, though at that scale LDAP or other middleware is arguably the better fit to begin with.
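Here is a small Python model of the caching behaviour described in this section, added to this post as an illustration; it is not octopass's own code (octopass is written in C), and the TTL, the on-disk JSON layout and the stand-in fetch callables are assumptions made for the example. It shows the three paths a lookup can take: a fresh cache entry (no API call at all), a refresh when the API answers 200, and a fall back to the expired entry when the API answers anything else. The first path is also what keeps a fleet's request volume under the rate limit.

```python
"""Read-through file cache with stale fallback.

Added illustration of the caching design described above; not code from the
octopass project. The TTL, the on-disk JSON layout and the fetch callables
(which stand in for GitHub API calls) are assumptions made for this example.
"""
import json
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Optional, Tuple

# A fetcher performs the upstream request and returns (http_status, body).
Fetcher = Callable[[], Tuple[int, str]]


class StaleFallbackCache:
    def __init__(self, cache_dir: str, ttl_seconds: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.dir = Path(cache_dir)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the demo can advance time

    def _path(self, key: str) -> Path:
        # key is a URL; reduce it to a file-system-safe name
        return self.dir / ("".join(c if c.isalnum() else "_" for c in key) + ".json")

    def _read(self, key: str) -> Optional[dict]:
        p = self._path(key)
        return json.loads(p.read_text()) if p.exists() else None

    def _write(self, key: str, body: str) -> None:
        self._path(key).write_text(json.dumps({"fetched_at": self.clock(), "body": body}))

    def get(self, key: str, fetch: Fetcher) -> Tuple[str, str]:
        """Return (body, source); source is 'cache', 'api' or 'stale-cache'."""
        entry = self._read(key)
        if entry is not None and self.clock() - entry["fetched_at"] < self.ttl:
            return entry["body"], "cache"            # fresh: no upstream request
        status, body = fetch()                       # expired or cold: ask upstream
        if status == 200:
            self._write(key, body)
            return body, "api"
        if entry is not None:
            # Upstream down or rate-limited: serve the expired copy rather than
            # failing the lookup, which is what keeps logins working.
            return entry["body"], "stale-cache"
        raise RuntimeError(f"no cached copy and upstream returned HTTP {status}")


def demo(cache_dir: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Walk one key through cold -> fresh -> expired+error -> expired+200.

    Returns the source of each answer and the list of upstream calls made.
    """
    now = [1000.0]
    cache = StaleFallbackCache(cache_dir or tempfile.mkdtemp(), ttl_seconds=300,
                               clock=lambda: now[0])
    key = "https://api.github.com/teams/1/members"  # constructed example URL
    calls: List[str] = []

    def api_ok() -> Tuple[int, str]:
        calls.append("ok")
        return 200, '[{"login": "alice"}, {"login": "bob"}]'

    def api_rate_limited() -> Tuple[int, str]:
        calls.append("limited")
        return 403, '{"message": "API rate limit exceeded"}'

    sources = [cache.get(key, api_ok)[1]]                # cold cache -> 'api'
    sources.append(cache.get(key, api_rate_limited)[1])  # fresh -> 'cache', no call
    now[0] += 600                                        # let the entry expire
    sources.append(cache.get(key, api_rate_limited)[1])  # error -> 'stale-cache'
    sources.append(cache.get(key, api_ok)[1])            # healthy again -> 'api'
    return sources, calls


if __name__ == "__main__":
    print(demo())
```

The fallback trades freshness for availability: someone removed from the team stays resolvable until the API is reachable again and the entry refreshes, so the TTL should be short enough that revocation propagates within the time you can tolerate.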

Conclusion

ć“ć®ć‚ˆć†ć«ć€octopass悒ä½æ恈恰态 č‡Ŗåˆ†ćŸć”ć®č³‡ē”£ļ¼ˆć‚³ćƒ¼ćƒ‰ļ¼‰ć‚’Githubć¾ćŸćÆGithub Enterprise恧ē®”ē†ć—ć¦ć„ć‚‹å‰ęć«ćÆćŖć‚Šć¾ć™ćŒć€ 恝悌ļ¼ˆč³‡ē”£ļ¼‰ć«ć‚³ćƒŸćƒƒćƒˆć™ć‚‹ęة限ćØåŒć˜ć‚ˆć†ć«ć€é–¢äæ‚ć™ć‚‹ć‚µćƒ¼ćƒć«ć—ć¦ć‚‚åŒć˜ć‚ˆć†ć«ęØ©é™ć‚’ē®”ē†ć§ćć‚‹ć‚ˆć†ć«ćŖć‚Šć¾ć™ć€‚ćŖć‚“ć¦ć‚·ćƒ³ćƒ—ćƒ«ļ¼

ć¾ćŸć€ę™‚ä»£ēš„ć«ć‚µćƒ¼ćƒć«č¤‡ę•°ćƒ­ćƒ¼ćƒ«ćÆꌁ恟ćŖ恄恮恧č‡Ŗ恚ćØ複雑ćŖćƒ¦ćƒ¼ć‚¶ē®”ē†ćŒäøč¦ć«ćŖć£ć¦ć„ć‚‹ćØć„ć†ęµć‚Œć§ćÆć‚ć‚Šć¾ć™ć®ć§ć€ äø€č¦‹č¤‡é›‘ćŖ恓ćØ恌恧恍ćŖć„å°č¦ęØ”å‘ć‘ć®ć‚ˆć†ćŖoctopassćŒå¤§č¦ęØ”ćŖć‚µćƒ¼ćƒē¾¤ć«åƾåæœć§ćć‚‹ć®ć‹ć‚‚ć—ć‚Œć¾ć›ć‚“ć€‚ ꙂćÆć™ć§ć«ć‚³ćƒ³ćƒ†ćƒŠć®ę™‚ä»£ć«ēŖå…„ć—ć¦ć„ć¾ć™ć®ć§SSH悒恙悋恓ćØ悂恠恄恶ęø›ć£ć¦ćć¦ćÆć„ć¾ć™ć€‚

As @matsumotory puts it: "Microsegmentation!"

Installation

For installation, I currently build packages only for RHEL/7, so it can be installed with yum. (packagecloud is used to host the packages.)

$ curl -s https://packagecloud.io/install/repositories/linyows/octopass/script.rpm.sh | sudo bash
$ sudo yum install octopass-0.1.0-1.x86_64

ä»–ć®ćƒćƒ¼ć‚øćƒ§ćƒ³ć‚„ä»–ć®ćƒ‡ć‚£ć‚¹ćƒˆćƒŖćƒ“ćƒ„ćƒ¼ć‚·ćƒ§ćƒ³ć«ć¤ć„ć¦ćÆčæ½ć€…čæ½åŠ ć—ć¦ć„ćć¾ć™ćŒć€ ę‰‹ä¼ć£ć¦ć„ćŸć ć‘ć‚‹ę–¹ćŒć„ć‚Œć°éžåøø恫ꭓčæŽć§ć™ļ¼

To build and install from source:

# ä¾å­˜ćƒ‘ćƒƒć‚±ćƒ¼ć‚øć‚’ćƒ‡ć‚£ć‚¹ćƒˆćƒŖćƒ“ćƒ„ćƒ¼ć‚·ćƒ§ćƒ³ć«åæœć˜ć¦å…„ć‚Œć¦ćć ć•ć„
# glibc, libcurl, jansson
$ wget https://github.com/linyows/octopass/releases/download/v0.1.0/linux_amd64.zip
$ unzip linux_amd64.zip
$ mv octopass /usr/bin/
$ git clone https://github.com/linyows/octopass
$ cd nss
$ make && make install

Once installation is done, create the configuration file. Basically, all you do is write a Personal Access Token for calling the GitHub API as Token, and set the Organization and Team. One thing to watch out for: that Token is readable by other users, so it is wise to give it only read permission on GitHub Organization Members. The configuration items are listed under Configuration in README.md.

$ cat <<EOF > /etc/octopass.conf
Token = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
Organization = "hoge"
Team = "fuga"
EOF

ćć—ć¦ć€å„ćƒ•ć‚”ć‚¤ćƒ«ć®é …ē›®ć«äæ®ę­£ć‚’åŠ ćˆć¾ć™ć€‚

# /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/bin/octopass
AuthorizedKeysCommandUser root
UsePAM yes
PasswordAuthentication no

# /etc/pam.d/sshd:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

# /etc/nsswitch.conf:
passwd:     files octopass sss
shadow:     files octopass sss
group:      files octopass sss
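As an added example that is not part of octopass, the following Python pre-flight check covers what I would want to verify after writing the files above: that the world-readable Token carries no scope beyond read access to organization membership (GitHub reports a classic token's scopes in the X-OAuth-Scopes response header; read:org is the scope assumed here), that the sshd directives took effect as written, and that each nsswitch database consults files before octopass. The file contents and header values are constructed samples with deliberate mistakes, so the checks have something to report.

```python
"""Pre-flight checks for an octopass deployment as configured above.

Added example; not part of the octopass project. ALLOWED_SCOPES, the expected
sshd values and the sample inputs are constructed assumptions for illustration.
"""
import re
from typing import Dict, List

# read:org is the classic-token scope for reading org membership; anything
# beyond it is excess privilege for a token every local user can read.
ALLOWED_SCOPES = {"read:org"}

EXPECTED_SSHD = {
    "AuthorizedKeysCommand": "/usr/bin/octopass",
    "AuthorizedKeysCommandUser": "root",
    "UsePAM": "yes",
    "PasswordAuthentication": "no",
}


def excess_token_scopes(response_headers: Dict[str, str]) -> List[str]:
    """Scopes present on the token beyond ALLOWED_SCOPES (empty list is good).

    Pass the headers of any authenticated GitHub API response, e.g. from
    `curl -sI -H "Authorization: token $TOKEN" https://api.github.com/user`.
    """
    raw = response_headers.get("X-OAuth-Scopes", "")
    scopes = {s.strip() for s in raw.split(",") if s.strip()}
    return sorted(scopes - ALLOWED_SCOPES)


def check_octopass_conf(text: str) -> List[str]:
    """Token/Organization/Team must be present; Token must not be the placeholder."""
    kv = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))
    problems = [f"octopass.conf: {k} missing"
                for k in ("Token", "Organization", "Team") if not kv.get(k)]
    if kv.get("Token") and set(kv["Token"]) <= set("x"):
        problems.append("octopass.conf: Token is still the placeholder")
    return problems


def check_sshd_config(text: str) -> List[str]:
    """Compare effective directives (first occurrence wins, as in sshd) with EXPECTED_SSHD."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments
        if len(parts) == 2:
            seen.setdefault(parts[0], parts[1].strip())
    return [f"sshd_config: {k} should be {v!r}, got {seen.get(k)!r}"
            for k, v in EXPECTED_SSHD.items() if seen.get(k) != v]


def check_nsswitch(text: str) -> List[str]:
    """Each database must list octopass, and consult local files first."""
    problems = []
    for db in ("passwd", "shadow", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", text, re.M)
        sources = m.group(1).split() if m else []
        if "octopass" not in sources:
            problems.append(f"nsswitch.conf: {db} does not list octopass")
        elif sources[0] != "files":
            problems.append(f"nsswitch.conf: {db} should consult files before octopass")
    return problems


# Constructed samples mirroring the files in this post, each with one mistake.
SAMPLE_CONF = 'Token = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"\nOrganization = "hoge"\nTeam = "fuga"\n'
SAMPLE_SSHD = ("AuthorizedKeysCommand /usr/bin/octopass\nAuthorizedKeysCommandUser root\n"
               "UsePAM yes\nPasswordAuthentication yes   # weak: passwords still accepted\n")
SAMPLE_NSS = ("passwd:     files octopass sss\nshadow:     octopass files sss\n"
              "group:      files octopass sss\n")
SAMPLE_HEADERS = {"X-OAuth-Scopes": "repo, read:org, admin:org"}  # over-privileged token


def run_checks(conf: str = SAMPLE_CONF, sshd: str = SAMPLE_SSHD,
               nss: str = SAMPLE_NSS, headers: Dict[str, str] = SAMPLE_HEADERS) -> List[str]:
    problems = check_octopass_conf(conf) + check_sshd_config(sshd) + check_nsswitch(nss)
    extra = excess_token_scopes(headers)
    if extra:
        problems.append(f"token: excess scopes {extra}; reduce to read:org only")
    return problems


if __name__ == "__main__":
    for p in run_checks():
        print("FAIL", p)
```

Run against the real files and a real response header set, the function list comes back empty when the deployment matches this post; each sample above is wrong in exactly one place, so the shipped run reports four findings.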

With that, you can log in over SSH with your GitHub account and keys. If you are interested, please give it a try. Bug reports and the like are welcome in GitHub Issues!

Octopass: https://github.com/linyows/octopass

Next Ideas

恔ćŖćæć«ć€ę¬”ć®ę©Ÿčƒ½ćØć—ć¦č€ƒćˆć¦ć„ć‚‹ć®ćÆ恓恔悉恧恙怂

  • å…±ęœ‰ć‚¢ć‚«ć‚¦ćƒ³ćƒˆļ¼ˆćƒ‡ćƒ—ćƒ­ć‚¤ē”Øć®ćƒ¦ćƒ¼ć‚¶ćŖ恩
  • č¤‡ę•°ćƒ­ćƒ¼ćƒ«ļ¼ˆćƒćƒ¼ćƒ ćƒ»ć‚°ćƒ«ćƒ¼ćƒ—ļ¼‰ć®čح定
  • Github恮čŖčØ¼ć‚’VaultēµŒē”±ć§č”Œć†

ä½•ć‹ć‚¢ć‚¤ćƒ‡ć‚¢ć‚„č¦ęœ›ć‚’ćŠęŒć”ć®ę–¹ć„ć‚Œć°ć€ę°—č»½ć«Issueć«ęŠ•ć’ć¤ć‘ć¦ćć ć•ć„ć­ļ¼

ęœ€å¾Œć«ć€STNSć«ć¤ć„ć¦ä»•ę§˜ć®ē¢ŗčŖć‚’Slack恧@pyama갏ćØć—ć¦ćŸćØćć«ć€ć„ć„č©±ćŒå‡ŗć¦ććŸć®ć§ćŗ恟悊怂