Skip to main content

Lightweight SSH key management on AWS EC2

Project description

Keymaker is the missing link between SSH and IAM accounts on Amazon AWS. It’s a stateless synchronization engine that securely manages the process of SSH public key sharing and verification, user and group synchronization, and home directory sharing (via optional EFS integration). You, the AWS account administrator, define or import user and group identities in IAM, and instances in your account dynamically retrieve and use those identities to authenticate your users. Keymaker is the modern, minimalistic alternative to LDAP or Active Directory authentication.

Installation

Run pip install keymaker.

On instances that accept SSH logins:

  • Run keymaker install.

  • Ensure processes launched by sshd have read access to IAM (most easily done by launching the instance with an instance profile/IAM role that has the IAMReadOnlyAccess policy attached).

Keymaker requires OpenSSH v6.2+, provided by Ubuntu 14.04+ and RHEL7+.

Usage

Run keymaker with no arguments to get usage information. In client mode (running on a computer that you will connect from), you can run keymaker <subcommand>, where subcommand is:

upload_key          Upload public SSH key for a user. Run this command for each user who will be accessing EC2 hosts.
list_keys           Get public SSH keys for a given or current IAM/SSH user.
disable_key         Disable a given public SSH key for a given or current IAM/SSH user.
enable_key          Enable a given public SSH key for a given or current IAM/SSH user.
delete_key          Delete a given public SSH key for a given or current IAM/SSH user.

Principle of operation

Amazon Web Services IAM user accounts provide the ability to add SSH public keys to their metadata (up to 5 keys can be added; individual keys can be disabled). Keymaker uses this metadata to authenticate SSH logins. Keymaker provides an integrated way for a user to upload their public SSH key to their IAM account with keymaker upload_key.

Run keymaker install on instances that you want your users to connect to. This installs three components:

  • An AuthorizedKeysCommand sshd configuration directive, which acts as a login event hook and dynamically retrieves public SSH keys from IAM for the user logging in, using the default boto3 credentials (which default to the instance’s IAM role credentials).

  • A pam_exec PAM configuration directive, which causes sshd to call keymaker-create-account-for-iam-user early in the login process. This script detects if a Linux user account does not exist for the authenticating principal but an authorized IAM account exists with the same name, and creates the account on demand.

  • A cron job that runs on your instance once an hour and synchronizes IAM group membership information. Only IAM groups whose names start with a configurable prefix (by default, keymaker_*) are synchronized as Linux groups.

As a result, users who connect to your instances over SSH are given access based on information centralized in your AWS account. Users must have an active IAM account with active matching SSH public keys in order for authentication to succeed. Users’ UIDs and group memberships are also synchronized across your instances, so any UID-based checks or group-based privileges remain current as well.

Security considerations

Integrating IAM user identities with Unix user identities has implications for your security threat model. With Keymaker, a principal with the ability to set SSH public keys on an IAM user account can impersonate that user when logging in to an EC2 instance. As an example, this can expand the scope of a compromised AWS secret key. You can mitigate this threat with an IAM policy restricting access to the UploadSSHPublicKey method.

EFS integration

Email kislyuk@gmail.com for details on the EFS integration.

Authors

  • Andrey Kislyuk

License

Licensed under the terms of the Apache License, Version 2.0.

https://travis-ci.org/kislyuk/keymaker.svg https://coveralls.io/repos/kislyuk/keymaker/badge.svg?branch=master https://img.shields.io/pypi/v/keymaker.svg https://img.shields.io/pypi/l/keymaker.svg https://readthedocs.org/projects/keymaker/badge/?version=latest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keymaker-0.4.3.tar.gz (10.5 kB view details)

Uploaded Source

Built Distribution

keymaker-0.4.3-py2.py3-none-any.whl (14.2 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file keymaker-0.4.3.tar.gz.

File metadata

  • Download URL: keymaker-0.4.3.tar.gz
  • Upload date:
  • Size: 10.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for keymaker-0.4.3.tar.gz
Algorithm Hash digest
SHA256 6ef30b79c9a1113ae8d7caee433251f1c8657a23a5b1d8ff1987349ca4a57590
MD5 cc2c145bfbd4524846a9d88448564c99
BLAKE2b-256 b4b58cd84ff0475c799a535711979fe8a7ab9fd7246bf43d74f7dd8becd25e76

See more details on using hashes here.

File details

Details for the file keymaker-0.4.3-py2.py3-none-any.whl.

File metadata

File hashes

Hashes for keymaker-0.4.3-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 393f49b1c3f08751a7af6e4bd9d11b1709a35b9ba085a203f12354ef82a217e4
MD5 6db84773a21d30285b05153e74a110a9
BLAKE2b-256 abadd0633129b35f8f74d2f1d21df6e13bd2389b7590380b0b1a28f07beee108

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page