Manage SSH key access for all accounts on your servers with an easy web-interface for users to upload their own public keys.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
Michael Reber 30b5d7c51b Initial Commit 11 months ago
config Initial Commit 11 months ago
extensions Initial Commit 11 months ago
migrations Initial Commit 11 months ago
model Initial Commit 11 months ago
public_html Initial Commit 11 months ago
scripts Initial Commit 11 months ago
systemd-service Initial Commit 11 months ago
templates Initial Commit 11 months ago
views Initial Commit 11 months ago
.gitignore Initial Commit 11 months ago
README.md Initial Commit 11 months ago
core.php Initial Commit 11 months ago
email.php Initial Commit 11 months ago
ldap.php Initial Commit 11 months ago
pagesection.php Initial Commit 11 months ago
requesthandler.php Initial Commit 11 months ago
router.php Initial Commit 11 months ago
routes.php Initial Commit 11 months ago

README.md

LIAM - Linux Account Manager

A tool for managing user and server SSH access to any number of servers.

Features

  • Easily manage SSH key access for all accounts on your servers.
  • Manage user access and server-to-server access rules.
  • Integrate with your LDAP directory service for user authorization.
  • Automatically remove server access from people when they leave your company or team.
  • Provides an easy interface for users to upload their own public keys.
  • Designate server administrators and let them manage access to their server.
  • Create group-based access rules for easy management.
  • Specify SSH access options such as command=, nopty etc on your access rules.
  • All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
  • Be notified when a server becomes orphaned (has no active administrators).

Requirements

  • An LDAP directory service
  • Apache 2.4 or higher
  • PHP 7.2 or higher
  • PHP JSON extension
  • PHP LDAP extension
  • PHP mbstring (Multibyte String) extension
  • PHP MySQL extension
  • PHP ssh2 extension
  • MySQL (5.5+) or MariaDB database

Installation

  1. Clone the repo somewhere outside of your default Apache document root. e.g.(/var/www/liam_core)

  2. Add the following directives to your Apache configuration (eg. virtual host config):

    DocumentRoot /var/www/liam_core
    DirectoryIndex init.php
    FallbackResource /init.php
    
  3. Create a MySQL user and database (run in MySQL shell):

    CREATE USER 'liam-user'@'localhost' IDENTIFIED BY 'password';
    CREATE DATABASE `liam-db` DEFAULT CHARACTER SET utf8mb4;
    GRANT ALL ON `liam-db`.* to 'liam-user'@'localhost';
    
  4. Copy the file config/config-sample.ini to config/config.ini and edit the settings as required.

  5. Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user variable to the application).

  6. Set scripts/ldap_update.php to run on a regular cron job.

  7. Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as config/keys-sync and config/keys-sync.pub for the private and public keys respectively. The key must be in pem format. The following command will generate the key in the required format:

    ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync
    
  8. Install the SSH key synchronization daemon. For systemd:

    1. Copy services/systemd/keys-sync.service to /etc/systemd/system/
    2. Modify ExecStart path and User as necessary. If SSH Key Authority is installed under /home, disable ProtectHome.
    3. systemctl daemon-reload
    4. systemctl enable keys-sync.service

Usage

Anyone in the LDAP group defined under admin_group_cn in config/config.ini will be able to manage accounts and servers.

Key distribution

SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:

  1. Connecting to the server with SSH, authorizing as the keys-sync user.
  2. Writing the appropriate authorized keys to named user files in /var/local/keys-sync/ (eg. all authorized keys for the root user will be written to /var/local/keys-sync/root).

This means that your SSH installation will need to be reconfigured to read authorized keys from /var/local/keys-sync/.

Please note that doing so will deny access to any existing SSH public key authorized in the default ~/.ssh directories.

Under OpenSSH, the configuration changes needed are:

AuthorizedKeysFile /var/local/keys-sync/%u
StrictModes no

StrictModes must be disabled because the files will all be owned by the keys-sync user.

The file /var/local/keys-sync/keys-sync must exist, with the same contents as the config/keys-sync.pub file in order for the synchronization daemon to authenticate.

Screenshots

Homepage overview

Homepage overview

Server listing

Server listing

Server account access management

Server account access management

Activity log

Activity log

Getting started guide for new users

Getting started guide for new users