liam-linux-account-manager/README.md

LIAM - Linux Account Manager
=======================

A tool for managing user and server SSH access to any number of servers.

Features
--------

* Easily manage SSH key access for all accounts on your servers.
* Manage user access and server-to-server access rules.
* Integrate with your LDAP directory service for user authorization.
* Automatically remove server access from people when they leave your company or team.
* Provides an easy interface for users to upload their own public keys.
* Designate server administrators and let them manage access to their server.
* Create group-based access rules for easy management.
* Specify SSH access options such as `command=`, `nopty` etc on your access rules.
* All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
* Be notified when a server becomes orphaned (has no active administrators).


Requirements
------------

* An LDAP directory service
* Apache 2.4 or higher
* PHP 7.2 or higher
* PHP JSON extension
* PHP LDAP extension
* PHP mbstring (Multibyte String) extension
* PHP MySQL extension
* PHP ssh2 extension
* MySQL (5.5+) or MariaDB database

Installation
------------

1.  Clone the repo somewhere outside of your default Apache document root. e.g.(/var/www/liam_core)

2.  Add the following directives to your Apache configuration (eg. virtual host config):

        DocumentRoot /var/www/liam_core
        DirectoryIndex init.php
        FallbackResource /init.php

3.  Create a MySQL user and database (run in MySQL shell):

        CREATE USER 'liam-user'@'localhost' IDENTIFIED BY 'password';
        CREATE DATABASE `liam-db` DEFAULT CHARACTER SET utf8mb4;
        GRANT ALL ON `liam-db`.* to 'liam-user'@'localhost';

4.  Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.

5.  Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user
    variable to the application).

6.  Set `scripts/ldap_update.php` to run on a regular cron job.

7.  Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as `config/keys-sync` and `config/keys-sync.pub`
    for the private and public keys respectively. The key must be in `pem` format. The following command will generate the key in the required format:

        ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync

8.  Install the SSH key synchronization daemon. For systemd:

    1.  Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
    2.  Modify `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
    3.  `systemctl daemon-reload`
    4.  `systemctl enable keys-sync.service`


Usage
-----

Anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.

Key distribution
----------------

SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:

1.  Connecting to the server with SSH, authorizing as the `keys-sync` user.
2.  Writing the appropriate authorized keys to named user files in `/var/local/keys-sync/` (eg. all authorized keys for the root user will be written to `/var/local/keys-sync/root`).

This means that your SSH installation will need to be reconfigured to read authorized keys from `/var/local/keys-sync/`.

Please note that doing so will deny access to any existing SSH public key authorized in the default `~/.ssh` directories.

Under OpenSSH, the configuration changes needed are:

    AuthorizedKeysFile /var/local/keys-sync/%u
    StrictModes no

StrictModes must be disabled because the files will all be owned by the keys-sync user.

The file `/var/local/keys-sync/keys-sync` must exist, with the same contents as the `config/keys-sync.pub` file in order for the synchronization daemon to authenticate.

Screenshots
-----------

### Homepage overview
![Homepage overview](public_html/screenshot-home.png)

### Server listing
![Server listing](public_html/screenshot-servers.png)

### Server account access management
![Server account access management](public_html/screenshot-account.png)

### Activity log
![Activity log](public_html/screenshot-activity.png)

### Getting started guide for new users
![Getting started guide for new users](public_html/screenshot-getting-started.png)
Initial Commit 2 years ago			`LIAM - Linux Account Manager`
			`=======================`

			`A tool for managing user and server SSH access to any number of servers.`

			`Features`
			`--------`

			`* Easily manage SSH key access for all accounts on your servers.`
			`* Manage user access and server-to-server access rules.`
			`* Integrate with your LDAP directory service for user authorization.`
			`* Automatically remove server access from people when they leave your company or team.`
			`* Provides an easy interface for users to upload their own public keys.`
			`* Designate server administrators and let them manage access to their server.`
			`* Create group-based access rules for easy management.`
			* Specify SSH access options such as `command=`, `nopty` etc on your access rules.
			`* All access changes are logged to the database and to the system logs. Granting of access is also reported by email.`
			`* Be notified when a server becomes orphaned (has no active administrators).`


			`Requirements`
			`------------`

			`* An LDAP directory service`
			`* Apache 2.4 or higher`
			`* PHP 7.2 or higher`
			`* PHP JSON extension`
			`* PHP LDAP extension`
			`* PHP mbstring (Multibyte String) extension`
			`* PHP MySQL extension`
			`* PHP ssh2 extension`
			`* MySQL (5.5+) or MariaDB database`

			`Installation`
			`------------`

			`1. Clone the repo somewhere outside of your default Apache document root. e.g.(/var/www/liam_core)`

			`2. Add the following directives to your Apache configuration (eg. virtual host config):`

			`DocumentRoot /var/www/liam_core`
			`DirectoryIndex init.php`
			`FallbackResource /init.php`

			`3. Create a MySQL user and database (run in MySQL shell):`

			`CREATE USER 'liam-user'@'localhost' IDENTIFIED BY 'password';`
			CREATE DATABASE `liam-db` DEFAULT CHARACTER SET utf8mb4;
			GRANT ALL ON `liam-db`.* to 'liam-user'@'localhost';

			4. Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.

			`5. Set up authnz_ldap for your virtual host (or any other authentication module that will pass on an Auth-user`
			`variable to the application).`

			6. Set `scripts/ldap_update.php` to run on a regular cron job.

			7. Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as `config/keys-sync` and `config/keys-sync.pub`
			for the private and public keys respectively. The key must be in `pem` format. The following command will generate the key in the required format:

			`ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync`

			`8. Install the SSH key synchronization daemon. For systemd:`

			1. Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
			2. Modify `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
			3. `systemctl daemon-reload`
			4. `systemctl enable keys-sync.service`


			`Usage`
			`-----`

			Anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.

			`Key distribution`
			`----------------`

			`SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:`

			1. Connecting to the server with SSH, authorizing as the `keys-sync` user.
			2. Writing the appropriate authorized keys to named user files in `/var/local/keys-sync/` (eg. all authorized keys for the root user will be written to `/var/local/keys-sync/root`).

			This means that your SSH installation will need to be reconfigured to read authorized keys from `/var/local/keys-sync/`.

			Please note that doing so will deny access to any existing SSH public key authorized in the default `~/.ssh` directories.

			`Under OpenSSH, the configuration changes needed are:`

			`AuthorizedKeysFile /var/local/keys-sync/%u`
			`StrictModes no`

			`StrictModes must be disabled because the files will all be owned by the keys-sync user.`

			The file `/var/local/keys-sync/keys-sync` must exist, with the same contents as the `config/keys-sync.pub` file in order for the synchronization daemon to authenticate.

			`Screenshots`
			`-----------`

			`### Homepage overview`
			`![Homepage overview](public_html/screenshot-home.png)`

			`### Server listing`
			`![Server listing](public_html/screenshot-servers.png)`

			`### Server account access management`
			`![Server account access management](public_html/screenshot-account.png)`

			`### Activity log`
			`![Activity log](public_html/screenshot-activity.png)`

			`### Getting started guide for new users`
			`![Getting started guide for new users](public_html/screenshot-getting-started.png)`
Initial commit 2 years ago