LIAM - Linux Account Manager
============================

A tool for managing user and server SSH access to any number of servers.

Features
--------

* Easily manage SSH key access for all accounts on your servers.
* Manage user access and server-to-server access rules.
* Integrate with your LDAP directory service for user authorization.
* Automatically remove server access from people when they leave your company or team.
* Provide an easy interface for users to upload their own public keys.
* Designate server administrators and let them manage access to their server.
* Create group-based access rules for easy management.
* Specify SSH access options such as `command=`, `nopty` etc. on your access rules.
* All access changes are logged to the database and to the system logs. Granting of access is also reported by email.
* Be notified when a server becomes orphaned (has no active administrators).

Requirements
------------

* An LDAP directory service
* Apache 2.4 or higher
* PHP 7.2 or higher
* PHP JSON extension
* PHP LDAP extension
* PHP mbstring (Multibyte String) extension
* PHP MySQL extension
* PHP ssh2 extension
* MySQL (5.5+) or MariaDB database

Installation
------------

1. Clone the repo somewhere outside of your default Apache document root, e.g. `/var/www/liam_core`.

2. Add the following directives to your Apache configuration (e.g. the virtual host config):

    ```apache
    DocumentRoot /var/www/liam_core
    DirectoryIndex init.php
    FallbackResource /init.php
    ```

3. Create a MySQL user and database (run in the MySQL shell, replacing `password` with a strong password of your own):

    ```sql
    CREATE USER 'liam-user'@'localhost' IDENTIFIED BY 'password';
    CREATE DATABASE `liam-db` DEFAULT CHARACTER SET utf8mb4;
    GRANT ALL ON `liam-db`.* TO 'liam-user'@'localhost';
    ```

4. Copy the file `config/config-sample.ini` to `config/config.ini` and edit the settings as required.

5. Set up authnz_ldap for your virtual host (or any other authentication module that will pass an `Auth-user` variable on to the application).

6. Set `scripts/ldap_update.php` to run on a regular cron job.

7. Generate an SSH key pair to synchronize with. SSH Key Authority will expect to find the files as `config/keys-sync` and `config/keys-sync.pub` for the private and public keys respectively. The key must be in `pem` format. The following command will generate the key in the required format:

    ```sh
    ssh-keygen -t rsa -b 4096 -m PEM -C 'comment' -f config/keys-sync
    ```

8. Install the SSH key synchronization daemon. For systemd:

    1. Copy `services/systemd/keys-sync.service` to `/etc/systemd/system/`
    2. Modify the `ExecStart` path and `User` as necessary. If SSH Key Authority is installed under `/home`, disable `ProtectHome`.
    3. `systemctl daemon-reload`
    4. `systemctl enable keys-sync.service`

Usage
-----

Anyone in the LDAP group defined under `admin_group_cn` in `config/config.ini` will be able to manage accounts and servers.

Key distribution
----------------

SSH Key Authority distributes authorized keys to your servers via SSH. It does this by:

1. Connecting to the server with SSH, authenticating as the `keys-sync` user.
2. Writing the appropriate authorized keys to per-user files in `/var/local/keys-sync/` (e.g. all authorized keys for the root user will be written to `/var/local/keys-sync/root`).

This means that your SSH installation will need to be reconfigured to read authorized keys from `/var/local/keys-sync/`.

Please note that doing so will deny access to any existing SSH public key authorized in the default `~/.ssh` directories.

Under OpenSSH, the configuration changes needed in `sshd_config` are:

```
AuthorizedKeysFile /var/local/keys-sync/%u
StrictModes no
```

StrictModes must be disabled because the files will all be owned by the `keys-sync` user rather than by the account they grant access to; with StrictModes enabled, sshd refuses to read authorized keys files whose ownership or permissions it considers unsafe.

The file `/var/local/keys-sync/keys-sync` must exist, with the same contents as the `config/keys-sync.pub` file, in order for the synchronization daemon to authenticate.
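The two `sshd_config` directives and the `keys-sync` file requirement above can be verified offline before the daemon is enabled. The following is an added example, not code from LIAM or SSH Key Authority: it takes the contents of `sshd_config`, `config/keys-sync.pub` and `/var/local/keys-sync/keys-sync` as strings (reading them from disk is left to the caller) and assumes the directives are global rather than inside a `Match` block.

```python
"""Offline checks for the key distribution setup: added example, not part of
LIAM / SSH Key Authority. File contents are passed in as strings."""
from typing import Dict, List

KEYS_DIR = "/var/local/keys-sync"  # directory named in the README
SSHD_DEFAULT_AKF = [".ssh/authorized_keys", ".ssh/authorized_keys2"]  # sshd's default

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map each global keyword (lowercased) to its first value tokens; sshd keeps the
    first value it sees. Stops at the first Match block (assumption: directives are global)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd treats only a leading '#' as a comment
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1:])
    return conf

def check_sshd_config(text: str) -> List[str]:
    """Findings against the two README directives; an empty list means compliant."""
    conf = parse_sshd_config(text)
    findings: List[str] = []
    expected = f"{KEYS_DIR}/%u"
    akf = conf.get("authorizedkeysfile", SSHD_DEFAULT_AKF)
    if expected not in akf:
        findings.append(f"AuthorizedKeysFile does not include {expected}")
    extras = [p for p in akf if p != expected]
    if extras:  # sshd consults every listed file, so keys outside the synced dir stay valid
        findings.append("AuthorizedKeysFile also honours: " + " ".join(extras))
    if [v.lower() for v in conf.get("strictmodes", ["yes"])] != ["no"]:
        findings.append("StrictModes is not 'no'; sshd will reject files owned by keys-sync")
    return findings

def key_identity(line: str) -> str:
    """'type blob' of one public-key line, ignoring any options prefix and the comment."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return f"{tok} {parts[i + 1]}"
    return ""

def keys_sync_file_ok(pub_text: str, synced_text: str) -> bool:
    """True if the synced keys-sync file carries the key from config/keys-sync.pub."""
    want = key_identity(pub_text)
    return bool(want) and any(key_identity(ln) == want for ln in synced_text.splitlines())
```

The key comparison deliberately ignores the comment field, so a `keys-sync` file regenerated with a different `-C` comment still passes as long as the key blob matches.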

Screenshots
-----------

### Homepage overview

![Homepage overview](public_html/screenshot-home.png)

### Server listing

![Server listing](public_html/screenshot-servers.png)

### Server account access management

![Server account access management](public_html/screenshot-account.png)

### Activity log

![Activity log](public_html/screenshot-activity.png)

### Getting started guide for new users

![Getting started guide for new users](public_html/screenshot-getting-started.png)