How to integrate PAM and OPA together to get security control over SSH in Linux


Recently I was going through an RBAC tool, Open Policy Agent (OPA). There is a link on the OPA website to leverage security control for SSH and sudo using OPA. To make it work we have to use it with the Linux PAM module.

Please find below link:

https://www.openpolicyagent.org/docs/v0.12.2/ssh-and-sudo-authorization/

Here they have provided an example using a Docker image, where the PAM and OPA integration part is not clear, and my requirement is to leverage the OPA feature using PAM on a Linux system without a Docker image.

I googled it but didn't get any useful article. So it will be very helpful if anyone can provide or point me in the right direction with some example or reference link. Thanks in advance!


There are 2 best solutions below


You can download and run OPA as a self-contained executable without Docker being involved. See the downloads page from the official OPA pages.

You may then run OPA on your system the same way as instructed in the docs:

opa run --server --set=decision_logs.console=true

The OPA server will run on localhost:8181 by default - consult opa run --help for further options.


I implemented this at the company I work for and gave a high-level presentation of the overview of how it all works => https://www.youtube.com/watch?v=6vUw6f7KlqI

The video gives more of an overview, and not so much detail on how to configure PAM. However, I'd be happy to answer any follow-up questions about how we set up our PAM configuration, but basically we had OPA running as a systemd service on our Linux hosts, and added a pam_exec invocation to /etc/pam.d/sshd =>

auth sufficient pam_exec.so quiet /some/path/pam_opa_entrypoint.sh ssh

And the pam_opa_entrypoint.sh more or less looks like:

#!/bin/bash
# Invoked by pam_exec.so; PAM exports the user being authenticated as $PAM_USER.
# $1 is the argument given on the pam.d line (here "ssh") and selects the OPA
# package that is queried: /v1/data/linux/<service>.

# Build the OPA input document; jq --arg takes care of JSON-escaping the username.
INPUT_JSON=$(jq -n -c --arg username "$PAM_USER" '{input:{pam_username:$username}}')

# Ask OPA for a decision. The body is quoted so the JSON is passed as one argument.
OPA_RESULT_JSON=$(curl -s -X POST "https://opa.local/v1/data/linux/$1" \
    -H "Content-Type: application/json" -d "$INPUT_JSON")

# Extract the boolean. If OPA was unreachable or returned no decision this is
# "null" (or empty), which falls through to the failure branch below.
OPA_RESULT=$(jq -r '.result.allowed' <<< "$OPA_RESULT_JSON")

if [[ "$OPA_RESULT" == "true" ]]; then
    # Authorization success
    exit 0
else
    # Authorization failed (or no usable decision from OPA)
    exit 1
fi

The pam_exec.so approach is much more desirable than the Styra-provided examples of writing a PAM module in C.
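The answer above shows the PAM side but not the policy the script queries. The following is an added example policy, not code from the answerer, the question, or the OPA docs. It assumes the script is wired exactly as shown: pam.d passes ssh as the argument, so the POST goes to /v1/data/linux/ssh and the package must be linux.ssh; the script reads .result.allowed, so the rule must be named allowed. The user-to-role map and the set of roles permitted to open an SSH session are constructed sample data; in a real deployment they would be a data document loaded into OPA rather than hard-coded in the policy.

```rego
package linux.ssh

# Added example policy, not part of the original post.
# Queried by the pam_exec script as POST /v1/data/linux/ssh with
# input {"pam_username": "<user>"}; the script checks result.allowed.

# Fail closed: any username that matches no rule below is denied.
default allowed = false

# Constructed sample data (assumption): which roles each user holds.
user_roles = {
    "alice": ["admin"],
    "bob":   ["developer"],
    "carol": ["auditor"],
}

# Constructed sample data (assumption): roles that may open an SSH session.
ssh_roles = {"admin", "developer"}

# allowed is true when at least one of the user's roles is in ssh_roles.
# A username absent from user_roles has no roles, so the body never
# succeeds and the default (false) applies.
allowed {
    role = user_roles[input.pam_username][_]
    ssh_roles[role]
}
```

To check the policy offline before putting it behind PAM, write the input document the script would send (without the outer "input" wrapper, which opa eval adds itself) to input.json, e.g. {"pam_username": "carol"}, and run opa eval -d ssh.rego -i input.json 'data.linux.ssh.allowed'; alice and bob evaluate to true, carol and any unknown user to false. Note that the script exits 1 for anything other than the literal string true, so an unreachable OPA or a policy that fails to load is a denial from this module; because the pam.d line is marked sufficient, PAM then simply continues with the remaining modules in /etc/pam.d/sshd rather than rejecting the login outright, which is worth keeping in mind when deciding whether sufficient or required is the behaviour you want.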