go-libnss-etcd

command module
v0.0.0-...-7cf9b87 Latest
Published: Dec 27, 2022 License: MIT Imports: 17 Imported by: 0

README

⚠️ Avoid relying on Go for shared libraries. The Go runtime uses signals it assumes are otherwise unused for its own concurrency management (since Go 1.14, SIGURG for goroutine preemption), which is not a safe assumption inside an arbitrary host process that loads an NSS module. Assumptions like this are why the version of Go cannot be updated for go-libnss, and they make Go less predictable when building shared libraries.

The current recommendation is instead to build services that speak existing protocols such as LDAP.

go-libnss-etcd

A libnss module and commands for managing additional users in etcd.

Note: At this time go-libnss-etcd works, but nss-etcd-passwd needs rigorous testing before it should ever go into production, because it is expected to always run as root. If you need that command in production, I recommend not installing it setuid root (the setuid bit is what lets unprivileged users run it as root).

To get this package run:

go get -d github.com/protosam/go-libnss-etcd

Since Go 1.18, go get only manages dependencies and no longer builds or installs anything, so the -d flag is redundant; cloning the repository and building in it as described below is the simpler route.

Simple Installation (Quick and Lazy)

Do the steps in the section Locking Down ETCD
Do the steps in the section Configuration Files
Run this as root:

# make && make install

Apply the /etc/nsswitch.conf example shown in the Installing libnss_etcd.so.2 section.

After that you should be done. Just use the management tools documented in the last section of this README.

Building Manually

There are 3 parts to compile this. There is the libnss_etcd.so.2 shared library, the nss-etcd-manage CLI tool, and the nss-etcd-passwd CLI tool.

Compiling libnss_etcd.so.2 is done by running the following command.

CGO_CFLAGS="-g -O2 -D __LIB_NSS_NAME=etcd" go build --buildmode=c-shared -o libnss_etcd.so.2 libnss-etcd.go etcd-db.go

The nss-etcd-manage CLI tool is used for managing users and groups in etcd. Compiling it is done by running:

go build -o nss-etcd-manage etcd-db.go nss-etcd-manage.go

Lastly there is nss-etcd-passwd, for user password changes. It is compiled by running:

go build -o nss-etcd-passwd etcd-db.go nss-etcd-passwd.go

Installation

The install process is broken up into a few parts: locking down your etcd keystore a bit, putting the compiled files into place, and setting the setuid bit on nss-etcd-passwd. Do the following after compiling the binaries and you should be in business.

Additional note: SELinux does not like allowing these users to log in through SSH. I personally just disable SELinux, because it causes a lot of unnecessary hassle. However, if you can't disable SELinux because you need the additional security it provides, please troubleshoot this (setenforce 0 followed by ausearch -m AVC will show the denials that need policy) and share in the issues section what steps I need to add for setting contexts and whatnot. I'll be happy to add them to this README.

Locking Down ETCD

You will need to set a password for root, create a read-only and a read-write role for go-libnss-etcd, and then enable authentication. Below is some dead simple copy/paste you can use. If you add the exported variables to your .bashrc for easy use later, be aware that the etcd root password then sits in plaintext in that file (and the commands below also leave it in your shell history); running etcdctl --user root with no password makes etcdctl prompt for it interactively instead.

# export ETCDCTL_API=3
# etcdctl user add 'root:YOUR_ROOT_ETCD_PASSWORD_HERE'
# export ETCDCTL_USER='root:YOUR_ROOT_ETCD_PASSWORD_HERE'
# etcdctl user add nss-ro:YOUR_READ_ONLY_PASSWORD_HERE
# etcdctl user add nss-rw:YOUR_READ_WRITE_PASSWORD_HERE
# etcdctl role add nss-ro
# etcdctl role add nss-rw
# etcdctl role grant-permission nss-ro --prefix=true read /etc/passwd
# etcdctl role grant-permission nss-ro --prefix=true read /etc/group
# etcdctl role grant-permission nss-rw --prefix=true readwrite /etc/passwd
# etcdctl role grant-permission nss-rw --prefix=true readwrite /etc/group
# etcdctl role grant-permission nss-rw --prefix=true readwrite /etc/shadow
# etcdctl user grant-role nss-ro nss-ro
# etcdctl user grant-role nss-rw nss-rw
# etcdctl auth enable

The last line is what actually turns the roles on; until then etcd answers every client without credentials. After it, nss-ro can only read the /etc/passwd and /etc/group prefixes, and nss-rw can read and write all three prefixes, /etc/shadow included.
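To check the intended separation before touching a live cluster, here is an added example (not part of go-libnss-etcd) that models etcd's prefix RBAC exactly as granted above. It assumes etcd's documented semantics, namely that a prefix grant covers every key starting with that prefix and that readwrite implies read; the key names under each prefix (such as /etc/passwd/alice) are made up for the checks.

```go
package main

import (
	"fmt"
	"strings"
)

// Perm is one prefix grant on a role, i.e. one
// "etcdctl role grant-permission ROLE --prefix=true TYPE KEY" line.
type Perm struct {
	Prefix string
	Type   string // "read" or "readwrite"
}

// Roles maps a role name to its grants; Users maps an etcd user to its roles.
type Roles map[string][]Perm
type Users map[string][]string

// NSSRoles and NSSUsers mirror the etcdctl commands in this README.
var NSSRoles = Roles{
	"nss-ro": {{"/etc/passwd", "read"}, {"/etc/group", "read"}},
	"nss-rw": {{"/etc/passwd", "readwrite"}, {"/etc/group", "readwrite"}, {"/etc/shadow", "readwrite"}},
}
var NSSUsers = Users{"nss-ro": {"nss-ro"}, "nss-rw": {"nss-rw"}}

// Allowed reports whether user may perform op ("read" or "write") on key.
// Assumed etcd semantics: a prefix grant covers every key that starts with
// the prefix, and "readwrite" implies "read".
func Allowed(users Users, roles Roles, user, op, key string) bool {
	for _, r := range users[user] {
		for _, p := range roles[r] {
			if !strings.HasPrefix(key, p.Prefix) {
				continue
			}
			if p.Type == "readwrite" || (op == "read" && p.Type == "read") {
				return true
			}
		}
	}
	return false
}

// Verify runs the checks that encode this README's security goals and
// returns a description of every violation; empty means the layout is right.
// Key names under the prefixes are constructed for the example.
func Verify(users Users, roles Roles) []string {
	checks := []struct {
		user, op, key string
		want          bool
	}{
		{"nss-ro", "read", "/etc/passwd/alice", true},
		{"nss-ro", "read", "/etc/group/wheel", true},
		{"nss-ro", "read", "/etc/shadow/alice", false}, // world-readable creds must not reach hashes
		{"nss-ro", "write", "/etc/passwd/alice", false},
		{"nss-rw", "read", "/etc/shadow/alice", true},
		{"nss-rw", "write", "/etc/shadow/alice", true},
		{"nss-rw", "write", "/etc/hostname", false}, // rw role stays confined to its prefixes
	}
	var bad []string
	for _, c := range checks {
		if got := Allowed(users, roles, c.user, c.op, c.key); got != c.want {
			bad = append(bad, fmt.Sprintf("%s %s %s: got %v want %v", c.user, c.op, c.key, got, c.want))
		}
	}
	return bad
}

func main() {
	bad := Verify(NSSUsers, NSSRoles)
	for _, v := range bad {
		fmt.Println("VIOLATION:", v)
	}
	if len(bad) == 0 {
		fmt.Println("role layout matches the intended policy")
	}
}
```

The live equivalent of the third check is etcdctl --user nss-ro:YOUR_READ_ONLY_PASSWORD_HERE get --prefix /etc/shadow, which must fail with a permission denied error once auth is enabled. One caveat the model makes visible: a grant on the bare prefix /etc/passwd also covers keys such as /etc/passwd-old, so if the module keeps entries as /etc/passwd/<name> (an assumption here), granting the prefix with its trailing slash is tighter.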

Configuration Files

For non-privileged users, libnss_etcd.so.2 and nss-etcd-passwd will use /etc/nss-etcd.conf. The contents of this config file are JSON with the following data:

{
	"Endpoints": ["http://localhost:2379"],
	"DialTimeout": 2,
	"Username": "nss-ro",
	"Password":	"YOUR_READ_ONLY_PASSWORD_HERE",
	"MinXID": 2000
}

For privileged users like root, libnss_etcd.so.2, nss-etcd-manage, and nss-etcd-passwd will use /etc/nss-etcd-root.conf. The contents of this config file are JSON with the following data:

{
	"Endpoints": ["http://localhost:2379"],
	"DialTimeout": 2,
	"Username": "nss-rw",
	"Password":	"YOUR_READ_WRITE_PASSWORD_HERE",
	"MinXID": 2000
}

After you've created the config files, set their permissions so that the read-only file is readable by everyone (any lookup performed by an unprivileged process has to read it) while the read-write file is readable by root only:

# chmod u=rw,g=r,o=r /etc/nss-etcd.conf
# chmod u=rw,g=,o= /etc/nss-etcd-root.conf

This means every local user can read the nss-ro password, which is acceptable only because that role cannot read the /etc/shadow prefix; never reuse the nss-rw password there. The http:// endpoint in the examples is fine for localhost, but against a remote etcd it sends the credentials in the clear, so use https:// (TLS) endpoints for anything off-host.
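As an added example (not the project's own code), here is how a Go tool could load these files and apply the checks the permissions above imply but do not enforce: it picks the root or non-root file by effective UID as described, refuses a root config that anyone but root can read, and flags plain http:// endpoints that are not loopback. The struct field names come from the JSON shown; the rule that MinXID is the lowest UID/GID served and must stay above the system range is an assumption, and the sample config embedded in main is constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"os"
)

// Config mirrors the JSON layout of /etc/nss-etcd.conf and /etc/nss-etcd-root.conf.
type Config struct {
	Endpoints   []string `json:"Endpoints"`
	DialTimeout int      `json:"DialTimeout"`
	Username    string   `json:"Username"`
	Password    string   `json:"Password"`
	MinXID      int      `json:"MinXID"`
}

// ConfigPath returns the file for the given effective UID, as the README describes.
func ConfigPath(euid int) string {
	if euid == 0 {
		return "/etc/nss-etcd-root.conf"
	}
	return "/etc/nss-etcd.conf"
}

// CheckMode rejects a root config that group or others can read (want 0600).
func CheckMode(mode os.FileMode, privileged bool) error {
	if privileged && mode.Perm()&0077 != 0 {
		return fmt.Errorf("root config mode %04o is readable by non-root; want 0600", mode.Perm())
	}
	return nil
}

// InsecureEndpoints lists endpoints that would carry the credentials in the
// clear off-host: plain http to anything other than loopback.
func InsecureEndpoints(cfg *Config) []string {
	var bad []string
	for _, e := range cfg.Endpoints {
		u, err := url.Parse(e)
		if err != nil || u.Scheme != "http" {
			continue // https (or unparsable) is not the plaintext case
		}
		if h := u.Hostname(); h != "localhost" && h != "127.0.0.1" && h != "::1" {
			bad = append(bad, e)
		}
	}
	return bad
}

// ParseConfig decodes the JSON and validates the required fields.
func ParseConfig(data []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	switch {
	case len(cfg.Endpoints) == 0:
		return nil, errors.New("Endpoints must not be empty")
	case cfg.Username == "" || cfg.Password == "":
		return nil, errors.New("Username and Password are required")
	case cfg.MinXID < 1000:
		// Assumption: MinXID is the lowest UID/GID the module serves. Keeping it
		// above the system range stops etcd entries from shadowing local accounts.
		return nil, fmt.Errorf("MinXID %d overlaps system accounts; use 1000 or higher", cfg.MinXID)
	}
	return &cfg, nil
}

// LoadConfig reads the file for euid and runs the mode check before parsing.
func LoadConfig(euid int) (*Config, error) {
	path := ConfigPath(euid)
	st, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if err := CheckMode(st.Mode(), euid == 0); err != nil {
		return nil, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return ParseConfig(data)
}

// sampleConf is a constructed copy of the non-root layout with one off-host
// endpoint added, so the example runs without the real files in place.
const sampleConf = `{
	"Endpoints": ["http://localhost:2379", "http://etcd.internal:2379"],
	"DialTimeout": 2,
	"Username": "nss-ro",
	"Password": "YOUR_READ_ONLY_PASSWORD_HERE",
	"MinXID": 2000
}`

func main() {
	// Real use would be LoadConfig(os.Geteuid()); the sample keeps this runnable.
	cfg, err := ParseConfig([]byte(sampleConf))
	if err != nil {
		fmt.Fprintln(os.Stderr, "config:", err)
		os.Exit(1)
	}
	for _, e := range InsecureEndpoints(cfg) {
		fmt.Println("warning: plaintext etcd endpoint off-host:", e)
	}
	if err := CheckMode(0644, true); err != nil {
		fmt.Println("root config check:", err)
	}
	fmt.Printf("would connect to %v as %s, serving ids >= %d\n", cfg.Endpoints, cfg.Username, cfg.MinXID)
}
```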

Installing Binaries

Copy nss-etcd-manage to /sbin/ and nss-etcd-passwd to /bin/. nss-etcd-passwd needs the setuid bit so that it runs as root and can update the shadow entries when users change their own passwords:

cp nss-etcd-manage /sbin/
cp nss-etcd-passwd /bin/
chown root:root /bin/nss-etcd-passwd /sbin/nss-etcd-manage
chmod u=rwx,g=rx,o=rx /sbin/nss-etcd-manage
chmod u=rwxs,g=rx,o=rx /bin/nss-etcd-passwd

Keep the chown before the chmod: changing ownership clears the setuid bit on Linux, and a setuid binary must be owned by root for the bit to do anything useful.

Installing libnss_etcd.so.2

Copy libnss_etcd.so.2 to /lib64/ (or wherever your system's shared library directory is) and update /etc/nsswitch.conf so the passwd, shadow and group databases include etcd, like so:

passwd:     files etcd sss
shadow:     files etcd sss
group:      files etcd sss

The users stored in etcd should now be visible to the system (getent passwd testuser is a quick check). Drop sss from the lines if you don't run sssd; it is only there because the example host did.

Management Tools

nss-etcd-manage is used to manage user and group entries. Both it and nss-etcd-passwd take the password on the command line, so it ends up in your shell history and is briefly visible in the process list to other users; keep that in mind on shared hosts.

To add new users to libnss-etcd:

# nss-etcd-manage user add --username="testuser" --password="password" --uid=2000 --gid=2000 --comment="Is stored in etcd." --homedir="/home/testuser" --shell="/bin/bash"

To delete existing users from libnss-etcd

# nss-etcd-manage user delete --username="testuser"

To add a new group to libnss-etcd:

# nss-etcd-manage group add --groupname="testguys" --gid=2001

To delete a group from libnss-etcd:

# nss-etcd-manage group delete --groupname="testguys"

To add a member to a group in libnss-etcd:

# nss-etcd-manage group add-member --groupname="testguys" --username="testuser"

To remove a member from a group in libnss-etcd:

# nss-etcd-manage group remove-member --groupname="testguys" --username="testuser"

nss-etcd-passwd is used to change passwords for users.

As the root user you can run the following to change a user's password. Only root can use the --username flag.

# nss-etcd-passwd --username john --password new_password

As a libnss-etcd user, you can run the following to change your own password (this is the case that relies on the setuid bit set during installation).

$ nss-etcd-passwd --password new_password

Documentation

There is no documentation for this package.
