Is there any way to use IAM as a authentication "method" for PAM?

Specifically, running a chain of postfix, dovecot and nginx to provide a "nice" mail service to (not so many) users. All services share Pluggable Authentication Modules (PAM) as a possible authentication method. Currently, the system's "passwd" database is being used to authenticate against via PAM.

AWS Identity and Access Management (IAM) is a hard requirement. Therefore, any other service (like duosecurity) is not an option. Before I start to code a PAM module, I'm asking for your experience - how would you do it? Thanks!

jitter asked Mar 22 '23 17:03


1 Answer

This might not be what you are looking for, but it certainly qualifies as a way to use IAM as an authentication "method" for PAM:

Denis Mikhalkin's (denismo) aws-iam-ldap-bridge periodically populates an LDAP directory location with the users, groups and roles from AWS IAM, which in turn allows you to use libpam-ldap or libpam-ldapd and thereby implicitly authenticate the Linux users against AWS IAM using their AWS IAM Secret Keys as passwords.

Please note the following rather significant caveats:

  1. At the moment, the plugin requires a custom version of ApacheDS, so manual configuration is unlikely - see Configuring an existing ApacheDS LDAP server
  2. The default configuration is INSECURE; however, you are free to alter it to your requirements - see Security notes

Personal Assessment

While a native IAM PAM integration would be great (and also enable advanced use cases like AWS Multi-Factor Authentication (MFA)), I like the pragmatic approach to just facilitate the widely used LDAP integration instead - still I would definitely prefer a solution that ideally works with any compliant LDAP server, or at least with a stock ApacheDS distribution, in order to ease installation, maintainability and security assessments.

Steffen Opel answered Apr 06 '23 07:04
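The directory-population half of the approach described in the answer, as an added example that is not code from aws-iam-ldap-bridge or from either poster: IAM users and groups are mapped to posixAccount/posixGroup LDIF entries of the kind libpam-ldap or nslcd expects. The input is constructed, boto3-shaped sample data so the script runs offline; the base DN, the uid/gid range, the lowercase login-name rule and the "user:"/"group:" hash keys are all assumptions. It deliberately writes no userPassword: the secret-key check the answer describes is what the bridge's custom ApacheDS does at bind time, and nothing here verifies a credential.

```python
"""Map IAM users/groups to posixAccount/posixGroup LDIF for a PAM/LDAP client.

Added example, not aws-iam-ldap-bridge code. Assumptions: base DN, id range,
login-name regex and the sample data below are all constructed for illustration.
"""
import hashlib
import re

BASE_DN = "ou=iam,dc=example,dc=com"   # assumed base DN
ID_MIN, ID_SPAN = 20000, 40000         # assumed id range, clear of local /etc/passwd ids

# Assumed login-name rule (lowercase, like Debian adduser's default NAME_REGEX).
# IAM user names may contain + = , . @ which are not valid Linux login names.
POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed sample shaped like iam.list_users() / iam.get_group() responses
IAM_USERS = [
    {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice"},
    {"UserName": "bob-smith", "Arn": "arn:aws:iam::123456789012:user/bob-smith"},
    {"UserName": "ops+bot@example.com",
     "Arn": "arn:aws:iam::123456789012:user/ops+bot@example.com"},
]
IAM_GROUPS = {
    "mailusers": ["alice", "bob-smith", "ops+bot@example.com"],
    "Admins": ["alice"],   # valid IAM group name, but not lowercase
}


def stable_id(key):
    """Deterministic uid/gid from SHA-256 of the key, so repeated syncs keep ids stable."""
    h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")
    return ID_MIN + h % ID_SPAN


def posix_name(iam_name):
    """Return the IAM name if it is usable as a Linux login/group name, else None."""
    return iam_name if POSIX_NAME.match(iam_name) else None


def build_ldif(users, groups):
    """Return (ldif_text, skipped); skipped lists (name, reason) for anything not exported."""
    entries, skipped, used_ids = [], [], {}

    def claim(num, owner):
        # One uid/gid number per principal; a hash collision is reported, not silently merged.
        if num in used_ids and used_ids[num] != owner:
            return False
        used_ids[num] = owner
        return True

    exported = set()
    for u in users:
        name = posix_name(u["UserName"])
        if name is None:
            skipped.append((u["UserName"], "not a valid POSIX login name"))
            continue
        uid = stable_id("user:" + name)
        if not claim(uid, "user:" + name):
            skipped.append((name, f"uidNumber {uid} already taken by {used_ids[uid]}"))
            continue
        exported.add(name)
        entries.append("\n".join([
            f"dn: uid={name},ou=users,{BASE_DN}",
            "objectClass: inetOrgPerson",
            "objectClass: posixAccount",
            f"uid: {name}", f"cn: {name}", f"sn: {name}",
            f"uidNumber: {uid}", f"gidNumber: {uid}",   # user-private group, same number
            f"homeDirectory: /home/{name}",
            "loginShell: /usr/sbin/nologin",            # mail-only users get no shell
            f"description: {u['Arn']}",
        ]))
        # No userPassword attribute: credential checking is the bridge's job, not LDIF's.

    for gname, members in groups.items():
        name = posix_name(gname)
        if name is None:
            skipped.append((gname, "not a valid POSIX group name"))
            continue
        gid = stable_id("group:" + name)
        if not claim(gid, "group:" + name):
            skipped.append((name, f"gidNumber {gid} already taken by {used_ids[gid]}"))
            continue
        lines = [f"dn: cn={name},ou=groups,{BASE_DN}", "objectClass: posixGroup",
                 f"cn: {name}", f"gidNumber: {gid}"]
        # Only members that were actually exported become memberUid values
        lines += [f"memberUid: {m}" for m in members if m in exported]
        entries.append("\n".join(lines))

    return "\n\n".join(entries) + "\n", skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(IAM_USERS, IAM_GROUPS)
    print(ldif)
    for name, reason in skipped:
        print(f"# skipped {name}: {reason}")
```

Loading this LDIF into a stock LDAP server gives a tree that nslcd or pam_ldap can enumerate, but nobody can bind to it, because no password attribute exists; that is the safe default and also exactly the gap the custom ApacheDS in the bridge fills, which is why the answer's preference for a stock-server solution matters for security review.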