github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/plugins/pam/README.md

# PAM Authorization Module for Trireme

The PAM Authorization module allows Trireme to be integrated with the Linux PAM framework. On every authorization
request to the PAM module, the plugin can intercept the login or sudo attempt and activate the user
in a specific network context where access to network resources is managed through the Trireme
end-to-end authorization process. A simple use case is to give specific network access to specific
users, such as the case of a jump-box in a cloud environment.

To build the module, simply run:

```bash
go build -buildmode=c-shared -o pam-module.so
```

The resulting shared object needs to be copied to the directory of PAM modules (usually /lib/x86_64-linux-gnu/security/). Once
it is installed there, you can configure PAM to invoke the plugin by adding the corresponding
directive to a service file; the module name in the directive must match the filename of the shared object you installed. For example, you can add this line to /etc/pam.d/sudo:

```
session required pam_aporeto_uidm.so in
```

Once this is installed, running `sudo -u <anyuser> /bin/bash` will cause the PAM module to send an event
to Trireme, and a unique network context will be activated for this user. Based on the user
information, one can select the right network policy to apply to the user.

You can achieve the same thing for the login shell by adding the directive to the
/etc/pam.d/login file.
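The install and configuration steps above as an added example script (not part of the Trireme project): it copies the built module into the PAM module directory and appends the directive to a service file only once, refusing to enable a `required` line whose module is not actually installed, since that would make every authentication through that service fail. The `PAM_MODULE_DIR` override, the function names and the `.bak` backup convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's own code: idempotent install of a PAM
# module plus its service-file directive, with a pre-check against lockout.
set -eu

# Defaults follow the README; override PAM_MODULE_DIR for a dry run (assumption).
PAM_MODULE_DIR="${PAM_MODULE_DIR:-/lib/x86_64-linux-gnu/security}"
PAM_DIRECTIVE="session required pam_aporeto_uidm.so in"

# install_module SRC DIR: copy the shared object into the PAM module directory
# and make it non-writable; a writable PAM module is a privilege-escalation path.
install_module() {
    src="$1"; dir="$2"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$dir"
    cp "$src" "$dir/"
    chmod 0644 "$dir/$(basename "$src")"
}

# add_pam_directive FILE DIRECTIVE MODDIR: append DIRECTIVE to a /etc/pam.d
# service file exactly once, keeping a FILE.bak copy of the previous version.
add_pam_directive() {
    file="$1"; directive="$2"; moddir="$3"
    # third field of "type control module [args]" is the module filename
    module=$(printf '%s\n' "$directive" | awk '{print $3}')
    [ -f "$file" ] || { echo "no such PAM service file: $file" >&2; return 1; }
    # A "required" line naming a module that is not installed makes every
    # authentication through this service fail, so refuse to add it.
    [ -f "$moddir/$module" ] || { echo "$module not found in $moddir" >&2; return 1; }
    if grep -qxF "$directive" "$file"; then
        return 0            # already enabled; nothing to do
    fi
    cp "$file" "$file.bak"
    printf '%s\n' "$directive" >> "$file"
}

# count_directive FILE DIRECTIVE: exact-line occurrences (used to verify idempotence)
count_directive() {
    grep -cxF "$2" "$1" || true
}
```

Run it as root against the real paths only after checking the service file with `count_directive`, because every edit to /etc/pam.d/sudo is live immediately.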