
Demonstrate the Policy Enforcement
ENTERPRISE

This section explains how to demonstrate policy enforcement on the frontend host by logging in as four different users:

  • SSH in as ops.
  • SSH in as Dave.
  • SSH in as Alice.
  • SSH in as Bob.

Follow the instructions below for each user.

SSH in as ops

To demonstrate the policy enforcement, SSH into the frontend host as ops using the following command:

ssh -p 2222 ops@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Now, you will be prompted for the secret and Jira ticket. The values for secret and Jira ticket prompts are not important for this first demonstration.

Your OPA policy will allow the SSH because ops is an admin.

The following shows the output for the SSH command.

$ ssh -p 2222 ops@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.9.184-linuxkit x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Tue Oct 15 15:25:07 2019 from 172.18.0.1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ exit

SSH in as Dave

To demonstrate the policy enforcement, SSH into the frontend host as Dave using the following command:

ssh -p 2222 dave@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Now, you will be prompted for the secret and Jira ticket. The values for secret and Jira ticket prompts are not important for this demonstration.

Your OPA policy will allow the SSH because Dave is in the dev group.

The following shows the output for the SSH command.

$ ssh -p 2222 dave@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.9.184-linuxkit x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ exit

SSH in as Alice

To demonstrate the policy enforcement, SSH into the frontend host as Alice using the following command:

ssh -p 2222 alice@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Now, you will be prompted for the secret and Jira ticket.

  • For the secret, hit ENTER.
  • For the Jira ticket, enter jira-654.

Your OPA policy will allow the SSH because Alice is the owner of the Jira ticket jira-654 and that ticket is for the frontend server running at port number 2222 with host_id 1234.

The following shows the output for the SSH command.

$ ssh -p 2222 alice@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.9.184-linuxkit x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ exit

SSH in as Bob

To demonstrate the policy enforcement, SSH into the frontend host as Bob using the following command:

ssh -p 2222 bob@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Now, you will be prompted for the secret and Jira ticket.

  • For the secret, hit ENTER.
  • For the Jira ticket, enter jira-654.

Your OPA policy will deny the SSH because Bob is not the owner of Jira ticket jira-654, so the PAM module rejects the login after the retries are exhausted.

The following shows the output for the SSH command.

$ ssh -p 2222 bob@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
bob@localhost: Permission denied (keyboard-interactive).

$ exit
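To make the four outcomes above easy to trace, here is an added example (not the tutorial's own OPA policy, and not the pam_opa module's input format) that models the same rules in plain Python: admins always pass, members of the dev group pass, and anyone else must own a Jira ticket issued for this exact host. The policy data (admins, group membership, ticket ownership, host_id 1234 and port 2222) is constructed to match the walkthrough, and the secret prompt is not evaluated, matching the page's statement that its value is not important for the demonstration.

```python
# Added example: a plain-Python model of the authorization rules this page
# demonstrates. Data values are constructed to mirror the walkthrough.
from dataclasses import dataclass

# Constructed policy data: ops is an admin, dave is in the dev group, and
# jira-654 belongs to alice for the frontend host (host_id 1234, port 2222).
POLICY_DATA = {
    "admins": {"ops"},
    "groups": {"dev": {"dave"}},
    "tickets": {
        "jira-654": {"owner": "alice", "host_id": 1234, "port": 2222},
    },
}

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

def authorize(user, jira_ticket, host_id, port, data=POLICY_DATA):
    """Return the access decision for one SSH attempt.

    Rules, in the order the page introduces them:
      1. admins are always allowed;
      2. members of the dev group are allowed;
      3. otherwise the user must own the given Jira ticket, and the ticket
         must be for this host (host_id and port must both match).
    The secret prompt is deliberately not evaluated (see lead-in).
    """
    if user in data["admins"]:
        return Decision(True, f"{user} is an admin")
    if user in data["groups"].get("dev", set()):
        return Decision(True, f"{user} is in the dev group")
    ticket = data["tickets"].get(jira_ticket)
    if ticket is None:
        return Decision(False, f"unknown ticket {jira_ticket!r}")
    if ticket["owner"] != user:
        return Decision(False, f"{user} is not the owner of {jira_ticket}")
    if (ticket["host_id"], ticket["port"]) != (host_id, port):
        return Decision(False, f"{jira_ticket} is not for host {host_id}:{port}")
    return Decision(True, f"{user} owns {jira_ticket} for host {host_id}:{port}")

if __name__ == "__main__":
    # Replay the four logins from the walkthrough against the frontend host.
    for user, ticket in [("ops", ""), ("dave", ""), ("alice", "jira-654"), ("bob", "jira-654")]:
        d = authorize(user, ticket, host_id=1234, port=2222)
        print(f"{user:6} ticket={ticket or '-':9} allow={d.allow} ({d.reason})")
```

Note that a ticket owned by Alice but issued for a different host_id or port is also denied, which is the check that stops a single ticket from granting access fleet-wide.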

You will see a lot of verbose logs from sudo as the PAM module goes through the motions. This is intended for you to study how the PAM module works. You can disable verbose logging by changing the log_level argument in the PAM configuration. For more details, see the PAM configuration documentation.