
Demonstrate the Policy Enforcement

This section explains how to demonstrate policy enforcement on the front-end host.

  • SSH in as ops
  • SSH in as Dave
  • SSH in as Alice
  • SSH in as bob

Use the following instructions as policy enforcement examples.

SSH in as ops

To demonstrate the policy enforcement, SSH into the front-end host as ops using the following command:

ssh -p 2222 ops@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

You will be prompted for the secret and Jira ticket. The values you enter at the secret and Jira ticket prompts are not important for this first demonstration.

Your OPA policy allows the SSH because ops is an admin.

The following shows the output for the SSH command.

$ ssh -p 2222 ops@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.9.184-linuxkit x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Tue Oct 15 15:25:07 2019 from 172.18.0.1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ exit

SSH in as Dave

To demonstrate the policy enforcement, SSH into the front-end host as Dave using the following command:

ssh -p 2222 dave@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

You will be prompted for the secret and Jira ticket. The values you enter at the secret and Jira ticket prompts are not important for this demonstration.

Your OPA policy will allow the SSH because Dave is in the dev group.

The following shows the output for the SSH command.

$ ssh -p 2222 dave@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.9.184-linuxkit x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ exit

SSH in as Alice

To demonstrate the policy enforcement, SSH into the front-end host as Alice using the following command:

ssh -p 2222 alice@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

You will be prompted for the secret and Jira ticket.

  • For the secret, press ENTER.
  • For the Jira ticket, enter jira-654.

Your OPA policy will allow the SSH because Alice is the owner of the Jira ticket jira-654 and that ticket is for the front-end server running on port number 2222 with host_id 1234.

The following shows the output for the SSH command.

$ ssh -p 2222 alice@localhost   -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.9.184-linuxkit x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ exit

SSH in as bob

To demonstrate the policy enforcement, SSH into the front-end host as bob using the following command:

ssh -p 2222 bob@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

You will be prompted for the secret and Jira ticket.

  • For the secret, press ENTER.
  • For the Jira ticket, enter jira-654.

Your OPA policy will not allow the SSH because bob is not the owner of Jira ticket jira-654.

The following shows the output for the SSH command.

$ ssh -p 2222 bob@localhost -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
Welcome to the OPA-PAM demonstration.
Please enter your secret:
Please enter your Jira ticket: `jira-654`
bob@localhost: Permission denied (keyboard-interactive).

$ exit

You will see verbose logs from sudo as the PAM module processes the request. These are intended to show you how the PAM module works. You can disable verbose logging by changing the log_level argument in the PAM configuration. For more details, see the PAM configuration documentation.
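The four decisions above (ops allowed as admin, Dave allowed via the dev group, Alice allowed as owner of jira-654 for host_id 1234 on port 2222, bob denied) follow one rule chain. The following is an added example, not the OPA-PAM project's own policy or data: a Python model of that chain evaluated over constructed role, group and ticket data, so you can see which condition admits or rejects each user.

```python
# Added example (not the OPA-PAM project's code): a Python model of the
# authorization rules walked through on this page, evaluated over constructed data.

# Constructed data. The host_id and port values are the ones the page cites.
ROLES = {"ops": "admin"}                      # users with an admin role
GROUPS = {"dave": ["dev"]}                    # group membership per user
TICKETS = {                                   # Jira tickets: owner and target host
    "jira-654": {"owner": "alice", "host_id": "1234", "port": 2222},
}
HOST = {"host_id": "1234", "port": 2222}      # the front-end host being logged into


def allow(user, ticket=None, host=HOST):
    """Decide an SSH login request and return (decision, reason).

    The rule order mirrors the demonstration:
      1. an admin is always allowed;
      2. a member of the dev group is allowed;
      3. anyone else must supply a Jira ticket that they own and that is
         bound to this host's host_id and port.
    The value typed at the secret prompt plays no part in these rules, which
    is why the page says it does not matter for the first demonstrations.
    """
    if ROLES.get(user) == "admin":
        return True, f"{user} is an admin"
    if "dev" in GROUPS.get(user, []):
        return True, f"{user} is in the dev group"
    t = TICKETS.get(ticket or "")
    if t is None:
        return False, f"no such ticket {ticket!r}"
    if t["owner"] != user:
        return False, f"{user} is not the owner of {ticket}"
    if (t["host_id"], t["port"]) != (host["host_id"], host["port"]):
        return False, f"{ticket} is not for host_id {host['host_id']} on port {host['port']}"
    return True, f"{user} owns {ticket} for host_id {host['host_id']} on port {host['port']}"


if __name__ == "__main__":
    for user, ticket in [("ops", ""), ("dave", ""), ("alice", "jira-654"), ("bob", "jira-654")]:
        decision, reason = allow(user, ticket)
        print(f"{user:6} {'allow' if decision else 'deny ':5} {reason}")
```

The last check in allow is what keeps a valid ticket from being reused against a different front-end host; a ticket for another host_id or port is refused even for its owner.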