Custom System Tutorials
This tutorial uses Styra, OPA, and Linux Pluggable Authentication Modules (PAM) to enforce fine-grained, host-level access controls over SSH and Sudo.
Linux-PAM can be configured to delegate authorization decisions to plugins (shared libraries). In this case, an OPA-based plugin is created and configured to authorize SSH access. The OPA-based Linux-PAM plugin used in this tutorial is available at open-policy-agent/contrib.
For this tutorial, use one of the following policies from Styra.
- Admins can SSH into any host and run Sudo commands.
- Developers can SSH into hosts with appropriate labels.
- An operator can SSH into any host that has an open Jira ticket whose owner is the operator.
Authentication (verifying user identity) is outside OPA's responsibility. This tutorial relies on identities being statically defined. In real-world scenarios, authentication can be delegated to SSH itself (authorized_keys) or other identity management systems.