Custom System Tutorials

This tutorial uses Styra, OPA, and Linux Pluggable Authentication Modules (PAM) to enforce fine-grained, host-level access controls over SSH and Sudo.

Linux-PAM can be configured to delegate authorization decisions to plugins (shared libraries). In this case, an OPA-based plugin is created and configured to authorize SSH access. The OPA-based Linux-PAM plugin used in this tutorial is available at open-policy-agent/contrib.

For this tutorial, use one of the following policies from Styra.

  • Admins can SSH into any host and run Sudo commands.
  • Developers can SSH into hosts with appropriate labels.
  • An operator can SSH into any host that has an open Jira ticket whose owner is the operator.
Note: Authentication (verifying user identity) is outside OPA's responsibility. This tutorial relies on identities being statically defined. In real-world scenarios, authentication can be delegated to SSH itself (authorized_keys) or other identity management systems.
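The three policies listed above, written as a Rego policy. This is an added example, not code from the tutorial or from the open-policy-agent/contrib PAM plugin; it assumes an input document of the form `{"user": "<login name>", "host": "<hostname>"}` rather than the plugin's real input schema, and the users, hosts and tickets are constructed sample data standing in for what a deployment would load into OPA.

```rego
package ssh_sudo.authz

import rego.v1

# Constructed sample data (placeholders, not real accounts or hosts).
users := {
	"alice": {"roles": {"admin"}, "labels": set()},
	"bob": {"roles": {"developer"}, "labels": {"web", "staging"}},
	"carol": {"roles": {"operator"}, "labels": set()}
}

hosts := {
	"web-1": {"labels": {"web", "prod"}},
	"db-1": {"labels": {"db", "prod"}}
}

tickets := [
	{"id": "OPS-1", "host": "db-1", "owner": "carol", "status": "open"},
	{"id": "OPS-2", "host": "web-1", "owner": "carol", "status": "closed"}
]

# Fail closed: unknown users or hosts match no rule and are denied.
default allow_ssh := false

default allow_sudo := false

# Admins can SSH into any host.
allow_ssh if "admin" in users[input.user].roles

# Developers can SSH into hosts that carry at least one of their labels.
allow_ssh if {
	"developer" in users[input.user].roles
	some label in hosts[input.host].labels
	label in users[input.user].labels
}

# An operator can SSH into a host that has an open Jira ticket owned by them.
allow_ssh if {
	"operator" in users[input.user].roles
	some ticket in tickets
	ticket.host == input.host
	ticket.status == "open"
	ticket.owner == input.user
}

# Only admins may run sudo commands.
allow_sudo if "admin" in users[input.user].roles
```

With the policy saved as policy.rego and an input file such as `{"user": "carol", "host": "db-1"}`, `opa eval -d policy.rego -i input.json 'data.ssh_sudo.authz.allow_ssh'` returns true, while the same user against web-1 (closed ticket) or any sudo check returns false.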