This tutorial shows how you can use Styra, OPA, and Linux Pluggable Authentication Modules (PAM) to enforce fine-grained, host-level access controls over SSH and Sudo.
Linux-PAM can be configured to delegate authorization decisions to plugins (shared libraries). In this case, an OPA-based plugin is created and configured to authorize SSH access. The OPA-based Linux-PAM plugin used in this tutorial is available at open-policy-agent/contrib.
For this tutorial, use the following desired policy from Styra.
- Admins can SSH into any host and run Sudo commands.
- Developers can SSH into hosts with appropriate labels.
- An operator can SSH into any host that has an open JIRA ticket whose owner is the operator.
Authentication (verifying user identity) is outside the scope of OPA's responsibility. This tutorial relies on identities being statically defined. In real-world scenarios authentication can be delegated to SSH itself (authorized_keys) or other identity management systems.