# Sector Authentication

(formerly named ghteam-auth)

Using this program, you can grant login privileges on your servers to the members of a GitHub team or to the outside collaborators of your repository.

Implemented in Rust.
## How to use

- Generate an ssh key pair and upload the public key to GitHub
- Use the deb file to set up sectora on the server
  - You need a developer token with the following scopes
    - read:org
    - repo (optional)
- Log in to the server with your private key
## How to set up

See the Makefile for details.

- Copy the executables and the shared object to their paths
- Put the config file for this program in place
- Register the sectora daemon with systemd and enable it
- Configure the name service switch
- Configure sshd
- Configure PAM (optional)

An example Ansible setup is available.
## Copy the executables and the shared object

Put `sectora` and `sectorad` in `/usr/sbin/`.

Put `libnss_sectora.so` in `/usr/lib/` and create the versioned symlink that NSS looks for:

```sh
ln -s /usr/lib/libnss_sectora.so /usr/lib/libnss_sectora.so.2
```
## Config file

The minimal setting is as follows.

```toml
token = "YOUR_PERSONAL_TOKEN_STRING"
org = "YOUR_ORGANIZATION"

[[team]]
name = "YOUR_TEAM1"
gid = 2019 # gid for YOUR_TEAM1

[[team]]
name = "YOUR_TEAM2"
gid = 2020 # gid for YOUR_TEAM2
group = "YOUR_GROUP_NAME"

[[repo]]
name = "YOUR_REPO_NAME"
```

See `struct Config` in `structs.rs` for details.
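The following is an added example, not code from sectora itself: a small parser for the TOML subset shown in the config above (top-level `key = "string"` and `key = 123` pairs, `#` comments, and `[[team]]` / `[[repo]]` headers) plus a pre-deployment check. The check assumes, as the example above suggests, that `token` and `org` are required, that each `[[team]]` carries a `name` and an integer `gid`, and that two teams must not share a gid; consult `struct Config` in `structs.rs` for the authoritative field list. The `SAMPLE` config and its token value are constructed for the demonstration.

```python
"""Parse and sanity-check a sectora.toml of the shape shown in the README.

Added example, not part of sectora. Handles only the TOML subset the README
uses, so it runs with the standard library alone.
"""
import re

_PAIR = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')
_HEADER = re.compile(r'^\s*\[\[\s*([A-Za-z_][A-Za-z0-9_]*)\s*\]\]\s*$')

# Constructed sample (not a real token or organisation).
SAMPLE = '''
token = "ghp_constructed_example"
org = "example-org"

[[team]]
name = "ops"
gid = 2019 # gid for ops

[[team]]
name = "dev"
gid = 2020
group = "developers"

[[repo]]
name = "infra"
'''


def _strip_comment(line: str) -> str:
    # Drop a trailing `# ...` comment unless the `#` sits inside a string.
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        if ch == '#' and not in_str:
            break
        out.append(ch)
    return ''.join(out)


def _parse_value(raw: str):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'-?\d+', raw):
        return int(raw)
    raise ValueError(f'unsupported value: {raw!r}')


def parse_sectora_toml(text: str) -> dict:
    """Return {"token": ..., "org": ..., "team": [{...}], "repo": [{...}]}."""
    config: dict = {'team': [], 'repo': []}
    current = config  # table that receives the next key = value pair
    for lineno, line in enumerate(text.splitlines(), 1):
        line = _strip_comment(line).strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            config.setdefault(m.group(1), []).append({})
            current = config[m.group(1)][-1]
            continue
        m = _PAIR.match(line)
        if not m:
            raise ValueError(f'line {lineno}: cannot parse {line!r}')
        current[m.group(1)] = _parse_value(m.group(2))
    return config


def check_config(config: dict) -> list:
    """Return problems to fix before deploying; empty means it looks usable."""
    problems = []
    for key in ('token', 'org'):
        if not config.get(key):
            problems.append(f'missing required key: {key}')
        elif str(config[key]).startswith('YOUR_'):
            problems.append(f'{key} still holds the README placeholder')
    if not config['team'] and not config['repo']:
        problems.append('no [[team]] or [[repo]] entry: nobody can log in')
    seen_gids = {}  # gid -> team name, to catch two teams mapped to one group
    for team in config['team']:
        name = team.get('name')
        if name is None:
            problems.append('[[team]] entry without a name')
        gid = team.get('gid')
        if not isinstance(gid, int):
            problems.append(f'team {name!r} needs an integer gid')
        elif gid in seen_gids:
            problems.append(f'gid {gid} used by both {seen_gids[gid]!r} and {name!r}')
        else:
            seen_gids[gid] = name
    return problems


if __name__ == '__main__':
    cfg = parse_sectora_toml(SAMPLE)
    print(cfg)
    print(check_config(cfg) or 'config looks usable')
```

Running the check against the README's own template reports the `YOUR_` placeholders for `token` and `org`, which is the kind of mistake that otherwise only shows up as a failed login after the daemon is already running.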
## systemd

Put `/etc/systemd/system/sectora.service`:

```ini
[Unit]
Description=Sectora Daemon
After=network.target

[Service]
ExecStart=/usr/sbin/sectorad
Restart=always
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
```

then execute `systemctl enable sectora && systemctl start sectora`.
## Name service switch

Add the following lines to `/etc/nsswitch.conf`:

```
passwd: files sectora
shadow: files sectora
group: files sectora
```
## sshd

Add the following lines to `/etc/ssh/sshd_config`:

```
AuthorizedKeysCommandUser root
AuthorizedKeysCommand /usr/sbin/sectora key %u
UsePAM yes
```

In the case of an old sshd that does not pass the `%u` token, you need to create the following shell script and put it in your PATH (the config below assumes `/usr/sbin/sectora.sh`):

```sh
#!/bin/bash
# Wrapper for old sshd: forwards the user name sshd passes as the first argument.
/usr/sbin/sectora key "$1"
```

Also, sshd_config should then look like this:

```
AuthorizedKeysCommandUser root
AuthorizedKeysCommand /usr/sbin/sectora.sh
UsePAM yes
```
## PAM (optional)

Add the following lines to `/etc/pam.d/sshd`:

```
account requisite pam_exec.so quiet /usr/sbin/sectora pam
auth optional pam_unix.so not_set_pass use_first_pass nodelay
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
```

Also, comment out the following line:

```
# @include common-auth
```
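The name service switch, sshd and PAM steps above each edit a host file by hand, and a missing line only shows up as a failed login later. The script below is an added example, not part of sectora: each checker takes the text of one of those files and returns the deviations from the README's lines, so it can be run over copies of `/etc/nsswitch.conf`, `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` or, as in `main()`, over constructed samples. The function names, the `SECTORA_CMD` constant and the sample contents are assumptions made for the demonstration; since the PAM step is optional in the README, `check_pam_sshd` only applies to hosts where that step was carried out.

```python
"""Audit the host files the README's NSS, sshd and PAM steps edit.

Added example, not part of sectora. Pure text checks: nothing here reads
the live system unless you pass it the file contents yourself.
"""

SECTORA_CMD = '/usr/sbin/sectora'  # path the README installs the binary to


def check_nsswitch(text: str) -> list:
    """passwd, shadow and group must each list sectora, after files."""
    found = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        db, _, sources = line.partition(':')
        found[db.strip()] = sources.split()
    problems = []
    for db in ('passwd', 'shadow', 'group'):
        sources = found.get(db, [])
        if 'sectora' not in sources:
            problems.append(f'nsswitch.conf: {db} does not list sectora')
        elif sources[0] != 'files':
            # Keep the README order: local accounts must still resolve when
            # the daemon cannot reach GitHub.
            problems.append(f'nsswitch.conf: {db} should read "files sectora"')
    return problems


def check_sshd_config(text: str) -> list:
    """AuthorizedKeysCommand, AuthorizedKeysCommandUser and UsePAM as set above."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        # sshd honours the first occurrence of a keyword, so do the same.
        seen.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else '')
    problems = []
    cmd = seen.get('authorizedkeyscommand', '')
    if not cmd.startswith(SECTORA_CMD):
        problems.append(f'sshd_config: AuthorizedKeysCommand does not run {SECTORA_CMD}')
    elif cmd.startswith(SECTORA_CMD + ' key') and '%u' not in cmd:
        problems.append('sshd_config: AuthorizedKeysCommand lacks %u, so sectora '
                        'never learns which user is logging in')
    if 'authorizedkeyscommanduser' not in seen:
        problems.append('sshd_config: AuthorizedKeysCommandUser is not set '
                        '(sshd refuses to start without it)')
    if seen.get('usepam', '').lower() != 'yes':
        problems.append('sshd_config: UsePAM is not yes')
    return problems


def check_pam_sshd(text: str) -> list:
    """The sectora account line must be present and common-auth commented out."""
    problems = []
    has_sectora = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('@include common-auth'):
            problems.append('pam.d/sshd: "@include common-auth" is still active')
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if (len(fields) >= 4 and fields[0] == 'account'
                and fields[2] == 'pam_exec.so' and SECTORA_CMD in fields[3:]):
            has_sectora = True
    if not has_sectora:
        problems.append(f'pam.d/sshd: no "account ... pam_exec.so ... {SECTORA_CMD} pam" line')
    return problems


def main() -> None:
    # Constructed samples: one host set up as the README says, one not.
    good = {
        'nsswitch': 'passwd: files sectora\nshadow: files sectora\ngroup: files sectora\nhosts: files dns\n',
        'sshd': 'AuthorizedKeysCommandUser root\nAuthorizedKeysCommand /usr/sbin/sectora key %u\nUsePAM yes\n',
        'pam': 'account requisite pam_exec.so quiet /usr/sbin/sectora pam\n# @include common-auth\n',
    }
    bad = {
        'nsswitch': 'passwd: files\nshadow: files\ngroup: files\n',
        'sshd': 'AuthorizedKeysCommand /usr/sbin/sectora key\nUsePAM no\n',
        'pam': '@include common-auth\n',
    }
    for label, files in (('good', good), ('bad', bad)):
        found = (check_nsswitch(files['nsswitch']) + check_sshd_config(files['sshd'])
                 + check_pam_sshd(files['pam']))
        print(label, found or 'no problems')


if __name__ == '__main__':
    main()
```

The old-sshd variant with the `/usr/sbin/sectora.sh` wrapper passes `check_sshd_config` as well, since the `%u` check is only applied when the command is `sectora key` itself.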
## Personal settings

To set personal settings, use `$HOME/.config/sectora.toml` like this:

```toml
sh = "/path/to/login/shell"
pass = "PASSWORD_HASH_STRING"
```

Use the `mkpasswd` command to create your PASSWORD_HASH_STRING:

```sh
mkpasswd -S $(head -c 4 /dev/urandom|xxd -p) -m sha-512
```
## License

MIT

## Acknowledgements

This program is inspired by Octopass. Thank you.