Managing SSH access using IAM
- Emanuel Burgess
- Aug 7, 2023
- 3 min read
Updated: Aug 11, 2023

One of the biggest challenges for security teams is controlling, managing and auditing who has access to the SSH keys used to log in to their Google Compute Engine (GCE) instances. I’ve seen a lot of different strategies to address this, from various password management tools to copy-and-paste to custom scripts. Managing SSH keys with these traditional techniques forces a company to spend time and money keeping its keys safe. So what is a better way to manage user access at scale?
Managing ssh access at scale
OS Login is a tool that allows you to manage SSH access to GCE instances using IAM. OS Login simplifies VM access management by linking the Linux user account on the VM to a user's Google identity.
How it works
Let’s see how this works.

1. First, the infrastructure team creates a virtual machine in the assigned project via the console, gcloud or Terraform. During creation, the team needs to make sure that the metadata key-value pair enable-oslogin=TRUE is set. You can set this value at the instance level, or at the project level if you want to enable OS Login for all VMs in a project.
Note: When you set OS Login metadata, Compute Engine deletes the VM's authorized_keys files and no longer accepts connections with SSH keys that are stored in project or instance metadata.
2. Next, the administrator grants the Compute OS Login role or the Compute OS Admin Login role at the project or instance level. Any principal granted access at the project level inherits those permissions on the project's VMs. The admin can also grant the Service Account User role to allow a user to run operations as a service account.
3. Next, the principal can log in via the console or the gcloud command line.
Behind the scenes, a few modules work together to authenticate each SSH login:
- Name Service Switch (NSS) modules make OS Login user and group information available to the guest OS.
- A Pluggable Authentication Module (PAM) checks whether the user has the IAM permissions needed to SSH into the VM.
- An authorized keys command fetches the user's associated SSH keys from the metadata server.
Google Cloud leverages these tools to manage your ssh keys. To learn more about OS Login, see About OS Login.
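As an added audit example (not code from the original post or from Google), the Python below evaluates the effective enable-oslogin setting for each VM using the precedence Compute Engine applies (instance metadata overrides project metadata) and flags instances that still carry ssh-keys in metadata, which OS Login no longer honours. The project and instance records are constructed samples shaped like the JSON output of gcloud compute project-info describe and gcloud compute instances list; the case-insensitive comparison of the value is an assumption (the post uses TRUE).

```python
import json

# Constructed sample shaped like `gcloud compute project-info describe --format=json`.
PROJECT_JSON = json.dumps({
    "commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}
})

# Constructed samples shaped like `gcloud compute instances list --format=json`.
INSTANCES_JSON = json.dumps([
    {"name": "web-1", "metadata": {"items": []}},                        # inherits project
    {"name": "legacy-db", "metadata": {"items": [
        {"key": "enable-oslogin", "value": "FALSE"},                     # instance override
        {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAAconstructed alice"}]}},
    {"name": "bastion", "metadata": {"items": [
        {"key": "enable-oslogin", "value": "true"},
        {"key": "ssh-keys", "value": "bob:ssh-ed25519 AAAAconstructed bob"}]}},  # stale keys
])


def items_to_dict(block):
    """Flatten a Compute Engine metadata block ({"items": [{key, value}, ...]}) into a dict."""
    return {i["key"]: i.get("value", "") for i in (block or {}).get("items") or []}


def effective_oslogin(instance_md, project_md):
    """Instance-level enable-oslogin overrides project-level; absent at both levels means off."""
    value = instance_md.get("enable-oslogin", project_md.get("enable-oslogin", "FALSE"))
    return value.strip().upper() == "TRUE"   # assumption: TRUE/true treated alike


def audit(project_json, instances_json):
    """Return {instance name: {"oslogin": bool, "issues": [str, ...]}} for every VM."""
    project_md = items_to_dict(json.loads(project_json).get("commonInstanceMetadata"))
    findings = {}
    for inst in json.loads(instances_json):
        inst_md = items_to_dict(inst.get("metadata"))
        enabled = effective_oslogin(inst_md, project_md)
        issues = []
        if not enabled:
            issues.append("OS Login disabled: SSH access is not governed by IAM")
        if "ssh-keys" in inst_md:
            issues.append("ssh-keys present in metadata"
                          + (" (ignored once OS Login is on; remove to avoid confusion)" if enabled else ""))
        findings[inst["name"]] = {"oslogin": enabled, "issues": issues}
    return findings


if __name__ == "__main__":
    for name, f in audit(PROJECT_JSON, INSTANCES_JSON).items():
        print(name, "oslogin=%s" % f["oslogin"], *f["issues"], sep="  ")
```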
Accessing your VMs
If you are connecting to your OS Login enabled VM via the Google Cloud console, your public and private SSH keys are ephemeral: they expire after three minutes.
If you are connecting via the gcloud CLI, your public SSH key is stored in your Google Account and your private key is stored on your local machine in a file named google_compute_engine.
If you’re a Windows user, you can also use IAP Desktop. IAP Desktop lets you manage multiple SSH and Remote Desktop sessions in parallel, uses IAP TCP forwarding to connect to VMs, and also works for VMs that don’t have a public IP address.
You can also connect via a third-party tool like PuTTY or the Secure Shell Chrome app.
When using the gcloud CLI, by default your keys don’t expire unless you configure a new key. However, you can pass the --ttl flag when adding a key to set an expiration for it, for example:
gcloud compute os-login ssh-keys add --key-file=/home/user/.ssh/id_rsa.pub --ttl=30m
In both cases, your cloud identity provider sets your username.
If your admin hasn’t set up a username for you or if you are using a 3rd party tool to connect, Compute Engine will assign you a default user name in the following format:
USERNAME_DOMAIN_SUFFIX
Increased security
A good organization proactively improves its security to prevent potential attacks. OS Login also lets you enable two-factor authentication (2FA). This is a great way to add an extra layer of security to your VMs. 2FA consists of something you know (like a password) and something you have (like a token or a phone). Even if your password is leaked, a threat actor will still need to provide an additional secret to gain access. OS Login asks you to validate your identity with your Google Account's 2-Step Verification (2SV). To take advantage of OS Login 2FA you must first set up Google 2SV. Every time you connect to a VM, OS Login will prompt you for whatever second factor you've configured in 2SV.
In addition to 2FA, you can also monitor OS Login connection attempts with audit logs.
Conclusion
OS Login lets your organization manage SSH access through IAM, making it easier to manage sensitive credentials. This can ultimately save your company time and money, as well as help improve your security posture. Ready to dig deeper into OS Login? To get started, see Setting up OS Login.