This is a mechanism for logging into a Linux machine with the credentials of an AWS IAM user.

Currently, if the user doesn't have a matching account in /etc/passwd, one is created by a helper script run through pam_exec.so. Because that helper runs as root and receives a username chosen by a client that has not yet authenticated, this is potentially unsafe, and the helper should accept only strictly validated usernames.

NOTE: If the user doesn't yet exist locally, the account is created on the first login attempt, but that attempt still fails to authenticate; the user has to log in a second time. This is because PAM does not notice a user that is created in the middle of an authentication.
Requirements:

- pam_python (I used the version from the Ubuntu repositories)
- pam_exec (to run the script that adds the user when they log in for the first time)
- An AWS account with IAM properly set up
Installation:

- Copy `usr/share/pam-configs/pam_config_python_iam` into `/usr/share/pam-configs`
- Ensure your IAM is set up properly (sign-in URL, a user with a login profile, etc.)
- Edit `lib/security/pam_iam.py` to set the AWS credentials. I recommend using a dedicated set of IAM credentials for this, with no more permissions than the module needs
- Copy `lib/security/pam_iam.py` to `/lib/security`
- Install the Python modules `boto` and `pyquery`
- Copy `usr/local/bin/mk-iam-user` to `/usr/local/bin`
- Run `pam-auth-update` and enable "PAM_Python Module with pam_iam.py". Save the config
- Try logging in using an IAM user's credentials
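The step that creates a missing local account is the one the note above calls potentially unsafe: pam_exec.so runs the helper as root and hands it the login name from the `PAM_USER` environment variable, which is whatever the remote client typed. The following is an added example of a hardened helper in the style of `mk-iam-user`; it is not the project's own script, and it assumes `useradd` lives at `/usr/sbin/useradd` and that the login shell should be `/bin/bash`. It refuses anything that is not a conservative POSIX-style username, never passes the name through a shell, and places `--` before the name so it can never be parsed as an option.

```python
#!/usr/bin/env python3
"""Hypothetical hardened account-creation helper for pam_exec.so.

Added example, not the project's mk-iam-user script. pam_exec.so exports the
PAM items as environment variables; PAM_USER is the login name supplied by the
(not yet authenticated) client, so it is untrusted input.
"""
import os
import pwd
import re
import subprocess
import sys

# Conservative POSIX-style names only: lowercase letter or underscore first,
# then letters, digits, underscore or hyphen, at most 32 characters total.
# A leading '-' is impossible, so the name can never look like an option.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Assumed location of useradd and the shell to assign (not from the page).
USERADD = "/usr/sbin/useradd"
LOGIN_SHELL = "/bin/bash"


def valid_username(name):
    """Return True only for names that are safe to hand to useradd."""
    return bool(name) and USERNAME_RE.match(name) is not None


def useradd_argv(name, shell=LOGIN_SHELL):
    """Build the useradd command as an argv list (no shell involved).

    The '--' terminates option parsing so the name is always taken literally.
    """
    return [USERADD, "-m", "-s", shell, "--", name]


def user_exists(name):
    """True if the name already resolves through NSS (/etc/passwd etc.)."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def create_user(environ=None, run=subprocess.run):
    """Entry point for pam_exec: returns the process exit status (0 = success).

    `environ` and `run` are injectable so the logic can be exercised without
    root and without touching the real account database.
    """
    env = os.environ if environ is None else environ
    name = env.get("PAM_USER", "")
    if not valid_username(name):
        print("mk-iam-user: refusing suspicious username", file=sys.stderr)
        return 1
    if user_exists(name):
        return 0  # nothing to do; never re-run useradd for an existing account
    # Minimal, fixed environment: nothing inherited from the login attempt.
    result = run(useradd_argv(name), env={"PATH": "/usr/sbin:/usr/bin:/bin"})
    return 0 if result.returncode == 0 else 1


if __name__ == "__main__":
    sys.exit(create_user())
```

Installed in place of a helper that interpolates `$PAM_USER` into a shell command, this keeps the account-creation step from turning a login prompt into root command execution; it does not change the first-login behaviour described in the note, since the account is still created before PAM can see it.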