{
    "info": {
        "author": "FullContact",
        "author_email": "ops+hesiod53@fullcontact.com",
        "bugtrack_url": null,
        "classifiers": [
            "Development Status :: 3 - Alpha",
            "Intended Audience :: Developers",
            "Intended Audience :: System Administrators",
            "License :: OSI Approved :: MIT License",
            "Operating System :: POSIX :: Linux",
            "Programming Language :: Python :: 2",
            "Programming Language :: Python :: 2.6",
            "Programming Language :: Python :: 2.7",
            "Topic :: System :: Systems Administration :: Authentication/Directory"
        ],
        "description": "# Hesiod + Route53\n\nThis is a system to manage UNIX users, groups, and ssh keys across an entire\nEC2 fleet using only DNS. This replaces more traditional services such as LDAP\nand Kerberos with Route53, which is much easier to manage.\n\nUser and group management is done with\n[Hesiod](https://en.wikipedia.org/wiki/Hesiod_(name_service)). This repository\nincludes a synchronization tool that configures a Route53 domain with the\nnecssary DNS entries based on a YAML file.\n\nFor ssh keys, an `AuthorizedKeysCommand` helper is included so that ssh public\nkeys can also be stored in DNS. When an ssh client tries to connect using\npublic key authentication, the helper will query DNS for the proper ssh keys,\nwhich it then provides to the OpenSSH daemon. This replaces individual\n`authorized_keys` files for each user.\n\n# Useful Tools\n\nIn addition to this library you might find the below useful.\n\nTo see how to setup your server to use Hesiod53 DNS for authentication.\n* [Ansible role](https://github.com/fullcontact/ansible-hesiod)\n\nTo create a yml dump from a Jumpcloud directory\n* [Jumpcloud](https://github.com/fullcontact/hesiod53-jumpcloud)\n\n## Route53 Sync\n\n### Installation\n\n```\nvirtualenv env\n. env/bin/activate\npip install /path/to/hesiod53\n```\n\n### Usage\n\nHighly suggested to use `--dry-run` first before actually running the command. This will show you what DNS will be altered on AWS Route53.\n\n    hesiod53 --dry-run USER_FILE\n\nTo actually commit your changes to AWS Route53 simply leave off the `--dry-run` option.\n\n    hesiod53 USER_FILE\n\nRun `hesiod53 -h` for full usage instructions.\n\nAn example user configuration file is in\n[`example_users.yml`](example_users.yml). Ensure you configure your Route53\nzone and domain correctly.\n\n## Hesiod Setup\n\n1. Install Hesiod. On Debian-like systems, this is the `hesiod` package.\n2. Configure `/etc/hesiod.conf`. An example hesiod configuration file is in\n   [`example_hesiod.conf`](example_hesiod.conf). Set lhs and rhs (left-hand\n   side and right-hand side) so that the concatenation of the two strings is\n   the domain you used in your user configuration file. Ensure that both lhs\n   and rhs start with a dot.\n3. Configure `/etc/nsswitch.conf`. For the `passwd` and `group` lines, add\n   hesiod, so that your configuration looks similar to the following:\n\n        passwd:         compat hesiod\n        group:          compat hesiod\n        shadow:         compat\n\nAt this point, if you setup everything properly, then you should be able to see\nuser information for users in DNS. `getent passwd USER` will return a\npasswd-like line showing the user information if everything is configured\ncorrectly.\n\n### Sudo Setup (Optional)\n\nIf you want your users to be able to use sudo, then it is recommended to add\nusers to groups and then grant sudo access to a group. Note that you have to\nallow sudo access without a password since users do not have passwords.\n\nExample sudo line to give group `wheel` sudo access:\n\n    %wheel ALL=(ALL) NOPASSWD:ALL\n\n## SSH Key Helper\n\n### Installation\n\nThe path of the ssh helper is critical for security. ssh will reject the use of\nany binary where the ownership is writable by anyone but root or any parent\ndirectory is writable by anyone but root. Thus, it is suggested to install to a\npath such as `/etc/ssh/authkeys.py`.\n\nIn addition, the ssh helper depends on\n[dnspython](pypi.python.org/pypi/dnspython). You can use the installation\nmethod for the sync utility with a virtualenv, or you can install the\n`python-dnspython` package on Debian-like systems.\n\n### Configuration\n\nEnsure that `/etc/hesiod.conf` is populated with your hesiod information. See\nthe Hesiod setup section, above.\n\nThen, in `sshd_config`, put the following options\n\n    AuthorizedKeysCommand /path/to/ssh/command.py\n    AuthorizedKeysCommandUser nobody\n\nThis will tell the ssh daemon to run the command to look up keys for a given\nuser *after* checking for any local keys by running the command as the user\n`nobody`.\n\n### PAM Configuration\n\nWith most default PAM setups, user authentication will not work if there is not\na shadow entry, which is not present if you are only using ssh key authentication.\n\nTo make user authentication work, ensure that the `broken_shadow` option is\npassed to `pam_unix.so` in your PAM account configuration. In Debian-like\nsystems, this can be found in `/etc/pam.d/common-account`.\n\nExample:\n\n    account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so broken_shadow",
        "description_content_type": null,
        "docs_url": null,
        "download_url": "UNKNOWN",
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://github.com/fullcontact/hesiod53",
        "keywords": "ssh",
        "license": "MIT",
        "maintainer": null,
        "maintainer_email": null,
        "name": "hesiod53",
        "package_url": "https://pypi.org/project/hesiod53/",
        "platform": "UNKNOWN",
        "project_url": "https://pypi.org/project/hesiod53/",
        "project_urls": {
            "Download": "UNKNOWN",
            "Homepage": "https://github.com/fullcontact/hesiod53"
        },
        "release_url": "https://pypi.org/project/hesiod53/0.1.0/",
        "requires_dist": null,
        "requires_python": null,
        "summary": "Utilities for using hesiod with route53",
        "version": "0.1.0"
    },
    "last_serial": 2196733,
    "releases": {
        "0.1.0": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "4f2706e632a575ddb3f68ef9f4e57da2",
                    "sha256": "8fce0bc80c6f5850f0729cc8ecdc90b5e24cfedd28afeefe90025c8634d0c53d"
                },
                "downloads": -1,
                "filename": "hesiod53-0.1.0.tar.gz",
                "has_sig": false,
                "md5_digest": "4f2706e632a575ddb3f68ef9f4e57da2",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 7455,
                "upload_time": "2015-06-29T20:00:55",
                "url": "https://files.pythonhosted.org/packages/25/cd/b518e571ed23f4f25b27bd9e6b37a500b0a41897ce64da0a1b2bcff17b2d/hesiod53-0.1.0.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "4f2706e632a575ddb3f68ef9f4e57da2",
                "sha256": "8fce0bc80c6f5850f0729cc8ecdc90b5e24cfedd28afeefe90025c8634d0c53d"
            },
            "downloads": -1,
            "filename": "hesiod53-0.1.0.tar.gz",
            "has_sig": false,
            "md5_digest": "4f2706e632a575ddb3f68ef9f4e57da2",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 7455,
            "upload_time": "2015-06-29T20:00:55",
            "url": "https://files.pythonhosted.org/packages/25/cd/b518e571ed23f4f25b27bd9e6b37a500b0a41897ce64da0a1b2bcff17b2d/hesiod53-0.1.0.tar.gz"
        }
    ]
}