
Is it possible to switch (su) IAM users when the VM instance enables OS Login?

Hello,

I started a VM instance with Debian, and I noticed OS Login can manage SSH access using IAM.

There are two employees in the organization whose accounts are user_a@example.com and user_b@example.com.

When I use the following command to connect to the instance,

gcloud compute ssh instance_name

it shows like this:

user_a_example_com@instance:~$
user_b_example_com@instance:~$

When trying to switch to another user, I am asked to enter a password.

I checked /etc/passwd and found that user_a and user_b do not exist.

Can someone please explain in detail the password management for IAM users?

1 ACCEPTED SOLUTION

As I mentioned, I would try it when the user has the OSLoginAdmin role, as that role has sudo access. If you can't sudo -i to root and then su - user_b_example_com, then you should be safe.

The users won't have a password, so there should be no way that I can see that you'd be able to make that switch. And if those users only have OSLogin, then you wouldn't be able to even sudo.

Can you even do a finger or id on the other user?


6 REPLIES

glen_yu
Google Developer Expert

Just think of OS Login like an LDAP server. When you authenticate there, it authenticates to LDAP via PAM modules. It's the same thing here, except it authenticates to IAM via PAM modules. Hence why you won't find any of those users in /etc/passwd ...because they're not local users.

While in an LDAP scenario you might have a user in there with a predefined username (i.e. raikyou), for IAM it's different as it's not a user directory and the "usernames" are generally e-mail addresses...and no Linux system is going to allow a user to be named "user_a@example.com", so the way GCP deals with it is to break it down to username_domain (and replace . with _)

i.e. rai.kyou@gmail.com becomes rai_kyou_gmail_com as the user name

or jbezos@amazon.ca becomes jbezos_amazon_ca

gcloud compute ssh handles the SSH key generation (or uses .ssh/google_compute_engine if you already have one in your cloud shell home dir) and exchange.
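As an added example (not code from this thread, and not part of Google's OS Login guest agent), the following POSIX shell script turns the username mapping glen_yu describes above and the sudo/su check from the accepted solution into something you can run on the VM and show the customer. It assumes a Debian VM with OS Login enabled, where the OS Login NSS module resolves IAM principals (so `getent passwd` finds them while `/etc/passwd` does not), that `getent`, `id`, `sudo` and `su` are installed, and that the sudo grant comes from the role the thread calls OSLoginAdmin (IAM name `roles/compute.osAdminLogin`). The accounts `user_a@example.com` and `user_b@example.com` are the ones from the question; the script name `oslogin_check.sh` in the usage line is made up.

```shell
#!/bin/sh
# Added example (not from the thread). On an OS Login VM, show that:
#   (a) IAM users are resolved through NSS, not /etc/passwd,
#   (b) `su` to another OS Login user cannot succeed, because the target
#       has no password to give, and
#   (c) only a principal that already has sudo (roles/compute.osAdminLogin)
#       can reach root and from there `su` to anyone.
# Assumes getent, id, sudo and su are present (Debian defaults).

# E-mail address -> OS Login POSIX username, as the reply describes:
# '@' and every '.' become '_'. The authoritative value is the `username`
# in `gcloud compute os-login describe-profile`; this is the derived form.
oslogin_username() {
    printf '%s\n' "$1" | tr '@.' '__'
}

# 0 if the name is a local account in /etc/passwd, 1 otherwise.
is_local_user() {
    grep -q "^$1:" /etc/passwd
}

# 0 if NSS (the OS Login NSS module on such a VM) can resolve the name.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Report where a name comes from: local, nss-only, or unknown.
user_source() {
    if is_local_user "$1"; then
        echo local
    elif nss_resolves "$1"; then
        echo nss-only
    else
        echo unknown
    fi
}

# 0 if the calling user can run commands via sudo without a password prompt
# (this is what the osAdminLogin role provides through the OS Login sudoers drop-in).
can_sudo() {
    sudo -n true >/dev/null 2>&1
}

# Non-interactive `su` to another user. With stdin closed, su cannot read a
# password and fails; an OS Login user has no password anyway.
try_su() {
    su - "$1" -c true </dev/null >/dev/null 2>&1
}

# The path the accepted solution describes: root first (sudo -i), then su.
# root is never asked for a password by su, so this succeeds for admins only.
try_su_via_root() {
    sudo -n su - "$1" -c true </dev/null >/dev/null 2>&1
}

report() {
    target=$(oslogin_username "$1")
    echo "target POSIX name : $target"
    echo "provided by       : $(user_source "$target")"
    if try_su "$target"; then
        echo "direct su         : SUCCEEDED (unexpected on an OS Login VM; investigate)"
    else
        echo "direct su         : denied (no password; expected)"
    fi
    if can_sudo; then
        echo "sudo              : available (osAdminLogin)"
        if try_su_via_root "$target"; then
            echo "sudo -i; su       : works, as the accepted solution predicts for admins"
        fi
    else
        echo "sudo              : not available (osLogin only); root is out of reach"
    fi
}

# Usage, run as user_a on the VM:  ./oslogin_check.sh user_b@example.com
if [ "$#" -eq 1 ]; then
    report "$1"
fi
```

Run it once as a user holding only `roles/compute.osLogin` and once as a user holding `roles/compute.osAdminLogin`; the first run shows "denied" for both paths, the second shows that the only way to become user_b is by going through root. That is the evidence the customer asked for: there is no password to learn, and the switch is gated entirely by the IAM role that grants sudo.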

Thanks for your reply.

Hence why you won't find any of those users in /etc/passwd ...because they're not local users.

Does this mean that I can't use su to switch users between user_a and user_b?

That, I'm not 100% sure about. I wouldn't think so, as it would be a huge security risk for one user to be able to impersonate another.

One other thing is you need to have the OSLoginAdmin role in order to sudo, I believe. So make sure your users have that in their role and then give it a try. As I mentioned earlier, I don't think that will work. What is your use case for being able to su to other users?

That, I'm not 100% sure about.  I woudn't think so as it would be a huge security risk for one user to able to impersonate another.

I also think this is a security risk.

In fact, it was the customer who asked me to prove whether it could switch between two users. And I did try that; I was asked to enter a password to switch users.

As you mentioned before, OS Login is like an LDAP server, and IAM users are not local users.

Does this mean that there is no way to know the password when switching users? I need to explain this to the customer.

Thanks.


Like you said, I must have the OSLoginAdmin role and know the root password in order to switch to root first and then switch to the other user.

Thank you very much!