This page describes the OS Login service and how it works. For information on setting up OS Login or for step-by-step instructions, see Setting up OS Login or Setting up OS Login with 2-step verification.
Use OS Login to manage SSH access to your instances using IAM without having to create and manage individual SSH keys. OS Login maintains a consistent Linux user identity across VM instances and is the recommended way to manage many users across multiple instances or projects.
Benefits of OS Login
OS Login simplifies SSH access management by linking your Linux user account to your Google identity. Administrators can easily manage access to instances at either an instance or project level by setting IAM permissions.
OS Login provides the following benefits:
Automatic Linux account lifecycle management - You can directly tie a Linux user account to a user's Google identity so that the same Linux account information is used across all instances in the same project or organization.
Fine grained authorization using Google IAM - Project and instance-level administrators can use IAM to grant SSH access to a user's Google identity without granting a broader set of privileges. For example, you can grant a user permissions to log into the system, but not the ability to run commands such as
sudo. Google checks these permissions to determine whether a user can log into a VM instance.
Automatic permission updates - With OS Login, permissions are updated automatically when an administrator changes IAM permissions. For example, if you remove IAM permissions from a Google identity, then access to VM instances is revoked. Google checks permissions for every login attempt to prevent unwanted access.
Ability to import existing Linux accounts - Administrators can choose to optionally synchronize Linux account information from Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) that are set up on-premises. For example, you can ensure that users have the same user ID (UID) in both your Cloud and on-premises environments.
How OS Login works
Google-provided public images include utilities and components to manage VM access. When you enable OS Login, a helper script activates these components and perform the following configurations:
- Configures an OpenSSH server with the
AuthorizedKeysCommandoption. This command retrieves the SSH keys associated with the Linux user account to authenticate the login attempt.
- Configures NSS (Name Service Switch) functionality to provide the OS Login user information to the operating system.
- Adds a set of Pluggable Authentication Modules (PAM) configurations to authorize the user login. PAM configurations perform IAM permission checks for login and administrative access. These PAM configurations also perform other tasks such as setting up the Linux user account's home directory.
For more detailed information about the OS Login components, review the OS Login GitHub page.