Instance needs password due to hardening policies

Problem

When using the Google Cloud ssh command, you get prompted for a Google Compute Engine instance password.

Environment

  • All Linux distributions

Solution

Some hardening policies that users apply at the Organization level, and that configuration management tools such as Puppet or Chef re-apply at regular intervals, revert the SSH configuration that the OS Login script google_oslogin_control sets up for instance access. This disables the SSH keys associated with the Linux user account that would otherwise authenticate the login.

Solution

  1. Design your OS hardening policies to accept the OS Login configuration; no security is gained by a policy that locks users out at regular intervals. Disabling and re-enabling OS Login does not help when the environment has configuration management tools (for example, Puppet or Chef) re-applying the policy at regular intervals.

Workaround

  1. Keep a copy of the google_oslogin_control script on the machine, or re-run it after the hardening policy is applied, but only if the hardening scripts do not run very frequently and no other way to fix the OS hardening policies is available. This is not a recommended approach.

Cause

OS Login simplifies SSH access management by linking your Linux user account to your Google identity. It adds a set of Pluggable Authentication Modules (PAM) configurations to authorize the user login, and it configures the Name Service Switch (NSS) so that OS Login user information can be resolved. If a hardening policy implemented by the user prevents OS Login from configuring NSS and adding its PAM modules, SSH access to the instance breaks and the instance falls back to displaying a password prompt.
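As an added example that is not part of the original article, the following POSIX shell check verifies that the NSS and PAM hooks described above are still present after a hardening run; the default file paths, the `oslogin` marker, and the sample file contents are assumptions and constructed data, not values taken from the article.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only check that the
# OS Login hooks are still present in the NSS and PAM configuration after a
# hardening run. The "oslogin" marker and the default file paths are
# assumptions about how OS Login registers itself; adjust them to your image.

# check_oslogin_config NSSWITCH_FILE PAM_SSHD_FILE
# Reports each missing hook; returns 0 only when both hooks are present.
check_oslogin_config() {
    nsswitch="$1"; pam_sshd="$2"; missing=0

    # NSS: passwd lookups must include the oslogin source, or sshd cannot
    # map the Google identity to a Linux account.
    if ! grep -Eq '^[[:space:]]*passwd:.*oslogin' "$nsswitch" 2>/dev/null; then
        echo "MISSING: oslogin source on the passwd line of $nsswitch"
        missing=1
    fi

    # PAM: the sshd stack must load an OS Login module; without it the
    # login falls through to password authentication (the prompt above).
    if ! grep -Eq '^[[:space:]]*(auth|account|session)[[:space:]].*oslogin' "$pam_sshd" 2>/dev/null; then
        echo "MISSING: oslogin module in $pam_sshd"
        missing=1
    fi
    return "$missing"
}

# Demo on constructed sample files: one intact pair and one where a
# hardening run has rewritten nsswitch.conf without the oslogin source.
demo_oslogin_check() {
    tmp=$(mktemp -d)
    printf 'passwd: compat oslogin\ngroup:  compat oslogin\n' > "$tmp/nss_ok"
    printf 'passwd: compat\ngroup:  compat\n' > "$tmp/nss_hardened"
    printf 'auth    required pam_oslogin_login.so\naccount required pam_unix.so\n' > "$tmp/pam_ok"
    echo "intact config:";   check_oslogin_config "$tmp/nss_ok" "$tmp/pam_ok" && echo "OK"
    echo "hardened config:"; check_oslogin_config "$tmp/nss_hardened" "$tmp/pam_ok" || echo "BROKEN"
    rm -rf "$tmp"
}

# Default: run the demo. To check the live host instead: sh oslogin_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_oslogin_config /etc/nsswitch.conf /etc/pam.d/sshd
else
    demo_oslogin_check
fi
```

Running the check from cron or from the configuration management tool itself, right after a hardening run, surfaces a reverted OS Login configuration before the next SSH login fails.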