About OS Login

This page describes the OS Login service and how it works. To learn how to set up OS Login, see Set up OS Login.

Use OS Login to manage SSH access to your instances using IAM without having to create and manage individual SSH keys. OS Login maintains a consistent Linux user identity across VM instances and is the recommended way to manage many users across multiple VMs or projects.

Benefits of OS Login

OS Login simplifies SSH access management by linking your Linux user account to your Google identity. Administrators can easily manage access to instances at either an instance or project level by setting IAM permissions.

OS Login provides the following benefits:

  • Automatic Linux account lifecycle management - You can directly tie a Linux user account to a user's Google identity so that the same Linux account information is used across all instances in the same project or organization.

  • Fine grained authorization using Google IAM - Project and instance-level administrators can use IAM to grant SSH access to a user's Google identity without granting a broader set of privileges. For example, you can grant a user permissions to log into the system, but not the ability to run commands such as sudo. Google checks these permissions to determine whether a user can log into a VM instance.

  • Automatic permission updates - With OS Login, permissions are updated automatically when an administrator changes IAM permissions. For example, if you remove IAM permissions from a Google identity, then access to VM instances is revoked. Google checks permissions for every login attempt to prevent unwanted access.

  • Ability to import existing Linux accounts - Administrators can choose to optionally synchronize Linux account information from Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) that are set up on-premises. For example, you can ensure that users have the same user ID (UID) in both your Cloud and on-premises environments.

  • Integration with Google Account two-step verification - You can optionally require that OS Login users validate their identity using one of the following 2-step verification methods or challenge types when connecting to VMs:

  • Integration with audit logging - OS Login provides audit logging that you can use to monitor connections to VMs for OS Login users.

How OS Login works

When OS Login is enabled, Compute Engine performs configurations on VMs and the Google accounts of OS Login users.

VM configuration

Google-provided public images include utilities and components to manage VM access. When you enable OS Login, the following components and configurations are setup on the VM:

  • Deletes the VM's authorized_keys files.
  • Configures an OpenSSH server with the AuthorizedKeysCommand option. This command retrieves the SSH keys associated with the Linux user account to authenticate the login attempt.

  • Configures NSS (Name Service Switch) functionality to provide the OS Login user information to the operating system.

  • Adds a set of Pluggable Authentication Modules (PAM) configurations to authorize the user login. PAM configurations perform IAM permission checks for login and administrative access. These PAM configurations also perform other tasks such as setting up the Linux user account's home directory.

For more information about the OS Login components, review the OS Login GitHub page.

User account configuration

OS Login configures your Google account with POSIX information, including a username, when you do any of the following:

  • Connect to an OS Login-enabled VM using the Google Cloud console
  • Connect to an OS Login-enabled VM using the gcloud CLI
  • Import a public SSH key using the gcloud CLI
  • Import a public SSH key using the OS Login API

OS Login configures POSIX accounts with the following values:

  • Username: a username in the format of USERNAME_DOMAIN_SUFFIX. If the user is from a different Google Workspace organization than the one hosting their OS Login-enabled VMs, their username is prefixed with ext_. If the user is a service account, its username is prefixed with sa_.

    Cloud Identity administrators can modify usernames and Google Workspace super administrators can change the username format to remove the domain suffix.

  • UID: a unique, randomly-generated POSIX-compliant user ID.

  • GID: a POSIX-compliant group ID that is the same as the UID.

  • Home directory: the path to the user's home directory.

Organization administrators can configure and update a user's POSIX account information. For more information, see Modify user accounts using the Directory API.

What's next