Hi all.

I have a situation that I wonder if someone may have run into - or has a direction I should dig / develop in.

Let's say I have a system with 1M "users". Their public keys are stored in a database, and I can access them via a web call. I have a few servers which should allow those users access.

Some constraints to make it non-crazy. The users can only reverse tunnel. They need no state / home directories, etc. I've set the command in sshd_config to just echo "Nyet". All they do is try to connect with

    ssh -R *:0:localhost:<local-port> user@server -N

(while I have you - is there any other way to know what port was allocated, except for parsing stderr?)

Some great help was in this url: http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding (for anyone looking for info about reverse forwarding).

I was planning on just having the AuthorizedKeysCommand take the username, look up the keys from the webservice, and return them. Easy!

The trouble is that the user isn't created on the machine beforehand. But I actually don't want the user created, b/c I don't want to litter all these servers with little user directories. Users may be transient as well - so littering the directories of these machines with tons of data just causes many other problems (running out of inodes, disk-space, etc).

Any ideas?

Thanks!
Cary

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
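A sketch of the AuthorizedKeysCommand helper described in the message above, as an added example that is not part of the original post or of OpenSSH. The endpoint URL, the install path in the comment and the sample response are assumptions; it validates what the web service returns and pins every key to forwarding only, and it does not address the missing local account.

```python
#!/usr/bin/env python3
import base64
import re
import sys
import urllib.request

# Assumption: hypothetical lookup endpoint returning one public key per line.
KEY_SERVICE = "https://keys.example.internal/v1/keys/{user}"
# Forwarding only; the forced command mirrors the "Nyet" echo in the post.
OPTIONS = 'restrict,port-forwarding,command="echo Nyet"'
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
# Constructed sample response: one plain key, one line carrying its own option.
_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
SAMPLE = f"ssh-ed25519 {_BLOB} laptop\npty ssh-ed25519 {_BLOB}\n"

def fetch_keys(user):
    with urllib.request.urlopen(KEY_SERVICE.format(user=user), timeout=3) as r:
        return r.read().decode("utf-8", "replace")

def valid_key(line):
    """Return 'type base64' if the line is a bare key whose blob names that type."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None  # unknown type, or the line starts with key options
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    n = int.from_bytes(blob[:4], "big")  # length prefix of the type string
    if blob[4:4 + n].decode("ascii", "replace") != parts[0]:
        return None
    return f"{parts[0]} {parts[1]}"  # the comment field is dropped

def authorized_keys(user, fetch=fetch_keys):
    """Lines for sshd: our options first, then only keys that passed validation."""
    if not USER_RE.fullmatch(user):
        return []  # never put an unchecked name into the lookup URL
    keys = (valid_key(l.strip()) for l in fetch(user).splitlines())
    return [f"{OPTIONS} {k}" for k in keys if k]

if __name__ == "__main__":
    # sshd_config (assumed path): AuthorizedKeysCommand /usr/local/bin/lookup-keys %u
    if len(sys.argv) == 2:
        print("\n".join(authorized_keys(sys.argv[1])))
    else:  # offline run on the constructed response
        print("\n".join(authorized_keys("cary", lambda u: SAMPLE)))
```

Run without arguments it prints the single accepted line from the constructed response; sshd would call it with the username as the only argument.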