Morning everyone, I have put into place the lbnns extension https://github.com/hivewing/libnss-ato It seems to always resolve every username to the same uid, with no password. I've set the shell to bin/false, and put the home dir to /dev/null as well. And it actually seems to work! On a connection request, the AuthorzedKeysCommand script is called with the right username, letting me look up the username in my webservice, and return the list of authorized_keys. Wonderful. I spent a good bit of time banging my head on the wall, trying to figure out why I could only get one connection through the sshd server before it would crash. It would accept one connection, every other connection request would be ignored. And once that one connection was closed, sshd would exit. I was running it like so: /usr/sbin/sshd -D -e -d -d -d And life was sad. very sad. I now run it just with /usr/sbin/sshd -D and it all seems to work. I'm not sure if anyone cares that it doesn't work with the three '-d's on there. but if anyone did care, I could try to help them get a reproducible case. Thanks to everyone who helped with suggestions! Cary On Fri, Feb 6, 2015 at 3:02 PM, Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> wrote: > On Fri 2015-02-06 14:30:13 -0500, Cary FitzHugh wrote: >> Hence - maybe a NSS User Database extension which looks for the >> public keys from a webservice (and then maybe writes them to >> /tmp/<username>. > > No, i'm suggesting that when you want to look up the user, use NSS to > find the username and map it to a numeric user ID and the other > information that is typically found in /etc/passwd. this doesn't write > anything to the local disk. > >> The AuthorzedKeysCommand could then just return the tmp/username information.. > > Then the AuthorizedKeysCommand can return the proper key material. > > --dkg _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev