On 12/10/2024 13:19, Qingtao Cao wrote:
Since there is no nss-ldap (not to mention sssd), a separate PAM
module has been used once the public key authentication is a success,
to allocate an unused uid/gid for the remote user, also creating its
home directory (which are all specified on the LDAP server but there
is no nss-ldap to fetch these configuration) so that the remote-only
user can login successfully.
How would the PAM module signal back to sshd which uid/gid has been
selected to switch to? Or are you thinking that sshd starts every
session as root, and you're expecting the PAM session module itself to
switch uid/gid?!
But will this bring about any unexpected vulnerability?
It sounds extremely insecure to me, if it were to work at all.
If you disagree, then I think you would need to lay out, in much more
detail, exactly how you expect PAM to handle the uid/gid switching (in
particular, what happens in each of the "auth", "account" and "session"
calls)
In any case, even after a user has logged in, you still need to map
uids<->usernames and gids<->groupnames - even for simple cases like
running "id" or "ls -l" - both for the currently logged-in user and all
other users. I don't think you can avoid nss_ldap or sssd. In which
case, just deploy it and then you don't need to mess with sshd.
That's unless you want all these external remote users to login as the
*same* uid - in which case, you can just create an entry for this shared
account in /etc/passwd.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev