Hi --
I've got a situation where I have a very large number of "users", one where I can't be sure all my user accounts would fit on a single machine.
Additionally - all the users are going to do is set up reverse tunnels. They can only auth via the authorized_keys as well. And they don't
I've looked around and a PAM module may be the ticket - hence my joining the list.
Does anyone have a suggestion / direction for how to go about doing this?
I have found a few PAM modules which let you create users on the fly - but I don't have a good way to clean them up after the fact.
My current "best guess":
* PAM module accepts any username and looks it up in a webservice for keys.
* Changes the user to a uuid, creates the .authorized-keys file and drops the keys in there.
* Somehow - knows when the ssh auth is completed, and removes the directory.
My current "ideal":
* PAM module accepts any username and looks it up in a webservice for keys.
* Puts those keys into a PAM env-var
* Changes the user to a standard, can't-do-anything-but-reverse-tunnel user
* Somehow... those authorized-keys :( get put into the ssh workflow
Hoping someone had a suggestion.
Or maybe all of this is just a big misuse of PAM / SSH and I should just write a server in Go or something that checks the keys, opens ports, etc.
Thanks for any thoughts!
Cary FitzHugh
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list