On 06/02/15 16:53, Cary FitzHugh wrote:
> I've got a situation where I have a very large number of "users", one
> where I can't be sure all my user accounts would fit on a single machine.
> Additionally - all the users are going to do is set up reverse tunnels.
> They can only auth via the authorized_keys as well. And they don't
They don't what? Execute commands?
It sounds to me as though you could perhaps give them all access to the
same unprivileged uid (similar to the way all git pushes to github go
via ssh://git@xxxxxxxxxx), and use "forced commands" in the
authorized_keys file to restrict them to setting up port-forwarding but
not terminals, command execution or whatever. Confining that
unprivileged uid to a very restrictive chroot or container would
probably also be a good idea. No PAM required, except possibly for
rlimits and chroot.
Related:
http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding
S
--
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
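The shared-uid, forced-command setup Simon describes, as an added example that is not from the thread or from the OpenSSH project: a POSIX shell helper that emits one authorized_keys line per tenant key for the shared unprivileged uid, using the OpenSSH `restrict`, `port-forwarding` and `permitlisten` options (OpenSSH 7.8 or later) so that each key can only open a reverse tunnel on its own port, plus an audit function for the resulting file. The one-port-per-tenant policy, the `tenant-` comment prefix and the audit heuristic are my assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSH >= 7.8 (permitlisten)
# and tenants that connect with "ssh -N -R <port>:host:port shared@server".

# Print one authorized_keys line for a tenant's public key.
# $1 = the only port the tenant may bind with -R; rest = "type base64 [comment]".
restricted_key_line() {
  port=$1; shift
  # Accept a plain port number only: anything else (e.g. "*") would widen permitlisten.
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  # Re-split the key and refuse any options the tenant supplied, so they
  # cannot re-enable a pty, agent forwarding or a command of their own.
  set -- $*
  [ $# -ge 2 ] || return 1
  case $1 in ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-ssh-*|sk-ecdsa-*) ;; *) return 1 ;; esac
  keytype=$1 keybody=$2; shift 2
  # restrict   : no pty, no X11/agent forwarding, no user rc
  # port-forwarding : re-enables only forwarding after restrict
  # permitlisten    : pins the -R bind address/port, so tenants on the shared
  #                   uid cannot take over each other's ports
  # command=   : runs only if a shell/exec is requested, and exits at once
  printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s %s %s\n' \
    "$port" "$keytype" "$keybody" "${*:-tenant-$port}"
}

# Audit an authorized_keys file for the shared uid: every key line must start
# with restrict and carry a permitlisten (the form emitted above); an
# unconfined line would let that tenant bind any port or request a pty.
# Prints offending lines and returns 1 if any were found.
audit_authorized_keys() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    case $line in
      restrict,*permitlisten=*) ;;
      *) printf 'unconfined: %s\n' "$line"; bad=1 ;;
    esac
  done < "$1"
  return $bad
}
```

To cover the chroot and rlimit part of the reply as well, pair this with a `Match User` block for the shared uid in sshd_config (`ChrootDirectory`, `AllowTcpForwarding remote`, `PermitTTY no`); that pairing is my suggestion, not something the thread spells out.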