Re: Creating / Removing users "on the fly"

On 06/02/15 16:53, Cary FitzHugh wrote:
> I've got a situation where I have a very large number of "users", one
> where I can't be sure all my user accounts would fit on a single machine.
>
> Additionally - all the users are going to do is set up reverse tunnels.
> They can only auth via the authorized_keys as well.  And they don't

They don't what? Execute commands?

It sounds to me as though you could perhaps give them all access to the same unprivileged uid (similar to the way all git pushes to github go via ssh://git@xxxxxxxxxx), and use "forced commands" in the authorized_keys file to restrict them to setting up port-forwarding but not terminals, command execution or whatever. Confining that unprivileged uid to a very restrictive chroot or container would probably also be a good idea. No PAM required, except possibly for rlimits and chroot.

Related:
http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding

    S

--
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
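An added example, not part of the original message: with many keys sharing one unprivileged uid as suggested above, every authorized_keys entry has to carry the restrictions, so this sketch parses each entry's options field and reports entries that allow more than a tunnel. It assumes an OpenSSH recent enough to support the `restrict` and `permitlisten` options; the function names and the sample file are constructed for illustration.

```python
import re

# Key-type prefixes: an entry starting with one of these has no options field.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# One option: a name, optionally ="value"; values may hold commas, spaces, \" escapes.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')
FEATURES = ("pty", "agent-forwarding", "x11-forwarding", "user-rc")

def parse_options(line):
    """Return {lowercased option name: value or None} for one authorized_keys entry."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}
    in_quotes, end = False, len(line)
    for i, ch in enumerate(line):  # the options field ends at the first unquoted space
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            end = i
            break
    return {m.group(1).lower(): m.group(2) for m in OPTION_RE.finditer(line[:end])}

def audit_entry(line):
    """List the ways this entry allows more than a restricted reverse tunnel."""
    opts = parse_options(line)
    findings = [] if "command" in opts else ["no forced command"]
    if "restrict" in opts:  # restrict disables everything; flag what is switched back on
        findings += [f"{f} re-enabled" for f in FEATURES if f in opts]
    else:  # without restrict, each feature must be disabled explicitly
        findings += [f"missing no-{f}" for f in FEATURES if f"no-{f}" not in opts]
    if "permitlisten" not in opts:
        findings.append("no permitlisten: any remote-forward port may be requested")
    return findings

def audit_file(text):
    """Map line number -> findings for every non-comment entry that has any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            found = audit_entry(line)
            if found:
                report[n] = found
    return report

# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = '''# tunnel-only shared account
restrict,port-forwarding,permitlisten="localhost:2201",command="/bin/false" ssh-ed25519 AAAA_PLACEHOLDER_1 user1
no-pty,command="echo a, b" ssh-ed25519 AAAA_PLACEHOLDER_2 user2
ssh-ed25519 AAAA_PLACEHOLDER_3 user3
'''
```

Calling `audit_file(SAMPLE)` reports lines 3 and 4 and passes line 2, the only entry that combines `restrict`, a forced command and a `permitlisten` limit.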



