Hi Simon, Thanks for suggesting some things. I've currently got a gitolite server running which does exactly those things. The difference is that on the git server, there are a few hundred users. On this application there could be MANY more.. Now - I haven't scaled that far yet, and don't want to over-engineer it too much. But if I can avoid the trouble later, I'd like to try. So - gitolite and those people just slap it in the authorized_keys file, and that file starts to get really long. So - I thought, ok, I'll use the SSH hook to call a script to get the authorized_keys. So that would work. But that only works if the user already exists on the system. If it doesn't - it doesn't even get as far as the SSH key authentication. Hence , the desire to try and find a way to "create" the user before I get to ssh. Someone just recenlty suggested something about https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html And maybe that will work... Not sure. This was what I saw: https://github.com/lnussel/pam_useradd And it sortof does what I wanted - it adds the user. I would not need to query for a password or anything, just get the keys from a webservice. But even in this - the user is still created in the users table... bleck. I'm digging into the NSS stuff more now.. We'll see. Thanks! Cary On Fri, Feb 6, 2015 at 1:05 PM, Simon McVittie <simon.mcvittie@xxxxxxxxxxxxxxx> wrote: > On 06/02/15 16:53, Cary FitzHugh wrote: >> >> I've got a situation where I have a very large number of "users", one >> where I can't be sure all my user accounts would fit on a single machine. >> >> Additionally - all the users are going to do is set up reverse tunnels. >> They can only auth via the authorized_keys as well. And they don't > > > They don't what? Execute commands? > > It sounds to me as though you could perhaps give them all access to the same > unprivileged uid (similar to the way all git pushes to github go via > ssh://git@xxxxxxxxxx), and use "forced commands" in the authorized_keys file > to restrict them to setting up port-forwarding but not terminals, command > execution or whatever. Confining that unprivileged uid to a very restrictive > chroot or container would probably also be a good idea. No PAM required, > except possibly for rlimits and chroot. > > Related: > http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding > > S > > -- > Simon McVittie > Collabora Ltd. <http://www.collabora.com/> > > _______________________________________________ > Pam-list mailing list > Pam-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/pam-list _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
