Balbir Singh

How can we configure pam.d in FreeBSD to allow login for a non-existent user?

How can we configure pam.d in FreeBSD to let a user log in using an ssh private/public key pair without having the user exist in /etc/passwd (like on a local system)? I mean the user is not created in the system, but authentication can be done via sshd's public/private key. Please let me know if there is a way.
Tags: Linux, FreeBSD


8/22/2022 - Mon
arnold

I do not think that is possible. The public key is added into authorized_keys in a user's ~/.ssh location.

Under what credentials and what home do you envision this to be?

What are you trying to do / set up, an effective backdoor into the system?
ste5an

Hmm, while I can imagine some scenarios, what is your use case?

Because when you "login" without a user, you'll just have a session to a process, but no shell or whatsoever, because this requires a user...
skullnobrains

You can use an external AuthorizedKeysCommand and have that command create the user on the fly.
David Favor

This is impossible.

And the workaround is simple.

For each user, say root for example, you can have any number of ssh keys plus any combination of commands inside your authorized_keys file, so you can do this... if I understand what you're trying to accomplish...

1) Set up a key for each user.

2) When they log in, if there's no COMMAND stanza associated with the key, they log in with full root privilege.

3) To restrict access, set COMMAND to some restricted shell or wrapper script.
Balbir Singh

ASKER
@skullnobrains
"You can use an external AuthorizedKeysCommand and have that command create the user on the fly."

I am able to use AuthorizedKeysCommand, but the user is not created on the fly. How do I get that done?
skullnobrains

Spawn the required adduser or useradd command within the script.
Balbir Singh

ASKER
It seems that if a user doesn't exist in the system, ssh doesn't execute AuthorizedKeysCommand and passes the authentication to PAM, so we need to keep the script in the PAM file. Below is my PAM file:

#
# $FreeBSD: releng/11.3/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            optional       pam_exec.so              /root/add_user.sh
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass



and the content of the /root/add_user.sh script:

#!/bin/sh
# Run by pam_exec during the auth phase; pam_exec passes the login name in PAM_USER.
# -w none gives the new account a blank password. The name is quoted so a login
# name with shell metacharacters cannot be split into extra pw arguments.
/usr/sbin/pw useradd "$PAM_USER" -s /usr/local/bin/bash -w none


Now when I run ssh newuser@my_host.com, newuser gets created in the system, but I do not get system access and it prompts me for the password. When I run it again it succeeds, thanks to ssh public/private key authentication.

How do I ssh as a non-existent user on the first try (create the user and log in with an empty password)?
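The behaviour reported above matches how OpenSSH orders things: the public-key method (and with it AuthorizedKeysCommand) is only attempted for a login name that already resolves to an account, while the password path still drives PAM for an unknown name using a placeholder passwd entry, so a pam_exec hook does run and can create the account, but sshd discards the result for that session because the name was unknown when it started. What AuthorizedKeysCommand is good for is serving keys for an account that does exist. The script below is an added example, not code from any poster; the directory /usr/local/etc/ssh/keys.d, the install path /usr/local/sbin/lookup-keys and the key file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: an AuthorizedKeysCommand that serves one file of public keys per
# login name. Matching sshd_config lines (the command path must be absolute,
# root-owned and not group/world-writable, and a run-as user is mandatory):
#
#   AuthorizedKeysCommand /usr/local/sbin/lookup-keys %u
#   AuthorizedKeysCommandUser nobody
#
# Assumed layout: one file per account under KEYDIR, readable by "nobody".
KEYDIR=/usr/local/etc/ssh/keys.d

# Print the public keys for one login name; exit non-zero (print nothing) otherwise.
# $1 = login name as passed by sshd via %u, $2 = directory holding the key files.
lookup_keys() {
    user=$1
    dir=$2
    # Only plain account names: no empty name, no leading dot, no characters
    # outside [A-Za-z0-9_.-], so the name cannot steer the lookup outside $dir.
    case $user in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -f "$dir/$user" ] || return 1
    # Pass through key lines only; drop blank lines and '#' comments.
    grep -Ev '^[[:space:]]*(#|$)' "$dir/$user"
}

# When installed as /usr/local/sbin/lookup-keys, sshd calls it with exactly one
# argument (the login name). Running the file with no arguments does nothing.
if [ $# -eq 1 ]; then
    lookup_keys "$1" "$KEYDIR"
fi
```

Because sshd never consults this command for a name that does not resolve, creating the account inside it cannot rescue the first login; the account must exist before the connection, which is what the shared-account approach in this thread provides.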
arnold

Line 8

What are you after?
ASKER CERTIFIED SOLUTION
skullnobrains

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Balbir Singh

ASKER
Thanks, I will give above a try.

My requirement is to let anyone access a specific box, so the username would not matter and the password is null. After login a script would be executed instead of the default shell.
skullnobrains

I guess these requirements can be achieved by having every user connect as the same user. The number of keys per user is not limited. The number of names per user id is not limited either.
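David Favor's answer (a command= stanza per key) and skullnobrains' point above (everyone connects as the same account, with as many keys as needed) describe one design. The script below is an added example of it, not code from any poster: it builds the restricted authorized_keys entry for a visitor's key, prints the sshd_config Match block that pins the shared account to a wrapper even if a bare key is appended later, and shows the wrapper itself. The account name "demo", the wrapper path /usr/local/bin/demo-session.sh and SAMPLE_PUBKEY (a constructed, non-working key) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: one fixed, shared account instead of an account created per
# connection. Each visitor's key goes into that account's authorized_keys with
# "restrict,command=..." so the key can only start the wrapper; a Match block in
# sshd_config forces the same wrapper regardless of key options.
SHARED_USER=demo
WRAPPER=/usr/local/bin/demo-session.sh
# Constructed sample key for the demonstration, not a real credential.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey00000000 visitor@example.org'

# Turn a raw "type blob [comment]" public key into a restricted authorized_keys
# entry. "restrict" disables pty, port/X11/agent forwarding and user rc files;
# command= replaces whatever the client asked for with $2 (the client's request
# is still visible to the wrapper in SSH_ORIGINAL_COMMAND).
restricted_key_line() {
    keyline=$1
    cmd=$2
    set -- $keyline          # split into type, blob and comment words
    [ $# -ge 2 ] || { echo "restricted_key_line: malformed key line" >&2; return 1; }
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "restricted_key_line: unsupported key type '$1'" >&2; return 1 ;;
    esac
    keytype=$1; blob=$2; shift 2; comment=$*
    printf 'restrict,command="%s" %s %s%s\n' "$cmd" "$keytype" "$blob" "${comment:+ $comment}"
}

# sshd_config fragment for the shared account. ForceCommand applies even to a key
# someone later appends without options; PermitTTY no and the forwarding settings
# repeat what "restrict" does at the key level.
sshd_match_block() {
    cat <<EOF
Match User $SHARED_USER
    ForceCommand $WRAPPER
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# The wrapper that runs instead of a shell. Anything other than the fixed menu
# is refused, so a visitor cannot pick a different command through the client.
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
case "${SSH_ORIGINAL_COMMAND:-status}" in
    status) uptime ;;
    *) echo "not permitted: $SSH_ORIGINAL_COMMAND" >&2; exit 1 ;;
esac
EOF
}

# One-time provisioning on the FreeBSD host (not executed when this file is run):
# the account keeps a real shell because sshd starts the forced command as
# "$SHELL -c command"; -w no leaves it without a password, keys only.
provision_shared_account() {
    pw useradd "$SHARED_USER" -m -s /bin/sh -w no
    install -d -o "$SHARED_USER" -g "$SHARED_USER" -m 700 "/home/$SHARED_USER/.ssh"
    restricted_key_line "$SAMPLE_PUBKEY" "$WRAPPER" >> "/home/$SHARED_USER/.ssh/authorized_keys"
    chown "$SHARED_USER" "/home/$SHARED_USER/.ssh/authorized_keys"
    chmod 600 "/home/$SHARED_USER/.ssh/authorized_keys"
    wrapper_script > "$WRAPPER"
    chmod 755 "$WRAPPER"
}

# Standalone run: show the pieces an admin would install.
echo "# authorized_keys entry:"
restricted_key_line "$SAMPLE_PUBKEY" "$WRAPPER"
echo "# sshd_config fragment:"
sshd_match_block
```

For the empty-password variant the asker describes, the Match block would need PasswordAuthentication yes and PermitEmptyPasswords yes, the account a blank password (pw -w none), and nullok on pam_unix as in the posted PAM file; ForceCommand still confines the session, but anyone who can reach the port then gets that session.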
Balbir Singh

ASKER
@skullnobrains

"with a null module or by making the add user a required module and returning false within the script"
I didn't get the above part; what is returning false here?

I am still trying to find out if, using PAM, we can do the following:

Once a request for password authentication comes for any user (even root), somehow change the USER from the requested user to a demo user; that user will have a null password, and in the auth facility nullok is already provided. So that user would be able to log in.

I understand the security concern of it, but I am wondering if this can be achieved using PAM.
SOLUTION
skullnobrains

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.