Balbir Singh
asked on
How can we configure pam.d in FreeBSD to allow login to a non-existent user?
How can we configure pam.d in FreeBSD to let a user log in using an ssh private/public key pair without having the user exist in /etc/passwd (like in the local system)? I mean the user is not created on the system, but authentication can be done via the public/private key of sshd. Please let me know if there is a way.
hmm, while I can imagine some scenarios, what is your use-case?
Because when you "login" without a user, then you'll just have a session to a process. But no shell or whatsoever, because this requires a user...
you can use an external AuthorizedKeysCommand and have that command create the user on the fly.
This is impossible.
And, the workaround is simple.
For each user, say root for example, you can have any number of ssh keys + any combination of commands inside your authorized_keys file, so you can do this... if I understand what you're trying to accomplish...
1) Set up a key for each user.
2) When they log in, if there's no COMMAND stanza associated with the key, they log in with full root privilege.
3) To restrict access, set COMMAND to some restricted shell or wrapper script.
ASKER
@skullnobrains
I am able to use AuthorizedKeysCommand, but the user is not created on the fly. How to get it done?
Spawn the required adduser or useradd command within the script.
ASKER
It seems like if a user doesn't exist in the system then ssh doesn't execute AuthorizedKeysCommand and passes the authentication to PAM, so we need to keep the script in the PAM file. Below is my PAM file
#
# $FreeBSD: releng/11.3/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth optional pam_exec.so /root/add_user.sh
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
and content of /root/add_user.sh script
#!/bin/sh
# pam_exec.so passes the name being authenticated in PAM_USER; create that
# account with bash as its shell and no password ("-w none").
/usr/sbin/pw useradd "$PAM_USER" -s /usr/local/bin/bash -w none
now when I ssh as ssh newuser@my_host.com then a newuser gets created in the system, but I do not get system access and it prompts me for the password. When I run it again, it succeeds due to ssh pub/private key authentication.
How to ssh as a non-existent user on the first attempt (create the user and log in with an empty password)?
Line 8
What are you after?
ASKER
Thanks, I will give above a try.
My requirement is to let anyone access a specific box, so the username would not matter and the password is null. After login a script would be executed instead of the default shell.
I guess these requirements can be achieved by having every user connect as the same user. The number of keys per user is not limited. The number of names per user id is not limited either.
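One way to implement the shared-account setup suggested above, and the "COMMAND stanza" restriction from the earlier answer (an added example, not code from this thread): a forced-command wrapper, assumed to be installed at /usr/local/bin/ssh-wrapper.sh, that every key in the shared account's authorized_keys runs instead of a shell and that refuses any request outside a fixed allow-list.

```shell
#!/bin/sh
# Forced-command wrapper for one shared, key-only account (constructed example).
# Assumed install path: /usr/local/bin/ssh-wrapper.sh. Each authorized key for the
# shared account points at it and drops the other SSH features, e.g.:
#
#   command="/usr/local/bin/ssh-wrapper.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... alice
#
# sshd then ignores whatever the client asked for and runs this script, passing
# the client's request in SSH_ORIGINAL_COMMAND. Nobody gets a shell.

# wrapper_dispatch REQUEST
#   Maps the client's request to a fixed allow-list. Returns 0 when the request
#   was served and 2 when it was refused (the refusal is logged via syslog).
wrapper_dispatch() {
    req="$1"
    case "$req" in
        ""|status)
            # Empty request = plain "ssh shared@host": run the default task.
            echo "status: ok"
            ;;
        uptime)
            uptime
            ;;
        *)
            # Anything else (shells, pipes, other binaries) is refused, not executed.
            logger -t ssh-wrapper \
                "refused request from ${SSH_CONNECTION:-unknown}: $req" 2>/dev/null || :
            echo "refused: $req" >&2
            return 2
            ;;
    esac
}

# Only dispatch when sshd runs this file as the forced command; sourcing the
# file (e.g. for tests) just defines the function.
case "${0##*/}" in
    ssh-wrapper.sh)
        wrapper_dispatch "${SSH_ORIGINAL_COMMAND:-}"
        exit $?
        ;;
esac
```

Because sshd substitutes the forced command for whatever the client requested, a key restricted this way can never reach the login shell, which is the point of the "restricted shell or wrapper script" advice above.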
ASKER
@skullnobrains
I am still trying to find out if using PAM we can do the following:
Once the request for password authentication comes for any user (even root), then somehow change the USER from the requested user to a demo user; that user will have a null password, and in the auth facility nullok is already provided. So that user would be able to log in.
I understand the security concern of it, but I am wondering if this can be achieved using PAM.
"with a null module or by making the add user a required module and returning false within the script"
I didn't get the above part, what is returning false here?
Under what credentials and what home do you envision this to be?
What are you trying to do/set up, an effective backdoor into the system?