
How can we configure pam.d in FreeBSD to allow login to a non-existent user?

Balbir Singh asked:
How can we configure pam.d in FreeBSD to let a user log in using an SSH private/public key pair without having the user exist in /etc/passwd (like in the local system)? I mean the user is not created in the system, but authentication can be done via the public/private key of sshd. Please let me know if there is a way.

Distinguished Expert 2019

I do not think that is possible. The public key is added into authorized_keys in a user's ~/.ssh location.

Under what credentials and what home do you envision this to be?

What are you trying to do/set up, an effective backdoor into the system?
ste5an, Senior Developer

Hmm, while I can imagine some scenarios, what is your use case?

Because when you "log in" without a user, you'll just have a session to a process. But no shell or whatsoever, because this requires a user...
You can use an external AuthorizedKeysCommand and have that command create the user on the fly.
David Favor, Fractional CTO
Distinguished Expert 2019

This is impossible.

And, the work around is simple.

For each user, say root for example, you can have any number of SSH keys + any combination of commands inside your authorized_keys file, so you can do this... if I understand what you're trying to accomplish...

1) Set up a key for each user.

2) When they log in, if there's no COMMAND stanza associated with the key, they log in with full root privilege.

3) To restrict access, set COMMAND to some restricted shell or wrapper script.
Balbir Singh, System Administrator


you can use an external AuthorizedKeysCommand and have that command create the user on the fly.

I am able to use AuthorizedKeysCommand, but the user is not created on the fly. How to get it done?
Spawn the required adduser or useradd command within the script.
Balbir Singh, System Administrator


It seems that if a user doesn't exist in the system then ssh doesn't execute AuthorizedKeysCommand and passes the authentication to PAM, so we need to keep the script in the PAM file. Below is my PAM file:

# $FreeBSD: releng/11.3/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
# PAM configuration for the "sshd" service

# auth
auth            optional       pam_exec.so              /root/add_user.sh
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


and the content of the /root/add_user.sh script:

#!/bin/sh
/usr/sbin/pw useradd "$PAM_USER" -s /usr/local/bin/bash -w none   # PAM_USER is exported by pam_exec(8); -w none sets a blank password


Now when I run ssh newuser@my_host.com, a newuser gets created in the system, but I do not get system access and it prompts me for the password. When I run it again, it succeeds due to ssh pub/private key authentication.

How to ssh as a non-existent user on the first try (create the user and log in with an empty password)?
Distinguished Expert 2019

Line 8

What are you after?
Hmm, my bad then. I was afraid the script would not run unless the user exists... and PAM runs AFTER pubkey authentication.

Try using either
AuthenticationMethods = keyboard-interactive, publickey
AuthenticationMethods = password, publickey
as an attempt to change the order

This should prompt for the password but allow the public key authentication to kick in AFTER PAM. If that works, you would then configure PAM to consider auth failed, either with a null module or by making the add-user module required and returning false within the script.


Side note: I am unsure what you are trying to achieve, but maintaining a list of user accounts across many machines is not much of a pain. I do not like my servers depending on LDAP or whatever external service (if that is your issue), so I simply sync keys and accounts using a shell script which runs from cron every few minutes.
Balbir Singh, System Administrator


Thanks, I will give the above a try.

My requirement is to let anyone access a specific box, so the username would not matter and the password is null. After login a script would be executed instead of the default shell.
I guess these requirements can be achieved by having every user connect as the same user. The number of keys per user is not limited. The number of names per user ID is not limited either.
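The shared-account approach recommended in the two replies above (one system user, each key in authorized_keys forced through a command instead of a shell) can be automated as follows. This is an added example, not code from the thread; the wrapper path /usr/local/bin/demo-wrapper.sh and the key blobs are assumptions, and the "restrict" keyword needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example (not from the thread): authorized_keys for the single shared
# account suggested above, every key forced through one wrapper, no shell.
WRAPPER=/usr/local/bin/demo-wrapper.sh   # assumed path of the login script

# restricted_key_line LINE: print LINE confined by sshd(8) "restrict" (no pty,
# no forwarding) plus command=$WRAPPER. Returns 1 and prints nothing unless
# LINE is a bare "<type> <base64> [comment]" key, so a contributed line cannot
# carry its own command= or other options.
restricted_key_line() {
    set -f                        # disable globbing while word-splitting
    set -- $1
    set +f
    case "${1:-}" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;            # first field must be a key type, not an option
    esac
    case "${2:-}" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # key blob must be pure base64
    esac
    ktype=$1; blob=$2; shift 2
    if [ $# -gt 0 ]; then
        printf 'restrict,command="%s" %s %s %s\n' "$WRAPPER" "$ktype" "$blob" "$*"
    else
        printf 'restrict,command="%s" %s %s\n' "$WRAPPER" "$ktype" "$blob"
    fi
}

# build_authorized_keys: candidate lines on stdin, file body on stdout,
# rejected lines on stderr; returns the number of rejections.
build_authorized_keys() {
    rejected=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        restricted_key_line "$line" || {
            rejected=$((rejected + 1))
            printf 'rejected: %s\n' "$line" >&2
        }
    done
    return "$rejected"
}

# Constructed sample; blobs are placeholders, not real keys. The second line
# tries to bring its own command= and must be rejected.
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY alice@example
command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY mallory@example
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY bob@example'
# Demo run; in production redirect the output to ~demo/.ssh/authorized_keys.
printf '%s\n' "$SAMPLE_KEYS" | build_authorized_keys || true
```

Because the options are prepended by the script rather than copied from the contributed line, a visitor cannot escape the wrapper by supplying a key line that already carries command= or a pty request.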
Balbir Singh, System Administrator



with a null module or by making the add user a required module and returning false within the script
I didn't get the above part; what is returning false here?

I am still trying to find out if, using PAM, we can do the following:

Once the request for password authentication comes for any user (even root), then somehow change the USER from the requested user to the demo user; that user will have a null password, and in the auth facility nullok is already provided. So that user would be able to log in.

I understand the security concern of it, but I am wondering if this can be achieved using PAM.
If your PAM module that creates the user is required and returns false after creating the user, sshd will consider the auth has failed and skip to the next mechanism. If the pubkey mechanism is tested after PAM, this should allow creating the user on the fly AND authenticating him with an SSH key.

Changing the user during the authentication process is not feasible, but you can quite easily change the root user to any other with su or sudo after authentication.

Your demo stuff is not a requirement. It's a bad and uselessly complex attempt at doing whatever you are trying to do. If you just want a demo account with no password, you probably should use the demo account. If you want something that is not based on a system user, you probably should not be using ssh at all.

That said, you can use PAM/NIS/LDAP and anything that provides a user backend to make the system believe all users actually exist and possibly map all of them to the same ID, which would be your demo user.