How can we configure pam.d in freebsd to allow login to non existent user?
How can we configure pam.d in freebsd to let a user login using ssh private/public key pair with having the user exist in /etc/passwd ( like in local system ). I meant user is not created in system but authentication can be done via public/private key of sshd. Pleas let me know if there is a way.
I do not think that is possible. The public key is added into aithorized_keys in a user's ~/.ssh location
Under what credentials and what home do you envision thus to be?
What are you trying to do/setup an effective backdoirc into the system?
Under what credentials and what home do you envision thus to be?
What are you trying to do/setup an effective backdoirc into the system?
hmm, while I can imagine some scenarios, what is your use-case?
Cause when you "login" without user, then you'll just have a session to a process. But no shell or whatsoever, cause this requires a user...
Cause when you "login" without user, then you'll just have a session to a process. But no shell or whatsoever, cause this requires a user...
This is impossible.
And, the work around is simple.
For each user, say root for example, you can have any number of ssh keys + any combination of commands inside your authorized_keys file, so you can do this... if I understand what you're trying to accomplish...
1) Setup a key for each user.
2) When they login, if there's no COMMAND stanza associated with the key, they login with full root privilege.
3) To restrict access, set COMMAND to some restricted shell or wrapper script.
And, the work around is simple.
For each user, say root for example, you can have any number of ssh keys + any combination of commands inside your authorized_keys file, so you can do this... if I understand what you're trying to accomplish...
1) Setup a key for each user.
2) When they login, if there's no COMMAND stanza associated with the key, they login with full root privilege.
3) To restrict access, set COMMAND to some restricted shell or wrapper script.
@skullnobrains
I am able to use AuthorizedKeysCommand but user is not created on the fly. How to get it done?
you can use an external AuthorizedKeysCommand and have that command create the user on the fly.
I am able to use AuthorizedKeysCommand but user is not created on the fly. How to get it done?
It seems like if a user doesn't exist in the system then ssh doesn't execute AuthorizedKeysCommand and pass the authentication to PAM so we need to keep script in PAM file. Below is my PAM file
and content of /root/add_user.sh script
now when I ssh as ssh newuser@my_host.com then a newuser gets created in the system but I do not get system access and it prompts me for the password. When I run it again then it succeed due to ssh pub/private key authentication
How to ssh as non-exist user in the first turn ( create the user and login as empty password)?
#
# $FreeBSD: releng/11.3/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth optional pam_exec.so /root/add_user.sh
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
and content of /root/add_user.sh script
#!/bin/sh
/usr/sbin/pw useradd $PAM_USER -s /usr/local/bin/bash -w none
now when I ssh as ssh newuser@my_host.com then a newuser gets created in the system but I do not get system access and it prompts me for the password. When I run it again then it succeed due to ssh pub/private key authentication
How to ssh as non-exist user in the first turn ( create the user and login as empty password)?
hmm, my bad then i was afraid the script would not run unless the user exists... and pam runs AFTER pubkey authentication
try using either
AuthenticationMethods = keyboard-interactive, publickey
or
AuthenticationMethods = password, publickey
as an attempt to change the order
this should prompt for the password but allow the public key authentication to kick in AFTER pam. if that works, you would then configure pam to consider auth failed, either with a null module or by making the add user a required module and returning false within the script
--
side note : i am unsure what you are trying to achieve but maintaining a list of user accounts across many machines is not much of a pain. i do not like my servers depending on ldap or whatever external service ( if that is your issue ) so i simply sync keys and accounts using a shell script which runs from cron every few minutes.
try using either
AuthenticationMethods = keyboard-interactive, publickey
or
AuthenticationMethods = password, publickey
as an attempt to change the order
this should prompt for the password but allow the public key authentication to kick in AFTER pam. if that works, you would then configure pam to consider auth failed, either with a null module or by making the add user a required module and returning false within the script
--
side note : i am unsure what you are trying to achieve but maintaining a list of user accounts across many machines is not much of a pain. i do not like my servers depending on ldap or whatever external service ( if that is your issue ) so i simply sync keys and accounts using a shell script which runs from cron every few minutes.
Thanks, I will give above a try.
My requirement is to let anyone access to a specific box so username would not matter and password is null. After login a script would be executed instead of default shell.
My requirement is to let anyone access to a specific box so username would not matter and password is null. After login a script would be executed instead of default shell.
i guess these requirements can be achieved by having every user connect as the same user. the number of keys per user is not limited. the number of names per user id is not limited either.
@skullnobrains
I am still trying to find out if using PAM we can do following
Once the request for password authentication comes for any user ( even root ) then somehow change the USER from requested user to demo user and that user will have null password and in auth facility nullok is already provided. So what user would be able to login.
I understand the security concern of it but wondering if this can be achieved using PAM
with a null module or by making the add user a required module and returning false within the scriptI didn't get above part, what is returning false here?
I am still trying to find out if using PAM we can do following
Once the request for password authentication comes for any user ( even root ) then somehow change the USER from requested user to demo user and that user will have null password and in auth facility nullok is already provided. So what user would be able to login.
I understand the security concern of it but wondering if this can be achieved using PAM
if your pam module that creates the user is required and returns false after creating the user, sshd will consider the auth has failed and skip to the next mechanism. if the pubkey mechanism is tested after pam, this should allow to create the user on the fly AND authenticate him with an ssh key.
changing the user during the authentication process is not feasible, but you can quite easily change the root user to any other with su or sudo after authentication.
your demo stuff is not a requirement. it's a bad and uselesly complex attempt at doing whatever you are trying to do. if you just want a demo account with no password, you probably should use the demo account. if you want something that is not based on a system user, you probably should no be using ssh at all.
that said, you can use pam/nis/ldap and anything that provides a user backend to make the system believe all users actually exist and possibly map all of them to the same id which would be your demo user.
changing the user during the authentication process is not feasible, but you can quite easily change the root user to any other with su or sudo after authentication.
your demo stuff is not a requirement. it's a bad and uselesly complex attempt at doing whatever you are trying to do. if you just want a demo account with no password, you probably should use the demo account. if you want something that is not based on a system user, you probably should no be using ssh at all.
that said, you can use pam/nis/ldap and anything that provides a user backend to make the system believe all users actually exist and possibly map all of them to the same id which would be your demo user.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial