ssh login using public keys for users that do not (yet) exist

The simple answer is that you can't do this without writing your own plugin for PAM.

Depending on your business needs, it may actually make more sense to hook the box to an LDAP backend for the user database.

To get a little more specific, sshd is going to look to PAM to authenticate the user. If the user database doesn't have a record, the user will be set to unknown, which is going to create a nightmare of an experience for the user. Further, there is no PAM module that I'm familiar with that will take the username supplied by sshd and create a record of it in passwd.


FreeIPA together with SSSD may be the right answer to your question: keep the user database in one place (FreeIPA) and let the workstation consult it (SSSD) for user information and create the home directories for them on the fly (pam_mkhomedir). FreeIPA even lets you keep ssh public keys in the database; you don't have to enroll them on each and every workstation.
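As an added illustration (not part of either answer), these are the configuration pieces that realize the FreeIPA/SSSD setup on a client workstation: sshd fetches the user's public keys through SSSD instead of from a local `authorized_keys` file, and PAM creates the home directory on first login. Paths assume a Debian-style PAM layout and SSSD's stock `sss_ssh_authorizedkeys` helper.

```text
# /etc/ssh/sshd_config (client workstation)
# Ask SSSD for the user's public keys stored in FreeIPA; sshd runs the
# helper as the unprivileged account named in AuthorizedKeysCommandUser.
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# /etc/pam.d/common-session (Debian/Ubuntu; RHEL-style systems put the
# session stack in /etc/pam.d/system-auth instead)
# Create the home directory on first login; umask=0077 keeps it private.
session required pam_mkhomedir.so skel=/etc/skel umask=0077
```

On an enrolled host, `ipa-client-install --mkhomedir` writes equivalent settings for you; these fragments are what to check when a FreeIPA user can be resolved with `getent passwd` but the key login still fails.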

Tags: ssh