11

In Linux (e.g., Ubuntu 18.04), how can I configure sshd to allow logins using public keys for OS users that do not yet exist?

For example:

  1. On server: /etc/ssh/sshd_config has AuthorizedKeysFile: /etc/ssh/keys/%u

  2. sudo mkdir -p /etc/ssh/keys

  3. sudo tee /etc/ssh/keys/foo <<< "$(cat id_rsa.pub)"

  4. sudo systemctl restart sshd

  5. On client: ssh foo@server

In this scenario, the server does NOT have a foo account in /etc/passwd, but I'd like to create one automatically and then use pam_mkhomedir to create its home directory -- all because the user can successfully authenticate using a public key.

My attempt:

  1. /etc/pam.d/sshd comment out @include common-auth (makes no difference since public keys reportedly bypass this anyway)

  2. /etc/pam.d/sshd comment out @include common-account (no difference)

  3. /etc/pam.d/sshd add, under #2, account required pam_permit.so (no difference)

  4. /etc/ssh/sshd_config LogLevel: DEBUG3 shows

debug1: userauth-request for user foo Invalid user foo from 192.168.0.8 port 62083 debug1: PAM: initializing for "foo" debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:kdI+ALYK88R6zAcoPAIyXctjCLgEkGodgieusIOay0c [preauth] debug2: userauth_pubkey: disabled because of invalid user [preauth]
Improve this question
4
  • 1
    The user is authenticating with their private key. The server requires the public key to verify that. Since you have the public key, why not create the user at that time? Commented Nov 5, 2019 at 7:19
  • @RogerLipscombe Presumably because there is not a 1:1 mapping between public keys and users. Commented Nov 5, 2019 at 13:55
  • @JonBentley OK. I wouldn't do it that way (because of revocation, mostly), but fair enough. Commented Nov 5, 2019 at 14:25
  • You're both right. The rationale is that we need to ssh into these hosts using Active Directory (AD) to provide their /etc/group and /etc/passwd entries. If I add user bar to AD, the Linux host doesn't have an /etc/passwd entry yet--i.e., the 1:1 mapping (public key to passwd entry) does not exist yet. We need a plugin for PAM like t3ddftw mentioned in his answer. Also, we can centralize ssh revocations through AD using Allow log on locally with the Linux hosts in an Organizational Unit (OU). The keypair is pre-auth (i.e., pre-PAM), but, for us, SSSD to AD is the "glue". Commented Nov 6, 2019 at 16:21

2 Answers 2

Reset to default
14

The simple answer is that you can't do this without writing your own plugin for PAM.

Depending on your business needs, it may actually make more sense to hook the box to an LDAP backend for the user database.

To get a little more specific, sshd is going to look to PAM to authenticate the user. If the user database doesn't have a record, the user will be set to unknown, which is going to create a nightmare of an experience for the user. Further, there is no PAM module that I'm familiar with that will take the username supplied by sshd and create a record of it in passwd.

Improve this answer
5

FreeIPA together with SSSD may be the right answer to your question: keep the user database in one place (FreeIPA) and let the workstation to consult it (SSSD) for user information and create the home directories for them on the fly (pam_mkhomedir). FreeIPA even lets you to keep ssh public keys in database, you don't have to enroll them to each and every workstation.

Improve this answer
3
  • Does FreeIPA/SSSD support creating a 'composite' directory where the majority of attributes would be for example retrieved from AD while SSH keys could be stored in a different directory for the same user? I'm thinking of the meta backend for OpenLDAP as an example. Commented Nov 6, 2019 at 0:03
  • I have no idea. I know there are some provisions to bridge FreeIPA and AD but I cannot say if they can do what you are asking for. Commented Nov 6, 2019 at 17:32
  • 2
    Yes, FreeIPA allows you to store overrides for AD users in itself. Overrides include POSIX attributes, SSH public keys, certificates, etc. See access.redhat.com/documentation/en-us/red_hat_enterprise_linux/… for more details. Commented Nov 7, 2019 at 9:35

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.