Question: Is it possible to change ssh behaviour to check for shell access authorisation before creating home directories? Bonus points for also showing the MOTD after shell authorisation, too.

Scenario: My linux users are controlled via SSSD pointed to AD.

I have a Ubuntu SFTP server with proftpd where my users are allowed to upload. Their chrooted upload directories are determined by group membership, not username. Users are not supposed to upload files into individual user home directories. They do not, and should not, have personal home directories on this server.

Here is my problem: If a user does attempt to log into the SFTP server with SSH, a local user directory is created before ssh rejects shell access.

  1. They should not have local home directories. (SFTP puts them in the correct upload directories for our automated processes to pick up the files and do the necessary work with them.)
  2. I cannot override their home directories in AD as they need them for other user servers.

I need SSH to deny access BEFORE creating any home directories. (Bonus if I can also print the MOTD after shell access has been authorised!) I cannot simply turn off home directory creation as other user groups who do have shell access will need their home directories created automatically.

Thank you!

1 Answer

Assuming you are talking about unwanted connections to OpenSSH (e.g. users reaching the wrong port), you should be able to use its AllowGroups/DenyGroups options to reject all forms of authentication before it reaches the PAM stage, or even Match blocks to prevent authentication from starting.

Beyond that, OpenSSH doesn't even have a built-in option to create home directories. Instead, most such behaviors are handled by PAM. Automatic home directory creation is handled either by pam_mkhomedir or possibly built-in to pam_sss as part of the "unified" SSSD daemon. Group membership is also generally checked by pam_sss or similar, but can be explicitly checked by pam_access or pam_succeed_if. Even the MOTD is typically printed by pam_motd.

So it should be possible to edit /etc/pam.d/sshd so that the first module called from the 'account' (authorization) stage is a pam_succeed_if user notingroup Foo followed by a pam_deny, without it ever reaching the "real" authorization modules.

The three PAM stages in order are 'auth' for password-based authentication (not called for public-key or other auth types), 'account' for authorization (i.e. access checks), and 'session' for session setup (home directory creation, MOTD printing, etc). Normally I'd expect pam_mkhomedir to be called only from the 3rd stage, well after the access checks have occurred, but it's not a strict rule and weirder things have been done.

  • (I hit enter too soon!!) As for using the AllowGroups / DenyGroups before authentication, I do need SSH to auth the users for proftpd (unless proftpd does not use sshd to perform sftp authentication?). Does this sound right: SSH calls PAM to do all of the initial authentication and authorisation. PAM has no way to determine that a user is allowed to log in via sftp but not to a shell, a success is a success, so it creates the home directory and prints the MOTD and passes control back to sshd. Sshd tries to launch a shell and cannot and the user is rejected. Does this sound correct? Commented Nov 11, 2024 at 18:59
  • There is no single thing called "SSH". There is OpenSSH which is your "regular" SSH/SFTP server with shell access, and then ProFTPd is a completely stand-alone SSH/SFTP server (SFTP-only) which does not involve OpenSSH. Both use PAM, but independently from each other, and may call different sets of PAM modules. Commented Nov 11, 2024 at 19:04
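As an added example (not the answer author's own configuration), here is a Debian/Ubuntu-style /etc/pam.d/sshd that applies the ordering the answer describes: the group is tested at the top of the account stage, and a denied user never reaches pam_sss or the session stage. The group name `sftponly` is an assumption, `UsePAM yes` must be set in sshd_config for the account stage to run at all, and ProFTPD is unaffected because it uses its own PAM service file.

```conf
# /etc/pam.d/sshd -- relevant lines only; Debian/Ubuntu layout assumed,
# group name "sftponly" is an assumption for this example.
@include common-auth

# Authorization happens BEFORE any session module runs.
# User NOT in sftponly  -> pam_succeed_if succeeds -> success=1 skips the
#                          pam_deny line and normal account checks continue.
# User IN sftponly      -> default=ignore falls through to pam_deny, and
#                          "requisite" aborts the stack immediately, so the
#                          session stage (pam_mkhomedir, pam_motd) never runs.
account [success=1 default=ignore] pam_succeed_if.so quiet user notingroup sftponly
account requisite                  pam_deny.so
@include common-account

# Session setup only executes for users who passed the account stage.
# Keep pam_mkhomedir in session (never auth/account) so a rejected user
# gets no home directory; pam-auth-update may instead place it in
# common-session, which is still after the account stage.
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
@include common-session
```

If the pamtester package is installed, `pamtester -v sshd <user> acct_mgmt` exercises only the account stage, so the deny can be confirmed for an sftponly member without opening a session or creating a directory.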