Creating / Removing users "on the fly"
Cary FitzHugh
cary.fitzhugh at gmail.com
Fri Feb 6 16:53:21 UTC 2015
Hi --
I've got a situation where I have a very large number of "users", one where
I can't be sure all my user accounts would fit on a single machine.
Additionally - all the users are going to do is set up reverse tunnels.
They can only auth via the authorized_keys as well. And they don't
I've looked around and a PAM module may be the ticket - hence my joining
the list.
Does anyone have a suggestion / direction for how to go about doing this?
I have found a few PAM modules which let you create users on the fly - but
I don't have a good way to clean them up after the fact.
My current "best guess":
* PAM module accepts any username and looks it up in a webservice for
keys.
* Changes the user to a uuid, creates the .authorized-keys file and drops
the keys in there.
* Somehow - knows when the ssh auth is completed, and removes the
directory.
My current "ideal":
* PAM module accepts any username and looks it up in a webservice for
keys.
* Puts those keys into a PAM env-var
* Changes the user to a standard, can't do anything but reverse tunnel
user
* somehow.. those authorized-keys :( gets put into the ssh workflow
Hoping someone had a suggestion.
Or maybe all of this is just a big misuse of PAM / SSH and I should just
write a server in Go or something that checks the keys, opens ports, etc.
Thanks for any thoughts!
Cary FitzHugh
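
The key-handling step from the "ideal" list above, as an added example that is not part of the original post: keys looked up for a username are validated as bare public keys and rendered as authorized_keys entries whose options leave only port forwarding. The lookup table, key material, per-user listen port and function names are constructed stand-ins for the webservice.

```python
import base64
import re
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def constructed_key(key_type, comment):
    # Constructed sample: valid wire framing, all-zero key bytes (not a real key).
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed stand-in for the webservice: username -> (listen port, key lines).
# The per-user listen port is an assumption, not something the post specifies.
FAKE_DIRECTORY = {
    "device-0001": (20001, [constructed_key("ssh-ed25519", "device-0001")]),
    "device-0002": (20002, ['command="/bin/sh" ssh-ed25519 AAAA injected',
                            constructed_key("ssh-ed25519", "ok\nssh-rsa AAAA x")]),
}

def parse_public_key(line):
    """Return (type, base64) for a bare, well-formed key line, else None."""
    if "\n" in line or "\r" in line:
        return None  # an embedded newline would smuggle in a second entry
    fields = line.split()
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return None  # also rejects lines that start with their own options
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or blob[4:4 + n] != fields[0].encode():
        return None  # blob's embedded type must match the declared type
    return fields[0], fields[1]

def render_entries(username):
    """authorized_keys lines for username; forwarding only, on its own port."""
    if not USERNAME_RE.fullmatch(username) or username not in FAKE_DIRECTORY:
        return []
    port, keys = FAKE_DIRECTORY[username]
    # restrict turns everything off; port-forwarding re-enables forwarding;
    # permitlisten pins the -R listen address. Limiting -L needs permitopen.
    opts = f'restrict,port-forwarding,permitlisten="localhost:{port}"'
    parsed = [p for p in map(parse_public_key, keys) if p]
    return [f"{opts} {t} {b64} {username}" for t, b64 in parsed]

if __name__ == "__main__":
    print("\n".join(render_entries("device-0001")))
```

The original key comment is dropped and replaced with the validated username, so nothing the lookup returns after the base64 field reaches the file.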