
Creating / Removing users "on the fly"



Hi --

I've got a situation where I have a very large number of "users", one where I can't be sure all my user accounts would fit on a single machine. 

Additionally - all the users are going to do is set up reverse tunnels.  They can only auth via the authorized_keys as well.  And they don't 

I've looked around and a PAM module may be the ticket - hence my joining the list.

Does anyone have a suggestion / direction for how to go about doing this?

I have found a few PAM modules which let you create users on the fly - but I don't have a good way to clean them up after the fact.

My current "best guess":
  * PAM module accepts any username and looks it up in a webservice for keys.
  * Changes the user to a uuid, creates the .authorized-keys file and drops the keys in there.
  * Somehow - knows when the ssh auth is completed, and removes the directory.

My current "ideal":
  * PAM module accepts any username and looks it up in a webservice for keys.
  * Puts those keys into a PAM env-var
  * Changes the user to a standard, can't do anything but reverse tunnel user
  * somehow.. those authorized-keys :( gets put into the ssh workflow

Hoping someone had a suggestion.  

Or maybe all of this is just a big misuse of PAM / SSH and I should just write a server in Go or something that checks the keys, opens ports, etc.

Thanks for any thoughts!
Cary FitzHugh
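
The key-handling step of the "ideal" flow above, as an added example that is not part of the original post: keys returned by the lookup webservice are treated as untrusted, validated, and re-emitted with authorized_keys options that limit the shared account to one reverse-tunnel listen port. Assumptions: the function names, the sample key and port are constructed for illustration, and the output lines are what sshd reads for the shared account (for example from an `AuthorizedKeysCommand` helper).

```python
import base64
import binascii
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

# Constructed sample: a well-formed ed25519 blob with an all-zero key body.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
).decode()


def check_key(line):
    """Return (type, base64 blob) for a bare public key line, else raise ValueError."""
    fields = line.split()
    # A bare key starts with its type. Anything else means the lookup service
    # supplied its own options (command=, permitopen=, ...), which we refuse.
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("not a bare public key")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("bad base64") from exc
    # SSH wire format: the blob begins with uint32 length + key type name.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared type does not match blob")
    return key_type, blob_b64


def render_authorized_keys(lines, listen_port):
    """Build authorized_keys lines that only permit one remote-forward listener."""
    if not 1024 <= listen_port <= 65535:
        raise ValueError("listen port out of range")
    # restrict turns every feature off; port-forwarding turns forwarding back on;
    # permitlisten pins the -R listener; the forced command blocks exec requests.
    opts = ('restrict,port-forwarding,command="/bin/false",'
            f'permitlisten="localhost:{listen_port}"')
    out = []
    for line in lines:
        try:
            key_type, blob = check_key(line)
        except ValueError:
            continue  # drop anything malformed rather than pass it to sshd
        # Only type and blob are re-emitted; the comment field is discarded.
        out.append(f"{opts} {key_type} {blob}")
    return out
```
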


