
Re: Creating / Removing users "on the fly"



On 06/02/15 16:53, Cary FitzHugh wrote:
> I've got a situation where I have a very large number of "users", one
> where I can't be sure all my user accounts would fit on a single machine.
>
> Additionally - all the users are going to do is set up reverse tunnels.
> They can only auth via the authorized_keys as well.  And they don't

They don't what? Execute commands?

It sounds to me as though you could perhaps give them all access to the same unprivileged uid (similar to the way all git pushes to github go via ssh://git@github.com), and use "forced commands" in the authorized_keys file to restrict them to setting up port-forwarding but not terminals, command execution or whatever. Confining that unprivileged uid to a very restrictive chroot or container would probably also be a good idea. No PAM required, except possibly for rlimits and chroot.

Related:
http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding

    S

--
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
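
The shared-uid, forced-command setup suggested in this reply, as an added example that is not part of the original message: it builds one restricted authorized_keys line per key and audits existing lines for missing restrictions. It assumes an OpenSSH release newer than this thread that supports the `restrict` and `permitlisten` key options; the function names, the sample key and the port are constructed for illustration.

```python
import re

# Constructed sample key (placeholder blob, not a real key).
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleOnly tunnel-user-1"
KEYTYPES = ("ssh-", "ecdsa-", "sk-")
# name or name="value"; the value may hold commas and \" escapes
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def tunnel_entry(pubkey, port):
    """authorized_keys line allowing one remote forward (ssh -N -R) and nothing else."""
    if "\n" in pubkey or "\r" in pubkey or not pubkey.startswith(KEYTYPES):
        raise ValueError("not a single-line public key")  # blocks injected extra entries
    if not 1024 <= int(port) <= 65535:
        raise ValueError("port outside unprivileged range")
    # restrict: no pty/agent/X11/forwarding/rc; port-forwarding re-enables forwarding;
    # permitlisten pins the -R listener; command= covers any session request.
    return (f'restrict,port-forwarding,permitlisten="localhost:{int(port)}",'
            f'command="/bin/false" {pubkey}')

def parse_options(line):
    """Options of one authorized_keys line as a dict (bare flags map to True)."""
    opts, pos = {}, 0
    if line.startswith(KEYTYPES):          # line has no options field
        return opts
    while True:
        m = OPT.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        pos = m.end()
        if line[pos:pos + 1] != ",":
            return opts
        pos += 1

def audit(line):
    """Return what a tunnel-only key line is missing."""
    opts, missing = parse_options(line), []
    if "command" not in opts:
        missing.append("forced command")
    if not (opts.keys() & {"restrict", "no-pty"}):
        missing.append("pty restriction")
    if "permitlisten" not in opts:
        missing.append("permitlisten")
    return missing

if __name__ == "__main__":
    print(tunnel_entry(SAMPLE_KEY, 20001))
    print(audit(SAMPLE_KEY))  # a bare key fails every check
```

Because `/bin/false` is the forced command, clients must connect with `ssh -N -R ...` so that no session is requested and the forward stays up.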

