Best practices for "pure" remote accounts
James Yu Wang
yuwang at cs.fsu.edu
Thu Oct 19 12:03:21 UTC 2023
Hello,
Since you only care about username, uid, gid, and login shell (management
CLI), if you only have one appliance, then just use the /etc/passwd file
with pam_unix. If you have multiple appliances, then consider centralized
authentication and authorization like LDAP with pam_sss.
James
-----Original Message-----
From: Pam-list <pam-list-bounces at redhat.com> On Behalf Of Philip Prindeville
Sent: Wednesday, October 18, 2023 1:04 PM
To: pam-list at redhat.com
Subject: Best practices for "pure" remote accounts
Hi,
I was wondering what the conventional wisdom is in the following scenario...
I'm working on a downstream distro that uses Debian/Ubuntu bases, and we
allow users to log into an appliance (or "server", if you prefer, but not
really). For now we have to go ahead and create a placekeeper account with
no password for each user for LDAP or Radius authentication to work, but I
saw some articles on stackoverflow and elsewhere talking about "authconfig"
and "nslcd", etc.
Our requirements are such that having a "seed" user that everyone gets
cloned as is fine, so they can inherit that uid, gid, and (nonexistent) home
directory as they won't be dropping into a shell but into a management CLI
instead.
We just need to be able to tell them apart by username.
And we can block access to scp/sftp if needed for that uid/gid so we don't
have to worry about them creating files since they don't have a home
directory of their own.
How is this typically solved in the most lightweight way possible?
Thanks,
-Philip
_______________________________________________
Pam-list mailing list
Pam-list at redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
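The single-appliance route James suggests (local /etc/passwd entries, remote authentication through PAM) is easy to get subtly wrong, so here is an added audit script that is not part of the thread: it checks that every account cloned from the seed uid keeps the seed gid, has no home directory, uses the management CLI as its shell, and has a locked rather than empty local password. The CLI path, the seed uid/gid and the passwd/shadow samples are constructed for the example.

```python
# Added example, not from the thread: audit passwd/shadow for "pure remote"
# accounts sharing one seed uid/gid and a management CLI shell. Sample data,
# the CLI path and the seed uid/gid below are constructed, not real.
MGMT_SHELL = "/usr/sbin/mgmt-cli"
SEED_UID, SEED_GID = 2000, 2000
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
seed:x:2000:2000:remote seed:/nonexistent:/usr/sbin/mgmt-cli
alice:x:2000:2000::/nonexistent:/usr/sbin/mgmt-cli
bob:x:2000:2000::/home/bob:/bin/bash
carol:x:2000:100::/nonexistent:/usr/sbin/mgmt-cli
"""
SHADOW = """\
root:$6$saltsalt$hashhash:19600:0:99999:7:::
seed:!:19600:0:99999:7:::
alice:!:19600:0:99999:7:::
bob::19600:0:99999:7:::
carol:*:19600:0:99999:7:::
"""

def parse_colon_file(text):  # {name: fields} for a colon-separated file
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = fields
    return out

def audit(passwd_text=PASSWD, shadow_text=SHADOW):
    """Return (user, problem) pairs for accounts cloned from the seed uid. A
    clone must keep the seed gid, no home, the management CLI as shell and a
    locked local password, so only PAM's remote backend can authenticate it."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, f in passwd.items():
        if int(f[2]) != SEED_UID:
            continue                     # not a remote account
        if int(f[3]) != SEED_GID:
            findings.append((user, "gid differs from seed gid"))
        if f[5] != "/nonexistent":
            findings.append((user, "has a home directory"))
        if f[6] != MGMT_SHELL:
            findings.append((user, "shell is not the management CLI"))
        pw = shadow.get(user, ["", ""])[1]
        # Empty is not "no password": pam_unix nullok would let the user in
        # without one. A locked account has "!" or "*" in this field.
        if not (pw.startswith("!") or pw == "*"):
            findings.append((user, "local password not locked"))
    return findings
```

Because all clones share one uid, anything keyed on uid (file ownership, process accounting) cannot tell them apart; the username from the PAM session is the only distinguishing record, so log it.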