Allowing user w/out local account to log in - SSH


Thread: Allowing user w/out local account to log in

  1. Allowing user w/out local account to log in

    Greetings,

    This is probably an easy question for you experts, but I'm not one of
    you!

    We want to allow any user to remotely SSH into our server. They won't
    have an account on the server. We plan on using PAM to "redirect" all
    SSH requests to a particular command-line application. The username
    will be passed along to this application which will verify if it's OK
    to proceed.

    I have a bare-bones PAM module that supports all four services; right
    now it gives success to all of them. However, I see SSH failing out
    when an unknown user attempts to connect, even though my PAM module's
    'pam_sm_authenticate' gets called. Here's the syslog output (my
    module is outputting the last line):

    Apr 9 21:28:23 nemi-011 sshd[1467]: WARNING: /etc/ssh/moduli does not
    exist, using fixed modulus
    Apr 9 21:28:23 nemi-011 sshd[1467]: Invalid user bob from xx.xx.xx.xx
    Apr 9 21:28:23 nemi-011 sshd[1467]: pam_sm_authenticate

    So how would one allow a user that did not have a local account to get
    access?

    Thank you.

  2. Re: Allowing user w/out local account to log in

    On 10 Apr, 22:56, ltdill...@gmail.com wrote:
    > Greetings,
    >
    > This is probably an easy question for you experts, but I'm not one of
    > you!
    >
    > We want to allow any user to remotely SSH into our server. They won't
    > have an account on the server. We plan on using PAM to "redirect" all
    > SSH requests to a particular command-line application. The username
    > will be passed along to this application which will verify if it's OK
    > to proceed.
    >
    > I have a bare-bones PAM module that supports all four services; right
    > now it gives success to all of them. However, I see SSH failing out
    > when an unknown user attempts to connect, even though my PAM module's
    > 'pam_sm_authenticate' gets called. Here's the syslog output (my
    > module is outputting the last line):
    >
    > Apr 9 21:28:23 nemi-011 sshd[1467]: WARNING: /etc/ssh/moduli does not
    > exist, using fixed modulus
    > Apr 9 21:28:23 nemi-011 sshd[1467]: Invalid user bob from xx.xx.xx.xx
    > Apr 9 21:28:23 nemi-011 sshd[1467]: pam_sm_authenticate
    >
    > So how would one allow a user that did not have a local account to get
    > access?
    >
    > Thank you.


    Why aren't you using multiple SSH keys for the same user account on
    the server? And if you only want file sharing, not shell access, I'd
    suggest using WebDAV over HTTPS instead. OpenSSH, at least, does not
    have good chroot capability built in to isolate the users from the
    operating system.
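
The multiple-keys-on-one-account suggestion in the reply above, sketched as an added example that is not part of the thread: each person's public key is listed in the shared account's authorized_keys and pinned, using OpenSSH's `command=` and `restrict` key options, to an application that receives that person's name. The path in `GATEKEEPER`, the `make_entry` helper and the key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build authorized_keys lines for ONE shared account so that
# every key is pinned to a forced command which receives the key owner's name.
# GATEKEEPER is a hypothetical path standing in for the poster's application.
GATEKEEPER=/usr/local/bin/gatekeeper

# make_entry NAME KEYTYPE KEYBLOB
# Prints one authorized_keys line, or returns 1 if any field is unsafe.
make_entry() {
    name=$1
    ktype=$2
    blob=$3
    # The name is placed inside a quoted command string and passed as an
    # argument: allow a conservative character set only, and no leading "-"
    # so it can never be read as an option by the application.
    case $name in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad name: $name" >&2; return 1 ;;
    esac
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) echo "bad key type: $ktype" >&2; return 1 ;;
    esac
    # Base64 body only; rejects embedded spaces, quotes and newlines that
    # would otherwise let a submitted "key" smuggle in its own options.
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "bad key blob for $name" >&2; return 1 ;;
    esac
    # restrict: no pty and no port, agent or X11 forwarding (OpenSSH 7.2+);
    #           use "restrict,pty" if the application needs a terminal.
    # command=: sshd runs this instead of whatever the client requested; the
    #           client's own request is left in $SSH_ORIGINAL_COMMAND.
    printf 'restrict,command="%s %s" %s %s %s\n' \
        "$GATEKEEPER" "$name" "$ktype" "$blob" "$name"
}

# Constructed sample input (not a real key): one line for the user "bob".
make_entry bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly
```

The printed lines go into the shared account's `~/.ssh/authorized_keys`; removing a person's access means deleting their line.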

  3. Re: Allowing user w/out local account to log in

    > Why aren't you using multiple SSH keys for the same user account on
    > the server? And if you only want file sharing, not shell access, I'd
    > suggest using WebDAV over HTTPS instead. OpenSSH, at least, does not
    > have good chroot capability built in to isolate the users from the
    > operating system.


    Valid points, I'm sure. However, I'd just like to find out what SSH is
    really doing WRT checking out the client, and can I disable that check
    somehow. I want to let everything pass on to the application.

    Thanks.
