In Linux (e.g., Ubuntu 18.04), how can I configure sshd to allow logins using public keys for OS users that do not yet exist?

For example:
On server: /etc/ssh/sshd_config has

    AuthorizedKeysFile: /etc/ssh/keys/%u

    sudo mkdir -p /etc/ssh/keys
    sudo tee /etc/ssh/keys/foo <<< "$(cat id_rsa.pub)"
    sudo systemctl restart sshd

On client: ssh foo@server
In this scenario, the server does NOT have a foo account in /etc/passwd, but I'd like to create one automatically and then use pam_mkhomedir to create its home directory -- all because the user can successfully authenticate using a public key.
My attempt:

1. /etc/pam.d/sshd: comment out "@include common-auth" (makes no difference since public keys reportedly bypass this anyway)
2. /etc/pam.d/sshd: comment out "@include common-account" (no difference)
3. /etc/pam.d/sshd: add, under #2, "account required pam_permit.so" (no difference)
4. /etc/ssh/sshd_config: LogLevel: DEBUG3 shows
debug1: userauth-request for user foo
Invalid user foo from 192.168.0.8 port 62083
debug1: PAM: initializing for "foo"
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:kdI+ALYK88R6zAcoPAIyXctjCLgEkGodgieusIOay0c [preauth]
debug2: userauth_pubkey: disabled because of invalid user [preauth]
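The DEBUG3 output above is also what the server's auth log records for every key-based attempt against an account the user database does not know. As an added example that is not part of the original question or its answers, the POSIX shell snippet below pulls the user name and source address out of such "Invalid user" lines and counts repeats per source, which is the signal a defender uses to tell a mis-provisioned account (one key, one host, as in the question) from a client probing for names. The log excerpt inside it is constructed to match the question's output; the SHA256 fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original question or answers): scan sshd log
# lines for public-key attempts against accounts that do not exist, the
# "Invalid user ... / disabled because of invalid user" pattern in the
# question's DEBUG3 output. The sample lines below are constructed.

# Constructed sample log excerpt modelled on the question's output.
SAMPLE_LOG='debug1: userauth-request for user foo
Invalid user foo from 192.168.0.8 port 62083
debug1: PAM: initializing for "foo"
debug2: userauth_pubkey: disabled because of invalid user [preauth]
debug1: userauth-request for user alice
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:PLACEHOLDERFINGERPRINT [preauth]
Accepted publickey for alice from 192.168.0.9 port 50000 ssh2
Invalid user foo from 192.168.0.8 port 62084
Invalid user bar from 10.0.0.5 port 41000'

# invalid_users: read log lines on stdin, print "user<TAB>ip" for each
# "Invalid user" event. match() is used so a syslog timestamp/hostname
# prefix in front of the message does not matter.
invalid_users() {
    awk '{
        if (match($0, /Invalid user [^ ]+ from [^ ]+/)) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            print f[3] "\t" f[5]
        }
    }'
}

# invalid_user_count: number of "Invalid user" events on stdin (0 for none).
invalid_user_count() {
    invalid_users | awk 'END { print NR }'
}

# invalid_user_summary: "count user ip" per user/ip pair, most frequent first.
invalid_user_summary() {
    invalid_users | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Usage on the constructed excerpt; in practice feed it journalctl -u ssh
# output or /var/log/auth.log instead.
printf '%s\n' "$SAMPLE_LOG" | invalid_user_summary
```

Run against the real auth log, a single user name from a single address (the question's foo from 192.168.0.8) points at an account that was never created, while many different names from one address is the pattern worth alerting on.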
The simple answer is that you can't do this without writing your own plugin for PAM. Depending on your business needs, it may actually make more sense to hook the box to an LDAP backend for the user database.

To get a little more specific, sshd is going to look to PAM to authenticate the user. If the user database doesn't have a record, the user will be set to unknown, which is going to create a nightmare of an experience for the user. Further, there is no PAM module that I'm familiar with that will take the username supplied by sshd and create a record of it in passwd.

FreeIPA together with SSSD may be the right answer to your question: keep the user database in one place (FreeIPA) and let the workstation consult it (SSSD) for user information and create the home directories for them on the fly (pam_mkhomedir). FreeIPA even lets you keep ssh public keys in its database, so you don't have to enroll them on each and every workstation.
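As an added example, and not code from the question, the answers, FreeIPA or SSSD: sshd resolves the login name through NSS before public-key authentication runs, so pam_mkhomedir can only act for an account the user database already returns (from SSSD, LDAP or a local entry). Once that is in place, the PAM session stack needs a pam_mkhomedir line, and the POSIX shell snippet below adds one idempotently and reports how many active lines are present afterwards. The PAM file contents, the temporary file it edits and the helper names are constructed for the demonstration; skel=/etc/skel and umask=0077 are pam_mkhomedir's documented options.

```shell
#!/bin/sh
# Added example, not from the original question or answers: make sure a PAM
# session stack creates missing home directories with pam_mkhomedir, as the
# FreeIPA/SSSD answer suggests. The functions take the file path to edit, so
# the demo runs on a constructed copy instead of /etc/pam.d/common-session.

MKHOMEDIR_LINE='session required pam_mkhomedir.so skel=/etc/skel umask=0077'

# Active (not commented-out) session lines that load pam_mkhomedir.so.
MKHOMEDIR_RE='^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so'

# has_mkhomedir FILE: succeed if FILE already loads pam_mkhomedir.so.
has_mkhomedir() {
    grep -Eq "$MKHOMEDIR_RE" "$1"
}

# ensure_mkhomedir FILE: append the pam_mkhomedir line once; running it
# again is a no-op, so it is safe in configuration management.
ensure_mkhomedir() {
    if has_mkhomedir "$1"; then
        return 0
    fi
    printf '%s\n' "$MKHOMEDIR_LINE" >> "$1"
}

# mkhomedir_count FILE: number of active pam_mkhomedir lines (0 when none;
# grep -c exits 1 on zero matches, hence the || true).
mkhomedir_count() {
    grep -Ec "$MKHOMEDIR_RE" "$1" || true
}

# Constructed stand-in for /etc/pam.d/common-session on a host where the
# module is present only as a commented-out line.
DEMO_PAM="$(mktemp)"
trap 'rm -f "$DEMO_PAM"' EXIT
cat > "$DEMO_PAM" <<'EOF'
# /etc/pam.d/common-session (constructed sample)
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session optional      pam_umask.so
session required      pam_unix.so
# session optional    pam_mkhomedir.so   <- commented out, so it does not count
EOF

ensure_mkhomedir "$DEMO_PAM"
ensure_mkhomedir "$DEMO_PAM"   # second run must not add a duplicate
echo "active pam_mkhomedir lines after two runs: $(mkhomedir_count "$DEMO_PAM")"
```

On a real host, run ensure_mkhomedir as root against /etc/pam.d/common-session (or the distribution's equivalent) and check the resulting module order: the directory has to be created after pam_unix.so has established the session, and appending puts it there. The umask of 0077 keeps the new home directory private to its owner.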