Hi all. I have a situation that I wonder someone may have run into - or has a direction I should dig / develop in.

Let's say I have a system with 1M "users". Their public keys are stored in a database, and I can access them via a web call. I have a few servers which should allow those users access.

Some constraints to make it non-crazy: the users can only reverse tunnel. They need no state / home directories, etc. I've set the command in sshd_config to just echo "Nyet". All they do is try to connect with

    ssh -R *:0:localhost:<local-port> user@server -N

(While I have you - is there any other way to know what port was allocated, except for parsing stderr?)

Some great help was in this url: http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding (for anyone looking for info about reverse forwarding).

I was planning on just having the AuthorizedKeysCommand take the username, look up the keys from the webservice, and return them. Easy!

The trouble is that the user isn't created on the machine beforehand. But I actually don't want the user created, b/c I don't want to litter all these servers with little user directories. Users may be transient as well - so littering the directories of these machines with tons of data just causes many other problems (running out of inodes, disk-space, etc).

Any ideas?

Thanks!
Cary
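One way to build the AuthorizedKeysCommand side of this plan, as an added example that is not from the thread: it takes the username sshd passes as %u, fetches bare key lines from an assumed web service URL (placeholder), drops anything that is not a plain public key line so the service cannot hand sshd its own key options, and prefixes each key with the forced-command restrictions the post describes. Note that sshd only runs the command for accounts that resolve via getpwnam(), so it replaces the authorized_keys file but does not remove the need for a passwd entry.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand helper (added example, not code from the thread).
Assumed sshd_config: AuthorizedKeysCommand /usr/local/bin/fetch_keys.py %u
                     AuthorizedKeysCommandUser nobody
sshd runs this only for accounts that resolve via getpwnam(), so the account
still has to exist (e.g. through NSS); this replaces authorized_keys, not passwd.
"""
import re
import sys
import urllib.request
KEY_SERVICE = "https://keys.example.invalid/users/{user}/keys"  # placeholder URL
# Strict username check before it is interpolated into the URL.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Bare key line: type, base64 blob, optional comment. Lines starting with
# options (command=, from=, ...) are rejected so the service cannot loosen them.
PUBKEY_RE = re.compile(
    r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))"
    r" ([A-Za-z0-9+/]+=*)(?: (\S.*))?$")
# Options we prepend: no shell/pty/agent/X11, forced command; -R forwarding stays.
RESTRICTIONS = 'no-pty,no-X11-forwarding,no-agent-forwarding,no-user-rc,command="echo Nyet"'

def fetch_keys(user):
    """Fetch raw key lines for user from the web service (network call)."""
    with urllib.request.urlopen(KEY_SERVICE.format(user=user), timeout=5) as resp:
        return resp.read().decode("utf-8", "replace").splitlines()

def build_authorized_keys(user, raw_lines):
    """Return the authorized_keys text sshd should see ('' = deny everything)."""
    if not USERNAME_RE.match(user):
        return ""
    out = []
    for line in raw_lines:
        m = PUBKEY_RE.match(line.strip())
        if not m:
            continue  # drop anything that is not a plain public key line
        keytype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        out.append(f"{RESTRICTIONS} {keytype} {blob} {comment}".rstrip())
    return "".join(l + "\n" for l in out)

# Constructed sample response: one valid key, one carrying unwanted options, junk.
SAMPLE_RESPONSE = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL0000000000000000000000 cary@laptop",
    'command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EEXAMPLE unwanted-options',
    "not a key at all",
]

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.stdout.write(build_authorized_keys(user, fetch_keys(user)))
```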
On Fri 2015-02-06 12:41:38 -0500, Cary FitzHugh wrote:
> The trouble is that the user isn't created on the machine beforehand.
> But I actually don't want the user created, b/c I don't want to litter
> all these servers with little user directories. Users may be
> transient as well - so littering the directories of these machines
> with tons of data just causes many other problems (running out of
> inodes, disk-space, etc).

If this is your only concern, most systems don't require that a user have a unique home directory at all. You could create a /home/nobody which is unusable by anyone, and populate the system's user table with users (maybe via some sensible nameservice switch module) pointing at that directory as their homedir.

In other words, i don't think this is an ssh problem, it can be solved directly in other parts of your OS.

--dkg
I guess I didn't want to litter the users table either - it just seems "wrong" to be actually adding things to the host when it is really so transient. It feels like it should be LDAP-ish. Just ask the server for the keys and do a one-off authentication. But I've seen even LDAP creates the user directories.

I see that 2.6 kernels can have some 4B users, which should last me a while. But it is a bit more work and plumbing to try to keep things in sync.

I'm a bit / very idealistic though - so I guess I'll keep rooting around. I'm ok writing a PAM module if that's what I needed. But I have a feeling there's a good bit more to it. And without someone who "knows" - that can be a very long rabbit trail :)

Hrm....

On Fri, Feb 6, 2015 at 12:52 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On Fri 2015-02-06 12:41:38 -0500, Cary FitzHugh wrote:
>> The trouble is that the user isn't created on the machine beforehand.
>> But I actually don't want the user created, b/c I don't want to litter
>> all these servers with little user directories. Users may be
>> transient as well - so littering the directories of these machines
>> with tons of data just causes many other problems (running out of
>> inodes, disk-space, etc).
>
> If this is your only concern, most systems don't require that a user
> have a unique home directory at all. You could create a /home/nobody
> which is unusable by anyone, and populate the system's user table with
> users (maybe via some sensible nameservice switch module) pointing at
> that directory as their homedir.
>
> In other words, i don't think this is an ssh problem, it can be solved
> directly in other parts of your OS.
>
> --dkg