6

I'm trying to set up sshd to do some funky things on a dedicated server. (Which is to say, don't worry about why I'm asking such a strange question; I'm just experimenting to see how I can abuse OpenSSH.)

I'd like to allow a user to log into the system using a made-up name. For instance:

$ ssh joeschmoe@crazysshserver.com

where there's no (UNIX) user on the system named joeschmoe.

When they connect, I'd like them to be logged in as a user which does exist, named guest, and have something in the environment set to joeschmoe so I know who they logged in as.

Is it possible to decouple the notions of UNIX-user and ssh-user?

  • is this helpful? - serverfault.com/questions/245033/… – LawrenceC Sep 5 '12 at 16:42
  • No, that's the config for ssh, the client. That would let the user type something different, but ultimately ask the server to log them in as a real user. I'm looking for a way for the client to ask to log in as a non-existent user, and have the server decide what user should own the shell that runs. – Peeja Sep 6 '12 at 3:30
  • You would have to monkey around with the systems authentication services (PAM?) to permit unknown users. Major undertaking. – Yedric Sep 17 '12 at 18:09
  • Yep. I'm fine with that. Assume I know how to write a PAM module. Is it possible? – Peeja Sep 17 '12 at 19:24
2

If you want to allow all users to login, you can skip the password check and instead create an account for them when they first attempt to login:

  1. Install libpam-script. For example:

    sudo apt-get install libpam-script

  2. In the auth section of /etc/pam.d/sshd, replace pam_unix.so with pam_script.so. Some Linux distributions will automatically make this change for you. For example, in Ubuntu 14.04, pam_script.so will be added to /etc/pam.d/common-auth which is included in /etc/pam.d/sshd.

  3. Create /usr/share/libpam-script/pam_script_auth with the following contents:

    #!/bin/bash
    # pam_script exports the login name as PAM_USER; create that account on first login
    adduser "$PAM_USER" --disabled-password --quiet --gecos ""
    exit 0

  4. Make the script executable via:

    chmod +x /usr/share/libpam-script/pam_script_auth

  5. Be happy.

  • 1
    Won't that add them as a UNIX user? I don't want them to create a new UNIX user; I want them to be logged in as guest. – Peeja Aug 24 '14 at 14:35
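A hardened version of the pam_script_auth hook from the steps above, added here as an example (it is not the answer's script nor part of the libpam-script project). It keeps the answer's design of creating the account on first login with no password check, but adds what the one-liner lacks: the login name has to be a plain lowercase identifier before it is handed to adduser, root and other system accounts are never admitted through this hook (with pam_unix.so removed from the auth section, the original script's unconditional exit 0 would otherwise let ssh root@host in without a password wherever PermitRootLogin allows it), and every decision is written to syslog so auto-created accounts can be audited. PAM_USER and PAM_RHOST are assumed to be the environment variables libpam-script exports to the script; the UID_MIN of 1000 for "system account" is an assumption taken from the usual Debian defaults.

```shell
#!/bin/bash
# Added example: a hardened pam_script_auth for libpam-script.
# exit 0 lets the login continue, any other status denies it.
set -u

UID_MIN=1000            # assumption: accounts below this UID are system accounts
NAME_MAX_LEN=32

# Accept only names that are safe to hand to adduser: start with a lowercase
# letter, 2..32 characters, and only [a-z0-9_-] after the first character.
valid_username() {
    local name="$1"
    [ "${#name}" -ge 2 ] && [ "${#name}" -le "$NAME_MAX_LEN" ] || return 1
    case "$name" in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case "$name" in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the UID of an existing account, or fail if there is none.
lookup_uid() {
    local entry
    entry=$(getent passwd "$1" 2>/dev/null) || return 1
    printf '%s\n' "$entry" | cut -d: -f3
}

# Classify a login name without side effects, so the policy can be tested
# without calling adduser:
#   reject - malformed name, root, or another system account
#   exists - a regular account is already present; let the login proceed
#   create - no such account yet; safe to create it
decide() {
    local name="$1" uid
    valid_username "$name" || { echo reject; return 0; }
    [ "$name" != root ] || { echo reject; return 0; }   # even if getent is unavailable
    if uid=$(lookup_uid "$name"); then
        if [ "$uid" -lt "$UID_MIN" ]; then echo reject; else echo exists; fi
        return 0
    fi
    echo create
}

# The actual PAM hook. PAM_USER / PAM_RHOST: assumed to be set by pam_script.
main() {
    local name="${PAM_USER:-}" rhost="${PAM_RHOST:-unknown}"
    case "$(decide "$name")" in
        exists)
            logger -t pam_script_auth "login '$name' from $rhost (existing account)"
            exit 0 ;;
        create)
            logger -t pam_script_auth "creating account '$name' for $rhost"
            adduser "$name" --disabled-password --quiet --gecos "" || exit 1
            exit 0 ;;
        *)
            logger -t pam_script_auth "rejected login name '$name' from $rhost"
            exit 1 ;;
    esac
}

# Only act as the PAM hook when installed under the libpam-script name;
# run or sourced under any other name the file just defines the helpers.
case "$0" in
    */pam_script_auth) main ;;
esac
```

Install it at /usr/share/libpam-script/pam_script_auth and make it executable as in step 4; the decide function can be exercised from an interactive shell by sourcing the file. Note that it still grants passwordless logins to every regular account name that already exists, which is inherent to replacing pam_unix.so in the auth stack as step 2 describes, so the server's other auth controls (key-only access, firewalling) carry the whole load.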
2

I've been working on quite a similar case. In my case I've decided to implement this as host-based authentication. You just have to understand where you have to create the user, and the best place is the getpwnam call implemented in the Name Service Switch. In my opinion it's not possible to implement user creation in PAM; I think that SSH requires user details before it actually calls PAM modules, however, it may depend on the authentication type.

My blog post describing how to do that with host-based authentication and login to the same username: https://funinit.wordpress.com/2018/01/29/host-based-ssh-as-sso/
GitHub project with an NSS service library implementing getpwnam in the appropriate way: https://github.com/cinek810/libnss-pool

If you want to log everyone in as guest, you can check the other NSS library (ato stands for "all to one"): https://github.com/donapieppo/libnss-ato

0

Unfortunately, it is not possible to do what the OP wants. I have been looking into the same thing recently, and what I have found is that OpenSSH will always use the username that the user enters, ignoring any changes to the username that PAM may try to introduce. If that user does not exist in /etc/passwd, OpenSSH will not allow them to log in, since it cannot look up some important pieces of information (including UID, GID, and login shell).

Reference: https://www.redhat.com/archives/pam-list/2009-January/msg00004.html

One alternative is to create the user on-the-fly during the PAM authentication stage, as David described in his answer. I've tested this solution and found it to be workable. Since UIDs are typically 32-bit, you won't run out of them. However, I suppose that system performance might become slower and slower as the /etc/passwd and /etc/shadow files get longer and longer.
