2

Currently I've noticed when I use the OpenSSH Server with PAM and for instance RADIUS while I can get the user to authenticate successfully with PAM, I still need a local user account in /etc/passwd, e.g. added with useradd on the box.

Is there any setting in OpenSSH to say there does not need to be a local user is /etc/passwd. And instead the shell/home dir/session will be initialized through some default setting? I have been unable to locate any way to do this online.

David Mokon Bond
  • 145

1 Answers1

2

The configuration in /etc/nsswitch.conf sets the order in which users will be looked up. You can check with getent passwd $USER how your user is resolved. There is no need for a user to have a local account in order to login. Bind the passwd and group databases in /etc/nsswitch.conf to ldap, nis and/or sss and use the proper PAM module in the stack.

A use case using SSSD and freeIPA, where users, groups, login shell, sudo rules, SELinux mappings, etc, are stored in the directory managed by freeIPA. Note that SSHD uses GSSAPI to authenticate against kerberos, whose database is stored in the directory as well: 


 # cat /etc/krb5.conf
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
 [realms]
  DOMAIN.COM = {
   kdc = ipaserver.domain.com:88
   master_kdc = ipaserver.domain.com:88
   admin_server = ipaserver.domain.com:749
   default_domain = domain.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
 [domain_realm]
  .crapsteak.org = DOMAIN.COM
  crapsteak.org = DOMAIN.COM
 [dbmodules]
   DOMAIN.COM = {
     db_library = ipadb.so
   }

# grep sss /etc/nsswitch.conf
 passwd:     files sss
 shadow:     files sss
 group:      files sss
 services:   files sss
 netgroup:   files sss
 automount:  files sss


# cat /etc/sssd/sssd.conf
 [domain/domain.com]
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = domain.com
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = somehost.domain.com
 chpass_provider = ipa
 ipa_server = ipaserver.domain.com
 ldap_tls_cacert = /etc/ipa/ca.crt
 [sssd]
 services = nss, pam, ssh
 config_file_version = 2
 domains = domain.com


# grep sss /etc/pam.d/{password,system}-auth-ac
 /etc/pam.d/password-auth-ac:auth        sufficient    pam_sss.so use_first_pass
 /etc/pam.d/password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 /etc/pam.d/password-auth-ac:password    sufficient    pam_sss.so use_authtok
 /etc/pam.d/password-auth-ac:session     optional      pam_sss.so
 /etc/pam.d/system-auth-ac:auth        sufficient    pam_sss.so use_first_pass
 /etc/pam.d/system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 /etc/pam.d/system-auth-ac:password    sufficient    pam_sss.so use_authtok
 /etc/pam.d/system-auth-ac:session     optional      pam_sss.so


# grep GSS /etc/ssh/sshd_config
 GSSAPICleanupCredentials yes
 GSSAPIAuthentication yes
dawud
  • 1,518