
Login process without creating first the users #29

Open
mariusmitrofan opened this issue Sep 11, 2017 · 5 comments

Comments

@mariusmitrofan

mariusmitrofan commented Sep 11, 2017

Hey guys,

This process works just fine if:

  • the useradd random_user command was run on the server (prior to user's attempt to log in)
  • the random_user has an entry in LDAP with a correct sshPublicKey value set up

Hooray!

However...
Is there a process for this to work without first creating the users locally?

You guys would probably save my life if there is such a thing :)

Thanks,
Marius

@mariusmitrofan
Author

mariusmitrofan commented Sep 11, 2017

This is my /etc/ssh/sshd_config file btw:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin forced-commands-only
AuthorizedKeysFile /dev/null
AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper
AuthorizedKeysCommandUser nobody
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintLastLog yes
UsePrivilegeSeparation sandbox
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp  /usr/libexec/openssh/sftp-server
LogLevel INFO

And I'm running:

[root@ip-172-27-65-235 ec2-user]# cat /etc/*-release
NAME="Amazon Linux AMI"
VERSION="2017.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2017.03"
PRETTY_NAME="Amazon Linux AMI 2017.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2017.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2017.03

@maretodoric

Nice that actually someone bothered to answer you.
Are you trying to login as that 'random_user' or some other user?

For example, if you want to log in as user 'root' you just need 'root' created in LDAP, and there you can add multiple ssh keys for the root user.
As for trying to log in as a user which does not exist, no, probably not without some other external plugins MAYBE.

@mariusmitrofan
Author

I was able to fix this on my own, but do appreciate taking your time to look into this.

Resolution: Use an sshwrapper script and ensure that the "authconfig" commands create home folders for the users.

@mariusmitrofan
Author

mariusmitrofan commented Nov 15, 2018

Packages installed:

  • gcc
  • python27-devel
  • openldap-devel
  • python27-pip
  • openldap-clients
  • nss-pam-ldapd

Commands ran:

  • pip install python-ldap
  • authconfig --enableldap --enableldapauth --ldapserver=${LdapHostname} --ldapbasedn="ou=People,dc=${Domain},dc=com" --update
  • authconfig --enablemkhomedir --update
  • ln -sf /home /users
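The thread's fix boils down to three prerequisites on the host: the LDAP account must resolve through NSS (the nss-pam-ldapd / authconfig --enableldap step), sshd must be told to fetch keys via AuthorizedKeysCommand as an unprivileged user, and a home directory must exist or be created by pam_mkhomedir. The following diagnostic is an added example written for this thread, not code from the ssh-ldap-pubkey project; it parses an sshd_config excerpt (constructed here to mirror the one posted above) and reports which prerequisite is missing for a given username on the machine it runs on.

```python
import os
import pwd
import re

# Constructed sshd_config excerpt mirroring the settings posted in the issue.
SAMPLE_SSHD_CONFIG = """\
AuthorizedKeysFile /dev/null
AuthorizedKeysCommand /usr/bin/ssh-ldap-pubkey-wrapper
AuthorizedKeysCommandUser nobody
PasswordAuthentication no
UsePAM yes
"""

def parse_sshd_config(text):
    """Map lowercased keywords to values. sshd honours the first occurrence
    of a keyword and accepts both 'Keyword value' and 'Keyword=value'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if m and m.group(1).lower() not in opts:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts

def check_login_prereqs(username, sshd_config_text):
    """Return the reasons a key-only LDAP login for `username` would fail on
    this host. An empty list means all three prerequisites are met: the
    account resolves via NSS, sshd queries AuthorizedKeysCommand as an
    unprivileged user, and the home directory exists."""
    problems = []
    opts = parse_sshd_config(sshd_config_text)
    cmd = opts.get("authorizedkeyscommand", "")
    if not cmd or cmd.lower() == "none":
        problems.append("AuthorizedKeysCommand unset: sshd never asks LDAP for keys")
    elif not os.path.isabs(cmd.split()[0]):
        problems.append("AuthorizedKeysCommand must be an absolute path")
    if opts.get("authorizedkeyscommanduser", "").lower() in ("", "root"):
        problems.append("AuthorizedKeysCommandUser should be a dedicated unprivileged account")
    try:
        entry = pwd.getpwnam(username)  # same lookup sshd does before pubkey auth
    except KeyError:
        problems.append(f"{username} does not resolve via NSS: sshd refuses public-key "
                        "auth before AuthorizedKeysCommand runs (configure nss-pam-ldapd)")
        return problems
    if not os.path.isdir(entry.pw_dir):
        problems.append(f"home {entry.pw_dir} missing: enable pam_mkhomedir")
    return problems
```

Run it as `check_login_prereqs("random_user", open("/etc/ssh/sshd_config").read())` on the affected server; an NSS failure means the LDAP account is invisible to the host and no key lookup will ever be attempted.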

@jirutka
Owner

jirutka commented Apr 27, 2019

Use an sshwrapper script and ensure that the "authconfig" commands create home folders for the users.

What do you mean by sshwrapper script? Some script that you set as AuthorizedKeysCommand which creates the user and calls ssh-ldap-pubkey?

3 participants