在 Linux(例如 Ubuntu 18.04)中,如何配置sshd以允许尚不存在的 OS 用户使用公钥登录?
例如:
在服务器上:/etc/ssh/sshd_config 有 AuthorizedKeysFile: /etc/ssh/keys/%u
sudo mkdir -p /etc/ssh/keys
sudo tee /etc/ssh/keys/foo <<< "$(cat id_rsa.pub)"
sudo systemctl restart sshd
在客户端:ssh foo@server
In this scenario, the server does NOT have a foo account in /etc/passwd, but I'd like to create one automatically and then use pam_mkhomedir to create its home directory -- all because the user can successfully authenticate using a public key.
My attempt:
/etc/pam.d/sshd comment out @include common-auth (makes no difference since public keys reportedly bypass this anyway)
/etc/pam.d/sshd comment out @include common-account (no difference)
/etc/pam.d/sshd add, under #2, account required pam_permit.so (no difference)
/etc/ssh/sshd_config LogLevel: DEBUG3 shows
debug1: userauth-request for user foo
Invalid user foo from 192.168.0.8 port 62083
debug1: PAM: initializing for "foo"
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:kdI+ALYK88R6zAcoPAIyXctjCLgEkGodgieusIOay0c [preauth]
debug2: userauth_pubkey: disabled because of invalid user [preauth]
t3d*_*ftw 14
The simple answer is that you can't do this without writing your own plugin for PAM.
Depending on your business needs, it may actually make more sense to hook the box to an LDAP backend for the user database.
为了更具体一点,sshd将查看 PAM 来验证用户。如果用户数据库没有记录,用户将被设置为unknown,这会给用户带来体验的噩梦。此外,没有我熟悉的 PAM 模块会采用由提供的用户名sshd并在passwd.
| 归档时间: |
|
| 查看次数: |
1776 次 |
| 最近记录: |