Authenticating users from proprietary user databases

Christian Pfaffel-Janser christian.pfaffel-janser at siemens.com
Tue Oct 6 23:10:46 EST 2009


Yaniv Aknin wrote:

> Thank you very much for your prompt and interesting replies.
> 
> To make sure I'm perfectly clear, I'd like complete separation between the
> "CLI" users and "maintenance" users. Not every CLI user is a maintenance
> user, nor is every maintenance user a CLI user. Maintenance users are
> regular Linux users (/etc/passwd) and CLI users are defined by the users of
> the appliance, who should be 100% abstracted from the fact this is actually
> a bunch of Linux boxes. I'd like the separation to be complete enough that
> it would be possible to create a user in the CLI called, say, "root", and
> have that user be completely unrelated to Linux's /etc/passwd UID-0 user
> root we all know.
> 
> Christian, from your suggestions, I'm indeed most interested in (3) and
> maybe (1b), but the issue which still remains is how to make the NSS plugin
> I'll use specific to the OpenSSH process (and its only child, the CLI
> executable), so that not all processes in my system would be affected by
> this change. From my cursory look at nss-extrausers, I can't see a way to
> limit it to a specific process, but please enlighten me if I'm wrong.
> 
> I'm willing to go with "override getpwnam()" method suggested by Darren
> (either statically as Darren stated or indeed with LD_PRELOAD), but I'd be
> happy to hear another suggestion, if you have any.
> 

Hi Yaniv,

How about using the PAM stack to do the work for you? You get all the
flexibility you need.

Regards,
Christian

-- 


More information about the openssh-unix-dev mailing list