Authenticating users from proprietary user databases

Yaniv Aknin yaniv at aknin.name
Tue Oct 6 23:16:10 EST 2009


Uhm, I'm not sure how that would work. I think because my users don't
"exist" in the sense the getpwnam et al won't work on them, I must either
override getpwnam or write an NSS module. Otherwise, how would sshd know
(for example) what's the UID of user foo when foo tries to log in? (same
goes for homedir, gid, etc).

Anyway, I'm already doing pretty well with LD_PRELOAD, I think I'll have a
working solution rather soon, and it wasn't even half as hard as I feared,
too.

 - Yaniv

On Tue, Oct 6, 2009 at 2:10 PM, Christian Pfaffel-Janser <
christian.pfaffel-janser at siemens.com> wrote:

> Yaniv Aknin wrote:
>
> > Thank you very much for your prompt and interesting replies.
> >
> > To make sure I'm perfectly clear, I'd like complete separation between
> > the "CLI" users and "maintenance" users. Not every CLI user is a
> > maintenance user, nor is every maintenance user a CLI user. Maintenance
> > users are regular Linux users (/etc/passwd) and CLI users are defined by
> > the users of the appliance, who should be 100% abstracted from the fact
> > this is actually a bunch of Linux boxes. I'd like the separation to be
> > complete enough that it would be possible to create a user in the CLI
> > called, say, "root", and have that user be completely unrelated to
> > Linux's /etc/passwd UID-0 user root we all know.
> >
> > Christian, from your suggestions, I'm indeed most interested in (3) and
> > maybe (1b), but the issue which still remains is how to make the NSS
> > plugin I'll use specific to the OpenSSH process (and its only child, the
> > CLI executable), so that not all processes in my system would be affected
> > by this change. From my cursory look at nss-extrausers, I can't see a way
> > to limit it to a specific process, but please enlighten me if I'm wrong.
> >
> > I'm willing to go with the "override getpwnam()" method suggested by
> > Darren (either statically as Darren stated or indeed with LD_PRELOAD), but
> > I'd be happy to hear another suggestion, if you have any.
> >
>
> Hi Yaniv,
>
> how about using the PAM stack to do the work for you? You get all the
> flexibility you need.
>
> Regards,
> Christian
>
> --
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
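An added example of the LD_PRELOAD approach discussed in this thread (not Yaniv's code): a shim that interposes getpwnam() so that names from a private CLI user table are answered first and everything else falls through to libc's getpwnam_r(), which avoids dlsym(RTLD_NEXT). The table, UIDs, gid, home and the /usr/local/bin/cli login program are hypothetical; a production shim would also have to cover getpwnam_r(), getpwuid() and the group lookups sshd performs, and it only affects the process tree that was started with the library preloaded.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed private user table: CLI name -> UID (hypothetical values). */
struct cli_user { const char *name; uid_t uid; };
static const struct cli_user cli_users[] = {
    { "alice", 10001 },
    { "root",  10002 },   /* a CLI "root" unrelated to /etc/passwd UID 0 */
};

/* Static storage for the returned record, as getpwnam(3) itself uses. */
static struct passwd cli_pw;
static char cli_buf[256];
static char sys_buf[4096];

/* Returns the private record for name, or NULL if name is not a CLI user. */
static struct passwd *lookup_cli_user(const char *name) {
    for (size_t i = 0; i < sizeof cli_users / sizeof cli_users[0]; i++) {
        if (strcmp(cli_users[i].name, name) != 0) continue;
        /* All CLI users share one confined gid, home and login program. */
        snprintf(cli_buf, sizeof cli_buf, "%s", cli_users[i].name);
        cli_pw.pw_name   = cli_buf;
        cli_pw.pw_passwd = "x";        /* no hash here: PAM authenticates */
        cli_pw.pw_uid    = cli_users[i].uid;
        cli_pw.pw_gid    = 10000;
        cli_pw.pw_gecos  = "CLI user";
        cli_pw.pw_dir    = "/var/empty";
        cli_pw.pw_shell  = "/usr/local/bin/cli"; /* hypothetical CLI binary */
        return &cli_pw;
    }
    return NULL;
}

/* Interposed getpwnam(): private table first, then the real passwd
 * database through libc's getpwnam_r(), which this shim does not override. */
struct passwd *getpwnam(const char *name) {
    static struct passwd sys_pw;
    struct passwd *res = lookup_cli_user(name);
    if (res) return res;
    if (getpwnam_r(name, &sys_pw, sys_buf, sizeof sys_buf, &res) != 0)
        return NULL;
    return res;   /* NULL when the name is unknown to the system as well */
}
```

Build with `gcc -shared -fPIC -o libcliusers.so shim.c` and start sshd with `LD_PRELOAD=/path/to/libcliusers.so`; only that sshd and its children see the private table.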

