Creating users "on - the - fly"

Cary FitzHugh cary.fitzhugh at gmail.com
Sat Feb 7 04:41:38 AEDT 2015


Hi all.

I have a situation that I wonder if someone may have run into - or has a
direction I should dig / develop in.

Let's say I have a system with 1M "users".  Their public keys are
stored in a database, and I can access them via a web call.

I have a few servers which should allow those users access.

Some constraints to make it non-crazy.

The users can only reverse tunnel.  They need no state / home
directories, etc.  I've set the command in sshd_config to just echo
"Nyet".  All they do is try to connect with

ssh -R *:0:localhost:<local-port> user@server -N

(while I have you - is there any other way to know what port was
allocated, except for parsing stderr?)

Some great help was in this url:
http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding
(for anyone looking for info about reverse forwarding).

I was planning on just having the AuthorizedKeysCommand take the
username, look up the keys from the webservice, and return them. Easy!

The trouble is that the user isn't created on the machine beforehand.
But I actually don't want the user created, b/c I don't want to litter
all these servers with little user directories.  Users may be
transient as well - so littering the directories of these machines
with tons of data just causes many other problems (running out of
inodes, disk-space, etc).

Any ideas?

Thanks!
Cary
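
An added example, not part of the original post and not OpenSSH's own code: a sketch of the AuthorizedKeysCommand helper the post plans, with the web lookup replaced by a constructed list of returned lines. It assumes a username policy, an allowed key-type list and an OpenSSH version that supports the "restrict" key option, and it leaves the missing-account question open.

```python
import base64
import re
import struct

# Options forced onto every key: forwarding only, no shell or PTY.
# Assumes an OpenSSH version with "restrict"; the command mirrors the post's echo.
FORCED_OPTIONS = 'restrict,port-forwarding,command="echo Nyet"'
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed naming policy


def blob_key_type(b64_blob):
    """Return the key type named inside the base64 key blob, or None."""
    try:
        raw = base64.b64decode(b64_blob, validate=True)
        (length,) = struct.unpack(">I", raw[:4])
        name = raw[4:4 + length]
        return name.decode("ascii") if len(name) == length else None
    except (ValueError, struct.error):
        return None


def authorized_keys_lines(username, fetched_lines):
    """Turn key lines from the key service into restricted entries."""
    if not USERNAME_RE.fullmatch(username):
        return []
    out = []
    for line in fetched_lines:
        fields = line.split()
        # Accept only "<type> <base64> [comment]". A line that starts with
        # options is dropped, so the database cannot supply its own.
        if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
            continue
        if blob_key_type(fields[1]) == fields[0]:
            out.append(f"{FORCED_OPTIONS} {fields[0]} {fields[1]}")
    return out


def constructed_blob(key_type):
    """Build a well-formed but meaningless key blob for the demo."""
    name = key_type.encode()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    good = f"ssh-ed25519 {constructed_blob('ssh-ed25519')} laptop"
    bad = f"pty ssh-ed25519 {constructed_blob('ssh-ed25519')}"
    print("\n".join(authorized_keys_lines("tunnel-user-42", [good, bad])))
```

Only the key type and blob are re-emitted, so comments and any options stored alongside a key in the database never reach sshd.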


More information about the openssh-unix-dev mailing list