A question about LDAP Public Key authentication with openssh 9.8p1

Brian Candler b.candler at pobox.com
Sat Oct 12 23:40:59 AEDT 2024


On 12/10/2024 13:19, Qingtao Cao wrote:
> Since there is no nss-ldap (not to mention sssd), a separate PAM 
> module has been used once the public key authentication is a success, 
> to allocate an unused uid/gid for the remote user, also creating its 
> home directory (which are all specified on the LDAP server, but there 
> is no nss-ldap to fetch this configuration) so that the remote-only 
> user can log in successfully.

How would the PAM module signal back to sshd which uid/gid has been 
selected to switch to?  Or are you thinking that sshd starts every 
session as root, and you're expecting the PAM session module itself to 
switch uid/gid?!

>
> But will this bring about any unexpected vulnerability?

It sounds extremely insecure to me, if it were to work at all.

If you disagree, then I think you would need to lay out, in much more 
detail, exactly how you expect PAM to handle the uid/gid switching (in 
particular, what happens in each of the "auth", "account" and "session" 
calls).

In any case, even after a user has logged in, you still need to map 
uids<->usernames and gids<->groupnames - even for simple cases like 
running "id" or "ls -l" - both for the currently logged-in user and all 
other users.  I don't think you can avoid nss_ldap or sssd.  In which 
case, just deploy it and then you don't need to mess with sshd.

That's unless you want all these external remote users to log in as the 
*same* uid - in which case, you can just create an entry for this shared 
account in /etc/passwd.
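As an added illustration of the point above (this is not code from the thread or from OpenSSH), the following program shows where the uid/username mapping actually happens: every lookup, whether sshd resolving the login name before authentication or "ls -l" labelling a file owner afterwards, goes through libc's NSS layer (getpwnam_r/getpwuid_r), which only knows about the sources listed in nsswitch.conf. With no nss_ldap or sssd, an LDAP-only user is simply unknown, and tools fall back to printing bare numbers, as this example does. It assumes a host whose NSS has the usual "root" entry and no user with uid 4000000000; the user name "no-such-user-nss-demo" is a constructed negative case.

```c
#define _POSIX_C_SOURCE 200809L
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Resolve a login name through NSS, as sshd must do before it can decide
 * which uid a session will run as.  Returns the uid, or -1 when no
 * configured NSS source (files, nss_ldap, sssd, ...) knows the name. */
long uid_for_name(const char *name) {
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    return (long)pw.pw_uid;
}

/* Label a uid the way "ls -l" or "id" does: the user name when NSS can
 * resolve it, otherwise the raw number. */
const char *owner_label(uid_t uid, char *label, size_t len) {
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) == 0 && res != NULL)
        snprintf(label, len, "%s", pw.pw_name);
    else
        snprintf(label, len, "%lu", (unsigned long)uid);
    return label;
}

/* Same fallback for gids (the group column of "ls -l"). */
const char *group_label(gid_t gid, char *label, size_t len) {
    struct group gr, *res = NULL;
    char buf[4096];
    if (getgrgid_r(gid, &gr, buf, sizeof buf, &res) == 0 && res != NULL)
        snprintf(label, len, "%s", gr.gr_name);
    else
        snprintf(label, len, "%lu", (unsigned long)gid);
    return label;
}

int main(void) {
    /* "no-such-user-nss-demo" is a constructed name that no NSS source has. */
    const char *names[] = { "root", "no-such-user-nss-demo" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        long uid = uid_for_name(names[i]);
        if (uid < 0)
            printf("%s: unknown to NSS (sshd would reject this login)\n", names[i]);
        else
            printf("%s: uid %ld\n", names[i], uid);
    }

    /* 4000000000 stands in for a uid a PAM module picked without an NSS entry. */
    uid_t ids[] = { 0, 4000000000u };
    char ul[64], gl[64];
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("owner %s group %s\n",
               owner_label(ids[i], ul, sizeof ul),
               group_label((gid_t)ids[i], gl, sizeof gl));
    return 0;
}
```

The second loop is the behaviour Brian describes: even if a PAM module had somehow handed out uid 4000000000, nothing else on the system could turn it back into a name without an NSS source for it.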


