SSH Public Keys – How to Login for Users That Do Not Yet Exist

ssh

In Linux (e.g., Ubuntu 18.04), how can I configure sshd to allow logins using public keys for OS users that do not yet exist?

For example:

  1. On server: /etc/ssh/sshd_config has AuthorizedKeysFile: /etc/ssh/keys/%u

  2. sudo mkdir -p /etc/ssh/keys

  3. sudo tee /etc/ssh/keys/foo <<< "$(cat id_rsa.pub)"

  4. sudo systemctl restart sshd

  5. On client: ssh foo@server

In this scenario, the server does NOT have a foo account in /etc/passwd, but I'd like to create one automatically and then use pam_mkhomedir to create its home directory — all because the user can successfully authenticate using a public key.

My attempt:

  1. /etc/pam.d/sshd comment out @include common-auth (makes no difference since public keys reportedly bypass this anyway)

  2. /etc/pam.d/sshd comment out @include common-account (no difference)

  3. /etc/pam.d/sshd add, under #2, account required pam_permit.so (no difference)

  4. /etc/ssh/sshd_config LogLevel: DEBUG3 shows

debug1: userauth-request for user foo 
Invalid user foo from 192.168.0.8 port 62083
debug1: PAM: initializing for "foo"
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:kdI+ALYK88R6zAcoPAIyXctjCLgEkGodgieusIOay0c [preauth]
debug2: userauth_pubkey: disabled because of invalid user [preauth]

Best Answer

The simple answer is that you can't do this without writing your own plugin for PAM.

Depending on your business needs, it may actually make more sense to hook the box to an LDAP backend for the user database.

To get a little more specific, sshd is going to look to PAM to authenticate the user. If the user database doesn't have a record, the user will be set to unknown, which is going to create a nightmare of an experience for the user. Further, there is no PAM module that I'm familiar with that will take the username supplied by sshd and create a record of it in passwd.

Related Topic