
I am building a script for SAs to follow when performing a certain task. That task requires adding a user to a system who can only SSH to the system (using a key) and not log in with a password. What I want to do is have the SA execute the adduser command with the appropriate flags, all at once, to create the user.

I do not want to do adduser... then usermod -L username (which locks out the user completely), or set the shell to /sbin/nologin (which does the same thing as usermod -L).

I do not want the SA to manually edit /etc/passwd, either.

I am looking for a single command-line solution. I know I can write a script, but that would require the SA to download the script and run it, which is my last resort.

Andrew B
weismanm

2 Answers

Regarding a one-line solution, there is none. Complex logic such as this requires manipulation of the PAM stack. That said, I don't think this PAM rule would have to be too complex, so it really depends on whether you have a configuration management strategy in place to manage this PAM config for you, and not put it on the SE. If you do, this may not be too painful.

It's an often overlooked fact, but key-based ssh authentication bypasses the auth stack of PAM. If you have a way of identifying people who should only be logging in via SSH keys, you can install a hook in the auth stack that fails the authentication attempt if that characteristic is seen. I suggest creating a group for this purpose, as it scales better than hardcoding usernames into a PAM config.

Putting all of that together, and assuming that 65536 is the gid of the group in question:

  1. groupadd -g 65536 sshonly
  2. Add the following line to the top of your auth stack:
    auth required pam_succeed_if.so gid ne 65536
  3. useradd -u $SOMEUID -g $SOMEGID somename
  4. usermod -a -G sshonly somename
Andrew B

Actually Andrew's response is not entirely correct. While the creation of the distinct group and modifying the auth stack are both good recommendations, steps 3 and 4 can in fact be made into one line. Building on Andrew's example, here's the one-liner (and a little closer to complete):

useradd -u $SOMEUID -g $SOMEGID -G sshonly -s $SHELL -c comment -d $HOMEDIR somename

Additional flags can be added as needed for your environment. Hope this helps!

chicks
Taz
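An added example, not code from either answer, that carries the group-plus-PAM approach through as one idempotent script an SA could run: it prepends the rule to the sshd auth stack only once, creates the user without setting a password, and audits the group for members whose shadow entry still holds a usable hash. The group name sshonly, gid 65536 and the /etc/pam.d/sshd path are assumptions that can be overridden; the rule uses pam_succeed_if's `user notingroup` test because `usermod -a -G` grants supplementary membership (the `gid` field compares only the primary gid).

```shell
#!/bin/sh
# Added example (not from the original answers): apply the group + PAM rule
# approach idempotently and audit the result. Paths default to the real
# system files but can be overridden so the checks can run on copies.
set -eu

SSHONLY_GROUP=${SSHONLY_GROUP:-sshonly}   # assumed group name
SSHONLY_GID=${SSHONLY_GID:-65536}         # assumed gid
PAM_SSHD=${PAM_SSHD:-/etc/pam.d/sshd}     # assumed sshd PAM service file

# The rule inserted at the top of the sshd auth stack. 'user notingroup'
# tests supplementary membership, which is what 'usermod -a -G' grants.
sshonly_pam_rule() {
    printf 'auth required pam_succeed_if.so user notingroup %s\n' "$SSHONLY_GROUP"
}

# Prepend the rule to a PAM file unless it is already there (idempotent).
ensure_pam_rule() {   # $1 = PAM service file
    rule=$(sshonly_pam_rule)
    if grep -qxF "$rule" "$1"; then
        return 0
    fi
    { printf '%s\n' "$rule"; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Audit: print members of the ssh-only group whose shadow entry still holds
# a usable password hash (i.e. not locked with '!' / '!!' / '*').
audit_sshonly() {     # $1 = group file, $2 = shadow file
    members=$(awk -F: -v g="$SSHONLY_GROUP" '$1 == g { print $4 }' "$1" | tr ',' '\n')
    for u in $members; do
        hash=$(awk -F: -v u="$u" '$1 == u { print $2 }' "$2")
        case $hash in
            ''|'!'*|'*'*) ;;        # locked or no entry: nothing to report
            *) echo "$u" ;;         # usable password: report the account
        esac
    done
}

# Provisioning, run as root: $1 = username, $2 = uid, $3 = primary gid.
# useradd without -p leaves the shadow field locked ('!' or '!!' by distro),
# so the account can only authenticate with its SSH key.
provision_sshonly_user() {
    getent group "$SSHONLY_GROUP" >/dev/null || groupadd -g "$SSHONLY_GID" "$SSHONLY_GROUP"
    ensure_pam_rule "$PAM_SSHD"
    useradd -u "$2" -g "$3" -G "$SSHONLY_GROUP" -s /bin/bash "$1"
}
```

Run `audit_sshonly /etc/group /etc/shadow` (as root) after provisioning to confirm no member of the group has a settable password.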