I suspect this may not be possible, but just in case anyone has any thoughts...

I have a server that users log into remotely purely to get access to a couple of resources through forwarded ports. The users authenticate using ssh keys that are stored in FreeIPA. This works really well for that purpose: there are no local users set up on the server, no one has shell access, all they can do is forward ports using: ssh -N <config'd name>.

FreeIPA also has a user password that is used for some on-premises resources—with COVID and no one coming into the office anymore, they have no way of changing that password.

Is there a way to allow users to do:

ssh -t <config'd name> "kpasswd <user>@<domain>"

or the equivalent without having a local account/home dir? I don't really want to litter up /home/ just for this one command...

Shaav
  • The answer depends on how the forwarding user is configured, i.e. whether the user's shell is set to `nologin` or not. You can find out if it's capable of running commands by simply running a command like `ssh -t @ "which bash"`. The response will be **This account is currently not available.** if it's set to `nologin`. – Prav Sep 15 '20 at 21:52
  • Thanks @PraveenPremaratne! They aren't set to 'nologin', but it's also not set up to automatically create user accounts/home directories on the first login. So if I try to execute a command like the above, the error is `Could not chdir to home directory`. I was hoping maybe there was a way to tell PAM that IPA-authenticated users can use /home/common/ as a home directory or something and then somehow chroot them so they can only use the one command... – Shaav Sep 17 '20 at 15:40
  • See if this thread helps you [How to limit user commands in Linux](https://stackoverflow.com/questions/21498667/how-to-limit-user-commands-in-linux) – Prav Sep 17 '20 at 18:49
  • Also, I'm bit confused as to what you're trying do. Are you trying to allow users to login to a shared user on the machine with authentication from FreeIPA? – Prav Sep 17 '20 at 18:58
  • Thanks again @PraveenPremaratne—sorry for the response delay. No, it's not a shared user. Everyone logs in with their own account, which is authenticated with FreeIPA. But because the primary purpose of doing so is port forwarding, they are not set up locally on the machine with a home directory etc. on their first log in. Since that's the case, they don't even get to the point where chrooting them or limiting user commands is relevant, because they have no home directory. I suspect that this just isn't possible... – Shaav Oct 07 '20 at 16:55
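One way to get what the question asks for, added here as an example and not part of the question or the comments: an sshd `ForceCommand` wrapper that lets FreeIPA-authenticated users run only `kpasswd` for their own principal, while plain `ssh -N` port forwarding keeps working and no home directory is needed. The group name `ipa-forwarders`, the script path, the `KPASSWD_REALM` variable and the `/usr/bin/kpasswd` path are assumptions to adjust for the host.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper for FreeIPA users who have no home directory.
# Assumed sshd_config fragment (group name and script path are placeholders):
#
#   Match Group ipa-forwarders
#       ForceCommand /usr/local/sbin/kpasswd-only
#       PermitTTY yes                  # kpasswd needs a TTY for its password prompts
#       AllowTcpForwarding yes
#       PermitOpen host1:port1 host2:port2
#
# `ssh -N` requests neither a shell nor a command, so the forced command never
# runs and only the forwardings are set up. The missing home directory is not
# fatal: on Linux sshd prints "Could not chdir to home directory", stays in /
# and execs the forced command anyway.

REALM="${KPASSWD_REALM:-EXAMPLE.COM}"   # assumption: the FreeIPA Kerberos realm

# Allow only "kpasswd" on its own, or "kpasswd <login>@<REALM>" naming the
# caller's own login. The principal is always derived server-side from the
# authenticated login name, so a client cannot point kpasswd at someone else.
allowed() {
    requested=$1
    login=$2
    case "$requested" in
        kpasswd)                 return 0 ;;
        "kpasswd $login@$REALM") return 0 ;;
        *)                       return 1 ;;
    esac
}

main() {
    login=${USER:-$(id -un)}
    if allowed "${SSH_ORIGINAL_COMMAND:-}" "$login"; then
        logger -t kpasswd-only "kpasswd for $login from ${SSH_CLIENT%% *}"
        exec /usr/bin/kpasswd "$login@$REALM"
    fi
    # Anything else, including a plain interactive shell request, is refused
    # and logged so the denial shows up in the host's logs.
    logger -t kpasswd-only "denied '${SSH_ORIGINAL_COMMAND:-<shell>}' for $login"
    echo "Only 'kpasswd' is permitted on this host." >&2
    exit 1
}

# sshd sets SSH_CONNECTION in every session; when the file is run or sourced
# by hand, the functions are only defined and nothing is executed.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

Users then run `ssh -t <config'd name> kpasswd` (or the `kpasswd <user>@<domain>` form from the question) and get the usual old/new password prompts; any other command is logged and rejected.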

0 Answers