Nicolas Williams wrote:
> On Wed, Mar 05, 2008 at 08:46:36AM -0800, Edwin Goei wrote:
>
>> there is a "ssh-pubkey" service name but I'm not sure what this is
>> for. My list of user/login accounts is in a database and I need some
>> way of hooking that into sshd. Any ideas?
>>
>
> It's so you can have different account authorization policies for
> different SSH userauth methods.
>
I'm not sure I follow. I thought PAM was used for authentication and that authorization was done afterwards, outside PAM. Could you provide a more concrete example?

Since home directory lookup is baked into sshd, the getpwnam(3) API would be configured via nsswitch.conf to handle the list of user logins. Any ideas on what backend, such as LDAP or files, to use? The ssh/SCM host would periodically poll for new committer accounts and create home directories for them and .ssh/authorized_keys. Does this approach sound right?

>
>> References: http://docs.sun.com/app/docs/doc/819-2240/sshd-1m.
>> BTW, opensolaris.org itself provides hg over ssh but has an 8-character
>> username limit.
>>
>
> The supported maximum username length (supported vis-a-vis POSIX and
> other standards) is 8 characters. The maximum username length if you're
> willing to live with ls(1)/ps(1)/... column run-ons and/or truncation is
> 32 characters (bytes, actually). (login(1) enforces a 32-byte limit,
> and utmpx truncates at 32 bytes.)
>

I can live with those limitations. Thanks for enumerating them.

-Edwin
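The provisioning step Edwin describes (poll the account database, create home directories and .ssh/authorized_keys on the ssh/SCM host), as an added example that is not part of the thread: a POSIX sh routine that validates each username from the export before using it as a path component, lays the files down with modes that pass sshd's StrictModes check, and is safe to re-run on every poll. The export format "username:ssh-public-key", the HOME_BASE location and the sample entries are assumptions; creating the POSIX account itself (useradd, LDAP) is left to whichever backend is chosen.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the account database is
# exported as "username:ssh-public-key" lines and that the POSIX account is
# created elsewhere (useradd, LDAP); this only lays down authorized_keys.
HOME_BASE="${HOME_BASE:-/export/home}"   # assumed location, override as needed

# Reject names unsafe as a path component ("../x", leading "-") and names
# over the 32-byte limit login(1)/utmpx impose, as discussed in the thread.
valid_username() {
    [ -n "$1" ] || return 1
    case $1 in
        -*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create home, .ssh and authorized_keys with modes that pass sshd's
# StrictModes check (nothing group/world writable), then append the key
# only if it is absent, so re-running on every poll is harmless.
# Ownership is fixed only when root and the account already exists.
provision_key() {
    name=$1; key=$2
    if [ -z "$key" ] || ! valid_username "$name"; then
        echo "rejected entry for username '$name'" >&2
        return 1
    fi
    home="$HOME_BASE/$name"
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home" "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF -e "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    if [ "$(id -u)" -eq 0 ] && id "$name" >/dev/null 2>&1; then chown -R "$name" "$home"; fi
}

# Process one export from stdin; prints the number of rejected entries.
provision_export() {
    rejected=0
    while IFS=: read -r name key; do
        provision_key "$name" "$key" || rejected=$((rejected + 1))
    done
    echo "$rejected"
}

# Constructed sample export (fake keys, fake accounts); pipe it to provision_export.
SAMPLE_EXPORT='alice:ssh-rsa AAAAFAKEKEYalice== alice@example
../evil:ssh-rsa AAAAFAKEKEYevil== evil@example'
```

The second entry is rejected before any path is built from it, and running the export twice leaves a single key line in alice's authorized_keys.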