1

Is it possible to achieve the proposed behavior on my FreeBSD 8.2 server:

New user ssh's into my server. He supplies as 'Login:' his student index number, and a new, locked account is created with a random password that is sent to his index_number@university.domain mail as the authentication method. After he logs in with this password, the account is fully created and activated/unlocked, and the user is asked/forced to change the pass for a new one.

Halik
  • 165
  • 7
  • 2
    It's certainly possible, but do you really want to give login access to any random university person who finds your ssh port? Any reason you can't hook into an existing authentication domain directly, and optionally limit the users who have login access? – Mike Renfro May 11 '11 at 15:03
  • It's supposed to be a test and not a production server, so even if something evil happens to it, I can always restore it from a vbox snapshot. Also, being a student myself, I can't get access to the university LDAP server beyond a simple testing account. – Halik May 11 '11 at 21:37
  • Seems like it would be possible (see the answer) but a really bad idea. Perhaps explain a bit of what you're trying to accomplish and we could point you in a "better" direction. – Chris S May 16 '11 at 00:49
  • The idea is to give extremely easy access to any student from my university - he puts in his album number, gets a pass, logs in. Normally, it would be done by authenticating logins against the LDAP server, but since I can't access it, I need to figure out some other way. – Halik May 21 '11 at 19:46

2 Answers

1

I'm not entirely sure it's possible without hacking openssh. If it's possible, then surely it requires rolling your own PAM authentication module and entering it in the chain at /etc/pam.d/sshd. If that's something you want for academic purposes, it's a nice project.

However, if your goal is for students to easily make a login, then I'd say it's much easier to install www/nginx and stick a script in the cgi-bin directory that mails the password and creates the account if it doesn't exist yet. pw(8) has all the facilities for user account verification and automatic creation. For the students it's equally easy to create this account, if they know the URL.

Mel
  • 196
  • 2
  • Well, thanks - I'll prolly need to look at other possible solutions. So a web based auth is an option. – Halik May 21 '11 at 19:46
0

The closest easy solution is to make them initially log into a "studentsetup" account which prompts them to create or reset a Unix account/password based upon their university credentials... and doesn't do anything else.

Just set "studentsetup" to start a shell script instead of zsh, bash, tcsh, or whatever. Give "studentsetup" some setuid-root copies of "/bin/passwd" and "/usr/bin/adduser". As in any secure shell script, be careful of quoting and shell-out issues.

A different, elegant solution is to interoperate with an NT5 (Win2k) infrastructure which likely already exists for the students. FreeBSD includes Kerberos. Config is not easy for newcomers, though.

A R
  • 69
  • 3
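As an added example that is not part of either answer above: a minimal "studentsetup" login shell in the spirit of A R's suggestion, built around an account-creation helper that Mel's cgi-bin script could call just as well. The part that matters for "quoting and shell-out issues" is that the only user-supplied string, the index number, is validated down to a short run of ASCII digits before it gets anywhere near pw(8) or mail(1), and the password is passed on stdin rather than in argv. Everything not on the page is assumed: index numbers are 5 to 8 digits, Unix logins are s<index>, the mail domain is university.example, the script runs with enough privilege to call pw(8), and DRY_RUN=1 prints the privileged commands instead of running them. Forcing a password change at first login, which the question also asks for, is left out.

```shell
#!/bin/sh
# Added example, not from the original answers. A "studentsetup"-style login
# shell (A R's idea) whose account helper could also back Mel's CGI script.
# Assumed, not on the page: 5-8 digit index numbers, logins s<index>, mail
# domain university.example, privilege to run pw(8), DRY_RUN=1 for dry runs.

PATH=/bin:/usr/bin:/usr/sbin   # fixed PATH: never inherit the caller's
export PATH
MAIL_DOMAIN="${MAIL_DOMAIN:-university.example}"

# The scheme stands or falls on this check: only a bare index number reaches
# the shell-outs below, so no quoting trick, "-option" prefix, space or
# newline can ride in on the user-supplied string.
validate_index() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 5 ] && [ "${#1}" -le 8 ]
}

# 16 hex characters (64 bits) from the kernel CSPRNG; dd/od keep it portable.
generate_password() {
    dd if=/dev/urandom bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Run a privileged command, or just print it when DRY_RUN=1 (used in tests).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a new, locked account for one validated index number.
# "pw useradd -h 0" reads the password from stdin, so it never shows up in
# argv where ps(1) could see it; "pw lock" keeps the account unusable until
# a later step unlocks it (the "fully created and activated" phase).
create_locked_account() {
    idx=$1; pass=$2
    validate_index "$idx" || { echo "invalid index number" >&2; return 1; }
    login="s$idx"
    # pw(8) exists on FreeBSD only; skip the existence check in dry runs.
    if [ "${DRY_RUN:-0}" != 1 ] && pw usershow -n "$login" >/dev/null 2>&1; then
        echo "account $login already exists" >&2
        return 2
    fi
    printf '%s\n' "$pass" | run pw useradd -n "$login" -m -s /bin/sh -h 0 || return 1
    run pw lock "$login" || return 1
    printf 'user %s created (locked)\n' "$login"
}

# Mail the initial password to the address derived from the index number.
# The address is validated digits plus a fixed domain; the body goes on stdin.
mail_password() {
    idx=$1; pass=$2
    validate_index "$idx" || return 1
    printf 'Your initial password for s%s is: %s\n' "$idx" "$pass" \
        | run mail -s "Account created" "${idx}@${MAIL_DOMAIN}"
}

# Interactive flow for the "studentsetup" login: ignore job-control and
# interrupt signals so the student cannot drop out to a real shell, ask one
# question, do the work, and exit.
studentsetup_main() {
    trap '' INT QUIT TSTP
    printf 'Student index number: '
    IFS= read -r idx || exit 1
    pass=$(generate_password)
    if create_locked_account "$idx" "$pass" && mail_password "$idx" "$pass"; then
        echo "Check your university mailbox for the initial password."
    fi
    exit 0
}

# Act as the login shell only when invoked under that name (a login shell
# sees argv[0] as "-studentsetup"); otherwise the file just defines functions.
case "$0" in
    *studentsetup) studentsetup_main ;;
esac
```

Installed as /usr/local/bin/studentsetup and set as the login shell of the "studentsetup" account, this replaces the setuid-root copies of passwd/adduser with a single script that exposes exactly one privileged operation; a CGI wrapper would call create_locked_account and mail_password with the same validated input instead of reading it from the terminal.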