Single sign on with remote SSH server


Is it possible to authorize a user based on a provided login and password by connecting to a remote SSH server?

If the connection is successfully established and the login-password pair is accepted on the remote end, the user is granted login access to the local machine.

I've heard that there is such a PAM module, but for now I can only find pam_ssh, which operates (locally) on private keys.

Basilevs

Posted 2011-08-21T10:10:12.913

Reputation: 2 237
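One way to wire the mechanism the question describes into PAM, added here as an illustration and not code from the original post or from any existing module: Linux-PAM's pam_exec.so runs an external program during the auth stack and, with its expose_authtok option, hands that program the typed password on stdin and the user name in PAM_USER. The script below (hypothetical names: ssh-auth-check, AUTH_HOST, the known_hosts path) reports success only if an SSH password login as that user to the remote server succeeds. It assumes OpenSSH 8.4 or newer on the local side (for SSH_ASKPASS_REQUIRE=force) and a pre-populated known_hosts file, so that a pinned host key rather than trust-on-first-use protects the password in transit.

```shell
#!/bin/sh
# ssh-auth-check: hypothetical pam_exec helper (added illustration, not code from
# the original post or from any existing PAM module).
#
# Hypothetical Linux-PAM stack line that would call it:
#   auth  sufficient  pam_exec.so  expose_authtok  quiet  /usr/local/sbin/ssh-auth-check
# pam_exec sets PAM_USER in the environment and, with expose_authtok, writes the
# password the user typed to this program's stdin.

AUTH_HOST="${AUTH_HOST:-login.example.org}"      # assumed remote SSH server
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/ssh/ssh_auth_check_known_hosts}"  # pinned host key(s)
SSH_BIN="${SSH_BIN:-ssh}"                         # overridable so the logic can be exercised offline

# Askpass mode. OpenSSH 8.4+ with SSH_ASKPASS_REQUIRE=force runs $SSH_ASKPASS
# (this same script) to obtain the password and reads it from its stdout.
if [ "${SSH_AUTH_CHECK_ASKPASS-}" = 1 ]; then
    printf '%s\n' "${SSH_AUTH_CHECK_PW-}"
    exit 0
fi

# Accept only plain login names: the value becomes part of an ssh argument, so a
# name starting with '-' or containing shell/ssh metacharacters is refused.
valid_login_name() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Try a password (or keyboard-interactive) login as "$1" with password "$2" on
# AUTH_HOST. Returns 0 only if ssh authenticated and the remote 'true' ran; ssh
# itself exits 255 on connection, host-key or authentication failure.
ssh_password_check() {
    user="$1"
    pw="$2"
    valid_login_name "$user" || return 1
    SSH_AUTH_CHECK_ASKPASS=1 SSH_AUTH_CHECK_PW="$pw" \
    SSH_ASKPASS="$0" SSH_ASKPASS_REQUIRE=force \
        "$SSH_BIN" -n \
            -o PreferredAuthentications=keyboard-interactive,password \
            -o PubkeyAuthentication=no \
            -o NumberOfPasswordPrompts=1 \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$KNOWN_HOSTS" \
            -o ConnectTimeout=5 \
            "$user@$AUTH_HOST" true >/dev/null 2>&1
}

# pam_exec entry point: read the password from stdin, then run the check.
pam_main() {
    [ -n "${PAM_USER-}" ] || return 1
    pw=""
    IFS= read -r pw || :               # token may arrive without a trailing newline
    ssh_password_check "$PAM_USER" "$pw"
}

# Act as the PAM helper only when pam_exec invoked us (PAM_USER is set).
if [ -n "${PAM_USER-}" ]; then
    pam_main
    exit $?
fi
```

This handles only the auth phase: account and session management, and every getpwnam() lookup, still need a user database from NSS. The host key pin is what makes the scheme defensible: with StrictHostKeyChecking=yes and an unknown host the check fails closed instead of sending the password to an unverified server. The password is passed to the askpass child through the environment, which is readable only by the same uid (root, under PAM); on a host where that is not acceptable, a 0600 temporary file is the alternative. The SSH_BIN override exists solely so the decision logic can be driven with a fake ssh offline.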

What would be the use case for this? Just curious. – user1686 – 2011-08-21T10:15:50.720

Look into Kerberos. – Gilles 'SO- stop being evil' – 2011-08-21T12:31:45.090

@gravity: simple domain login without extra infrastructure. – Basilevs – 2011-08-21T12:34:00.427

You would still have to manually add the user account to all servers, and it would become impossible to use SSH pubkey authentication if you required a password for the authorization checks (did you mean "authenticate" in your post?), and it would still require the same amount of "extra infrastructure" (one password-checking server) as Kerberos, but with more complicated and less standard configuration... – user1686 – 2011-08-21T14:45:15.220

...in conclusion, it would not be as simple as it looks. – user1686 – 2011-08-21T14:51:57.987

@grawity, why should I add user accounts on every host? PAM modules can provide POSIX user information (UID, for example); there is absolutely no need to use local passwd/shadow files. – Basilevs – 2011-08-22T07:51:17.970

PAM cannot provide the complete information -- for example, any program that uses getpwnam() (which means 99.9% of them) will call NSS modules (/etc/nsswitch.conf). And every single module, other than nss_files, requires "extra infrastructure". Besides, if you want to use a "remote SSH server" for this, it's not even possible to retrieve the information reliably. Would you have to enter the SSH password every time a program requests your information? – user1686 – 2011-08-22T09:29:50.947

I can't see any problem with NSS; we can just add a new source, like LDAP domains do. I don't know any other domain service which doesn't require anything except an existing SSH login server. Reliability of the remote server is determined by connectivity; security is provided by host keys and encryption. Repeated information retrieval is a big issue indeed; I missed that point (in terms of SSH this is easily handled with ssh-agent, though). – Basilevs – 2011-08-23T12:10:04.673

No answers