Feature #16590
Updated by Peter Amstutz over 4 years ago
This needs to be done via glibc NSS (Name Service Switch). This is a module that is loaded by glibc and configured systemwide, which allows customizing lookups on various fundamental system databases (in this case, passwd). If we can authenticate that a username is a valid Arvados username, then we can use sshd AuthorizedKeysCommand to look up the user's ssh public key on demand, and maybe PAM to set up the user session. h2. 1. Network Information Services For remote user database lookups, glibc supports NIS (Network Information Services, formally Sun Yellow Pages). Would involve running a NIS server. This is a really old standard sun-rpc based standard, that seems to be mostly obsolete, LDAP would be a better choice (see below). Some options to do this: h2. 2. systemd NSS module https://systemd.io/USER_GROUP_API/ "Each subsystem that needs to define users and groups on the local system is supposed to implement this API, and offer its interfaces on a Varlink AF_UNIX/SOCK_STREAM file system socket bound into the /run/systemd/userdb/ directory." So the approach would be to create a service that listens on this socket and supports the appropriate protocol, looks up users in Arvados and responds appropriately. This could also creates the home directory on demand. h2. 3. write our own module in Go https://github.com/protosam/go-libnss h2. 4. use LDAP/NSS Use existing LDAP NSS module https://wiki.debian.org/LDAP/NSS Teach arvados-controller to answer LDAP queries: https://github.com/glauth/glauth https://github.com/vjeantet/ldapserver Here's a blog that describes on how to use LDAP + NSS + AuthorizedKeysCommand + PAM to enable publickey based login and create home directories on the fly: this stuff up: https://shellpower.wordpress.com/2015/05/26/ssh-public-key-authentication-with-ldap-on-ubuntu/