Project

General

Profile

Feature #16590

Updated by Peter Amstutz almost 4 years ago

This needs to be done via glibc NSS (Name Service Switch). 

 This is a module that is loaded by glibc and configured systemwide, which allows customizing lookups on various fundamental system databases (in this case, passwd). 

 If we can authenticate that a username is a valid Arvados username, then we can use sshd AuthorizedKeysCommand to look up the user's ssh public key on demand, and maybe PAM to set up the user session. 

 h2. 1. Network Information Services 

 For remote user database lookups, glibc supports NIS (Network Information Services, formally Sun Yellow Pages).    Would involve running a NIS server.    This is a really old standard sun-rpc based standard, that seems to be mostly obsolete, LDAP would be a better choice (see below). 

 Some options to do this: 

 h2. 2. systemd NSS module 

 https://systemd.io/USER_GROUP_API/ 

 "Each subsystem that needs to define users and groups on the local system is supposed to implement this API, and offer its interfaces on a Varlink AF_UNIX/SOCK_STREAM file system socket bound into the /run/systemd/userdb/ directory." 

 So the approach would be to create a service that listens on this socket and supports the appropriate protocol, looks up users in Arvados and responds appropriately.    This could also creates the home directory on demand. 

 h2. 3. write our own module in Go 

 https://github.com/protosam/go-libnss 

 h2. 4. use LDAP/NSS 

 Use existing LDAP NSS module  

 https://wiki.debian.org/LDAP/NSS 

 Teach arvados-controller to answer LDAP queries: 

 https://github.com/glauth/glauth   

 https://github.com/vjeantet/ldapserver 

 Here's a blog that describes on how to use LDAP + NSS + AuthorizedKeysCommand + PAM to enable publickey based login and create home directories on the fly: this stuff up: 

 https://shellpower.wordpress.com/2015/05/26/ssh-public-key-authentication-with-ldap-on-ubuntu/

Back