We would like to request the ability for the PAM relay to allow users to log onto certain remote hosts with any account, even when the account they want to use is not configured in PAM (but exists on the remote host or in AD). Perhaps if hosts had an 'allow <usergroup or authdomain> users to log on with any account' setting.

Background:
In our environment, we have several systems which are using AD integration, and users need to log on through the PAM relay. Currently, to set that up in PAM so that they can use the relay to each system requires adding and maintaining every user in those different AD zones in PAM, and mapping those users to each system that they have access to. This basically duplicates the access control groups that are already being managed by the AD integration, and results in thousands of relationships that have to be built and maintained just so users can use the PAM relay with their AD account to the target hosts.

We would like to allow them to just log on without configuring each AD account in PAM. PAM would not necessarily need to auto-feed these credentials, since users are OK with logging in twice (once to the relay, and again to the remote host), and the AD zone may be different between the relay and the remote host anyway (so the password may be different).

An alternative we have discussed is to set up a generic PAM relay user on each remote host, where users can connect through the relay to that pamUser@remoteHost, and then su to their named account. However, then searching the audit details in PAM would be more difficult.

Users often aren't just using specific system accounts that need to be managed anymore; they're using their own accounts, so PAM will likely need to eventually support these AD integration use cases more fully to make them easier to configure. In the interim, an 'allow users to log on with any account' permission would make it easier to configure for scenarios like this.

Comments

  • I had not thought about the duplicated administration overhead the current approach mandates until reading this idea. I have the team looking at whether there is any short-term option that we can do to help alleviate this issue. It is under investigation, so I cannot commit to saying hand-on-heart that we can do anything with it in the upcoming release of the product, but I will update this forum when I get feedback on what is / may be possible.

  • With PAM 3.7, this requirement is addressed with the 'Submit User' support of the SSH relay.
    Note: While it works with different combinations of RunUser and RunHost settings on the PAM policy/rule, one point to mention is that if the login user is the RunUser and the passwords are the same, then the user will not be prompted for the password a second time.