LinuxQuestions.org
Old 10-07-2011, 12:27 AM   #1
ckibodeaux
LQ Newbie
 
Registered: Oct 2011
Location: Baton Rouge, LA
Distribution: Debian & Ubuntu
Posts: 3

Rep: Reputation: Disabled
How to get login window to accept any SSH accounts?


I have searched multiple sites and have not found a solution. Hopefully this is the right place.

Situation:
I have a Debian/Ubuntu computer lab that is used for guest access to the internet. Computers are standard workstations that are configured to boot over the network using LTSP. Currently guests are issued a temporary ID/Pass to login. For permanent storage of files, users are required to have a thumb-drive.

I would like to have it so anyone with a valid SSH account on any server can type their credentials in and be able to login to the machine for internet access. Example: I'd like to walk into the computer lab and type "username@someserver.com" and then the password and get access to a local computer session, bypassing the need for the temporary accounts.

I've mostly searched for PAM/SSH combinations or alternate login managers without success. Any advice would be greatly appreciated.
 
Old 10-07-2011, 01:08 AM   #2
cendryon
Member
 
Registered: Aug 2005
Location: France
Distribution: Slackware64 current
Posts: 82

Rep: Reputation: 30
Hi

You want some sort of centralized users management.
You can use either NIS (yp) or LDAP for users directory, and NSS or PAM to instruct login and SSH where to look up the credentials.

NIS is the traditional way, inherited from Sun Solaris.
LDAP is the more modern way, and can be used as an authentication backend for other services like Web sites and databases managers.

Ask your favorite Google for "ldap authentication" and "ssh ldap authentication", and it will show you many howtos.

Cheers
 
Old 10-07-2011, 01:22 AM   #3
ckibodeaux
LQ Newbie
 
Registered: Oct 2011
Location: Baton Rouge, LA
Distribution: Debian & Ubuntu
Posts: 3

Original Poster
Rep: Reputation: Disabled
cendryon, thank you for your quick reply. The users that will log in are not usually from our own staff, so central authentication is not feasible at this time. I am looking for a way for any valid SSH user of any server (not just our own) to be able to sit down and log in. Security of the workstation is not a concern as they are read-only and reset upon reboot and the network is isolated from our main office network.
 
Old 10-07-2011, 01:39 AM   #4
ckibodeaux
LQ Newbie
 
Registered: Oct 2011
Location: Baton Rouge, LA
Distribution: Debian & Ubuntu
Posts: 3

Original Poster
Rep: Reputation: Disabled
Extra Information to Clarify:

I work for a hospitality (hotel) management company. They have several hotel properties that all use the same web-based software to manage the individual hotels. Each hotel has their own server for user management and login.

The computer lab mentioned here is at the management company where new employees can come and sit through training classes to learn the software or for existing employees to come and learn about new features. Employees from the different hotels have SSH access on their server.

When an employee comes to the lab, they have to request a temp ID and password to be able to sign into the workstation. Since most of the employees that come in for training have SSH access already, we are trying to use the existing accounts on various hotel servers to enable login at the workstation.

I hope this better explains the reasoning behind the request. If there is an alternative method besides SSH, I'm open to hearing about it.
 
Old 10-07-2011, 03:22 PM   #5
cendryon
Member
 
Registered: Aug 2005
Location: France
Distribution: Slackware64 current
Posts: 82

Rep: Reputation: 30
Hi

So you're looking for a distributed central user management

Actually, I think it depends on the hotel SSH server authentication backend.

If each hotel were to have a local LDAP server to centralize its local users, I'd look into setting up a lab LDAP to federate them, and use this LDAP federation as the backend to log in the lab's guest computers.
And for a higher grade solution, I'd look into freeradius to see if it can be used, but I'm not sure it is appropriate to your goal.

If the hotels' SSH accounts are plain local users (those in /etc/passwd created with useradd), I'm afraid the local users of host A can't be used to authenticate on host B.
If those accounts are created with some sort of user-friendly program, maybe you might improve this program to add the account to the lab authentication backend. And even then, what about user password changes?

Next, there is the hand-made solution.
Since your lab computers are Debian/Ubuntu-based, they have PAM. I'd look into PAM modules development to have a "my PAM client" used as the login backend on the lab's computers, and a "my PAM server" (even if I think it would not be a PAM module actually) on every hotel server as authentication authority.
Re-inventing the wheel, the "my PAM client" would connect to the appropriate hotel server upon login, and ask its "my PAM server" to authenticate the given credentials.
Upon successful authentication, the "my PAM client" would open the session using actually a local user of the guest computer, with its pre-configured home directory. But I think you already do something like that with your temporary ID.

My 2 cents about your challenge

Cheers
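
The credential check behind the "my PAM client" idea in post #5, sketched as an added example (not code from any poster in this thread): a helper for pam_exec with expose_authtok that forwards a password only to allowlisted hotel servers. The host names, ALLOWED_HOSTS and the use of sshpass are assumptions; mapping a successful check to a local guest account is not covered.

```shell
#!/bin/sh
# Added example: auth helper intended to be run by pam_exec (expose_authtok).
# ALLOWED_HOSTS and the host names below are constructed placeholders.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-hotel-a.example.com hotel-b.example.com}"

# Split "user@host" into REMOTE_USER / REMOTE_HOST; reject any other shape.
parse_login() {
    case "$1" in
        *@*@*|@*|*@|-*) return 1 ;;   # extra '@', empty part, leading dash
        *@*) ;;
        *) return 1 ;;
    esac
    REMOTE_USER=${1%@*}
    REMOTE_HOST=${1#*@}
    # Conservative account and DNS characters only, so the typed string
    # can never be read as an ssh option or shell syntax.
    case "$REMOTE_USER" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$REMOTE_HOST" in *[!A-Za-z0-9.-]*|-*|.*) return 1 ;; esac
    return 0
}

# Exact-match allowlist: the password is only sent to servers we manage,
# never to whatever host a guest happens to type.
host_allowed() {
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# One password attempt against the remote sshd. The password travels in the
# environment (sshpass -e), not on the command line; StrictHostKeyChecking=yes
# refuses servers whose key is not already in known_hosts.
verify_remote() {
    SSHPASS=$3 sshpass -e ssh \
        -o PreferredAuthentications=password -o PubkeyAuthentication=no \
        -o StrictHostKeyChecking=yes -o NumberOfPasswordPrompts=1 \
        -o ConnectTimeout=5 "$1@$2" true
}

authenticate() {
    parse_login "$1" || return 1
    host_allowed "$REMOTE_HOST" || return 1
    verify_remote "$REMOTE_USER" "$REMOTE_HOST" "$2"
}

# pam_exec sets PAM_TYPE and PAM_USER; with expose_authtok the password
# arrives on stdin (strip the trailing NUL it may carry).
if [ "${PAM_TYPE:-}" = "auth" ]; then
    password=$(tr -d '\000')
    authenticate "${PAM_USER:-}" "$password"
    exit $?
fi
```

The exit status is the verdict pam_exec acts on: 0 accepts the credentials, anything else rejects them.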
 
  

