Date: Sun, 17 Apr 2022 13:04:37 +0200
From: FreeBSD User <freebsd@walstatt-de.de>
To: FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: PAM: SSH: reject login when homdir does not exist?
Message-ID: <20220417130437.740721de@hermann>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Hello fellows, happy Easter!

I ran into a security issue this morning here and tried to look for a solution.

We use OpenLDAP for all "regular users" login on hosts and web services. Authentication is required from some cloud/moodle services via LDAP, but some users not having any home directory on any machine within the domain will still be allowed to log in, even if the home dir is not present. They get logged in onto the root of the filesystem when logging in via SSH.

Is there a way to prohibit login if the homedir isn't present? Can you point me to the right place (PAM or something; pam_env isn't available on FreeBSD)?

If this is a trivial issue and caused by lack of my personal knowledge, please excuse.

Kind regards,

O. Hartmann
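A defender-side check for the situation described in the mail above, added here as an illustration and not taken from the original message or from FreeBSD itself: a script meant to be run by pam_exec(8), assumed to be wired into /etc/pam.d/sshd as `account required pam_exec.so /usr/local/libexec/require_home.sh` (path and stack placement are this example's choice), which refuses the login when the user's home directory does not exist so the session never falls back to `/`. It assumes pam_exec exports the user name as `PAM_USER` and turns a non-zero exit status into a module failure, as pam_exec(8) describes.

```shell
#!/bin/sh
# Added example (not from the original mail or FreeBSD base).
# Intended to be run by pam_exec(8) from /etc/pam.d/sshd, e.g.
#   account  required  pam_exec.so  /usr/local/libexec/require_home.sh
# pam_exec exports the user being checked as $PAM_USER and treats a
# non-zero exit status of this script as a module failure (assumption based
# on pam_exec(8)); "required" then makes the whole account stack fail, so
# sshd denies the login before any session is set up.

# passwd_home_ok LINE
# Takes one passwd(5)-style line (name:pw:uid:gid:gecos:home:shell) and
# returns 0 only if the home field names an existing directory.  An empty
# field or "/" counts as "no home": that is the root-of-filesystem fallback
# the mail describes, which sshd would otherwise silently accept.
passwd_home_ok() {
    _home=$(printf '%s\n' "$1" | cut -d: -f6)
    if [ -z "$_home" ] || [ "$_home" = "/" ]; then
        return 1
    fi
    if [ ! -d "$_home" ]; then
        return 1
    fi
    return 0
}

# require_home USER
# Resolves the user through NSS (so LDAP users served by nss_ldap are
# covered) and applies passwd_home_ok to the result.  Unknown users are
# rejected as well.
require_home() {
    _entry=$(getent passwd "$1") || return 1
    passwd_home_ok "$_entry"
}

# Only act when invoked by pam_exec; otherwise the functions are just defined.
if [ -n "$PAM_USER" ]; then
    if require_home "$PAM_USER"; then
        exit 0
    fi
    logger -p auth.warning -t require_home \
        "rejecting login for $PAM_USER: home directory missing or unusable"
    exit 1
fi
```

The rejection is logged to the auth facility so a missing-home login attempt shows up in /var/log/auth.log rather than disappearing silently.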