[Discuss] Using sftp without a shell account

Daniel Hagerty hag at linnaean.org
Tue Dec 30 11:46:52 EST 2014


    First off: check that the sshd on the mac isn't crashing.  OS-X will
hide this because they (re)start sshd out of launchd.  My sftp -vv trace
against a mac keeps going after yours stops.  More generally, ssh traces
are most useful from the server side.  See what you get for
"/usr/sbin/sshd -dd -p 8022" and be sure to direct the client to that
alternate port.

Bill Horne <bill at horne.net> writes:
> I don't see an nsswitch.conf file on the machine.

    os-x isn't nss based.  Apple does their own thing here, and it's
been different from release to release.  See if "dscl" is still there;
it is/was the direct introspection tool for all things going through
their nss-alike.  Also, double check that the unix basics really do what
you expect with:

perl -MData::Dumper -e 'print Dumper([getpwnam("billhorne")])'

for both local and ldap sourced users.  You should get something that
looks like the fields of a V7 passwd file.

> It's a Mac Mini, with a generic OS X Yosemite installation, and OS X
> Server 4.1 installed.
>
> There are a couple of "local" users, which are just administrative
> accounts. Everyone else is a "network" user, entered in Open Directory
> but not in the local machine. I'm hoping that Open Directory is "close
> enough" to OpenLDAP that I can transfer knowledge.

    Last time I touched os-x server, the LDAP server was openldap.

    Beware that the way you are trying to solve this problem isn't a way
unix historically does well.  The standard library calls (man getpwent)
for users have no notion of where the user came from, because as far as
that call is concerned, it's /etc/passwd, even when it isn't.

    PAM can be argued into doing what you want.  You are likely to
bleed.  At least, that's what happens for me with every thought like "I
could get pam to ...".

    It's unlikely that apple supplies a PAM module that does what you
want.  If you're lucky, somebody wrote one.  For linux.  You get to port
it.  Bet you a nickel you run into a show stopping bug in a part of os-x
you can't fix.  (For those who like to say os-x is "just" freebsd, it's
"just" freebsd in the same way that the gnu hurd is "just" bsd net 2).

    You might consider the "keep it simple stupid" approach of using
ssh's AllowUser/AllowGroup settings.  OS-X does not reward veering from
the path, server more so.
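An added example that is not part of the thread and not Apple's or OpenSSH's own code: the "keep it simple" approach above, written out as an sshd_config fragment. The directives are actually spelled AllowGroups (global, all-or-nothing) and Match Group, and the in-process sftp server is selected with ForceCommand internal-sftp so members of the sftp group never reach a shell. The group names "admin" and "sftponly" are assumptions for the sample; the awk check at the end looks for the restriction inside the right Match block of an existing config, so a ForceCommand line that sits outside the block, or a block for a different group, does not count.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an sshd_config fragment that gives
# one group sftp-only access, and checks an existing sshd_config for the same
# restriction. Group names are assumptions for the sample.

# Print the fragment. $1 = group that keeps shell access, $2 = sftp-only group.
sftp_only_fragment() {
  admin_group=$1
  sftp_group=$2
  cat <<EOF
# Only these groups may log in at all. AllowGroups is all-or-nothing: a group
# left off this line loses ssh access entirely, so list the admins too.
AllowGroups $admin_group $sftp_group

# Members of $sftp_group get the in-process sftp server instead of a shell.
# ForceCommand overrides the global "Subsystem sftp ..." line for them only.
Match Group $sftp_group
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Exit 0 only if FILE ($1) has a "Match Group GROUP" ($2) block that contains
# "ForceCommand internal-sftp" before the next Match keyword. Keywords are
# case-insensitive in sshd_config, so compare them lower-cased.
check_sftp_only() {
  file=$1
  group=$2
  awk -v grp="$group" '
    BEGIN { found = 0; inblock = 0 }
    tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
    inblock && tolower($1) == "forcecommand" && $2 == "internal-sftp" { found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$file"
}

# Stand-alone run: write a sample fragment to a temp file and check it.
demo_tmp=$(mktemp)
sftp_only_fragment admin sftponly > "$demo_tmp"
if check_sftp_only "$demo_tmp" sftponly; then
  echo "sftp-only restriction present for group sftponly"
fi
rm -f "$demo_tmp"
```

Validate the merged config with `sshd -t -f /path/to/sshd_config` before reloading, and test it the way the message suggests: run a second daemon with `/usr/sbin/sshd -dd -p 8022` and point the client at that port, so the trace of the forced command shows up on the server side.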
