BLU Discuss list archive
[Discuss] Using sftp without a shell account
- Subject: [Discuss] Using sftp without a shell account
- From: hag at linnaean.org (Daniel Hagerty)
- Date: Tue, 30 Dec 2014 11:46:52 -0500
- In-reply-to: <54A2BDEB.9010907@horne.net> (Bill Horne's message of "Tue, 30 Dec 2014 09:59:55 -0500")
- References: <54A0B535.10507@horne.net> <20141229201653.GS11641@dragontoe.org> <54A2BDEB.9010907@horne.net>
First off: check that the sshd on the mac isn't crashing. OS-X will hide this because they (re)start sshd out of launchd. My sftp -vv trace against a mac keeps going after yours stops.

More generally, ssh traces are most useful from the server side. See what you get for "/usr/sbin/sshd -dd -p 8022" and be sure to direct the client to that alternate port.

Bill Horne <bill at horne.net> writes:

> I don't see an nsswitch.conf file on the machine.

os-x isn't nss based. Apple does their own thing here, and it's been different from release to release. See if "dscl" is still there; it is/was the direct introspection tool for all things going through their nss-alike.

Also, double check that the unix basics really do what you expect with:

    perl -MData::Dumper -e 'print Dumper([getpwnam("billhorne")])'

for both local and ldap sourced users. You should get something that looks like the fields of a V7 passwd file.

> It's a Mac Mini, with a generic OS X Yosemite installation, and OS X
> Server 4.1 installed.
>
> There are a couple of "local" users, which are just administrative
> accounts. Everyone else is a "network" user, entered in Open Directory
> but not in the local machine. I'm hoping that Open Directory is "close
> enough" to OpenLDAP that I can transfer knowledge.

Last time I touched os-x server, the LDAP server was openldap.

Beware that the way you are trying to solve this problem isn't a way unix historically does well. The standard library calls (man getpwent) for users have no notion of where the user came from, because as far as that call is concerned, it's /etc/passwd, even when it isn't.

PAM can be argued into doing what you want. You are likely to bleed. At least, that's what happens for me with every thought like "I could get pam to ...". It's unlikely that apple supplies a PAM module that does what you want. If you're lucky, somebody wrote one. For linux. You get to port it. Bet you a nickel you run into a show stopping bug in a part of os-x you can't fix.

(For those who like to say os-x is "just" freebsd, it's "just" freebsd in the same way that the gnu hurd is "just" bsd net 2).

You might consider the "keep it simple stupid" approach of using ssh's AllowUser/AllowGroup settings. OS-X does not reward veering from the path, server more so.
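The "keep it simple" route the reply points at, spelled out as an sshd_config fragment. This is an added illustration, not part of the thread and not Apple's or OpenSSH's shipped configuration; the group names "admin" and "sftponly" and the chroot path /srv/sftp are assumed placeholders. It combines the AllowGroups gate with a Match block that pins the group to the in-process sftp server, which is how OpenSSH gives a user file transfer without ever running a login shell.

```sshd_config
# Added example (not from the thread). Group names "admin"/"sftponly" and the
# path /srv/sftp are assumed placeholders; adapt them to the directory's groups.

# Global section. Once AllowGroups is set, any account outside the listed
# groups is refused at authentication, local or directory-sourced alike.
AllowGroups admin sftponly

# Use the in-process sftp server. The external sftp-server binary is started
# through the user's login shell, which is exactly what we want to avoid.
Subsystem sftp internal-sftp

# Match blocks must be the last thing in the file: every directive after a
# Match line belongs to that block until the next Match.
Match Group sftponly
    # Lock the session to sftp; "ssh user@host somecommand" gets sftp instead.
    ForceCommand internal-sftp
    # The chroot root (and every path component above it) must be owned by
    # root and not group/world writable, or sshd refuses the login with
    # "bad ownership or modes for chroot directory". Give the user a
    # writable subdirectory inside it rather than making the root writable.
    ChrootDirectory /srv/sftp/%u
    # Side channels that only make sense for interactive shell sessions.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check it before restarting the daemon: `sshd -t -f <file>` validates the syntax, and `sshd -T -C user=billhorne` prints the configuration sshd would actually apply to that user, which makes it obvious whether the Match block fired. That second command does the same group lookup sshd does at login, so it is a fair companion to the getpwnam check in the reply: if a network user's groups do not resolve through the directory, the Match block silently does not apply and the user lands in the global section. When it still misbehaves, the reply's server-side trace (`/usr/sbin/sshd -dd -p 8022`, with the client pointed at port 8022) shows where the login stops.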