BLU Discuss list archive
[Discuss] Using sftp without a shell account
- Subject: [Discuss] Using sftp without a shell account
- From: bill at horne.net (Bill Horne)
- Date: Fri, 02 Jan 2015 14:34:51 -0500
- In-reply-to: <c2ir3vh84qq.fsf@perdition.linnaean.org>
- References: <54A0B535.10507@horne.net> <20141229201653.GS11641@dragontoe.org> <54A2BDEB.9010907@horne.net> <c2ir3vh84qq.fsf@perdition.linnaean.org>
On 12/30/2014 11:46 AM, Daniel Hagerty wrote:
> Bill Horne <bill at horne.net> writes:
>> I don't see an nsswitch.conf file on the machine.
> os-x isn't nss based. Apple does their own thing here, and it's
> been different from release to release. See if "dscl" is still there;
> it is/was the direct introspection tool for all things going through
> their nss-alike.

"Dscl" is present, but I followed your next suggestion first ...

> Also, double check that the unix basics really do what
> you expect with:
>
> perl -MData::Dumper -e 'print Dumper([getpwnam("billhorne")])'
>
> for both local and ldap sourced users. You should get something that
> looks like the fields of a V7 passwd file.

Here's the printout:

perl -MData::Dumper -e 'print Dumper([getpwnam("billhorne")])'
$VAR1 = [
          'billhorne',
          '********',
          1025,
          20,
          0,
          '',
          'William Horne',
          '/dev/null',
          '/usr/bin/false',
          0
        ];

.... and the "billhorne" ID does NOT have access to sftp or ssh at this point.

Here's the result after I entered a "test" user, by hand, using the Server program. I created the ID, and manually gave it (the user id) ftp and "file transfer" privileges.

perl -MData::Dumper -e 'print Dumper([getpwnam("williamwarren")])'
$VAR1 = [];

noaasrs2:~ administrator$ perl -MData::Dumper -e 'print Dumper([getpwnam("adamant")])'
$VAR1 = [
          'adamant',
          '********',
          1030,
          20,
          0,
          '',
          'Adam Ant',
          '/Users/adamant',
          '/bin/bash',
          0
        ];

... and the "adamant" ID *IS* able to access sftp, ssh, and ftp.

So, I modified the "billhorne" id, by changing the "Home folder" from "None - Services Only" to "Local only", and also by deleting all the groups it was a member of, and authorizing the id for "File Sharing", "SSH", and "FTP" as a single user.

$VAR1 = [
          'billhorne',
          '********',
          1025,
          20,
          0,
          '',
          'William Horne',
          '/Users/billhorne',
          '/bin/bash',
          0
        ];

And, now "billhorne" can use ssh and sftp.

Which brings up a lot of questions, which I'd appreciate your help answering:

1. Does every Open Directory user have to have a "home" directory on the master server "/Users" branch, or can it be placed elsewhere or left on the user's workstation?

2. How would you chroot network users with local "home" directories so that they're blocked from using them, and limited to the same branch as ftp users?

3. I know that I'm not supposed to be able to change the passwords of imported users, but I seem to be unable to change the password of *ANY* user! I "cntl-click" on the uid, but I never get anything except the choices to modify the user or change what services it has access to (and an option to change mail, but this isn't a mail server). What is the procedure to change the password of each type of network user?

Bill
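An added example, not part of Bill's message or of the replies in this thread: the stock OpenSSH sshd_config arrangement for confining file-transfer-only accounts, which is the general mechanism behind question 2. The group name sftponly and the jail path /Users/sftp-jail are placeholders chosen for the example.

```sshd_config
# Added example sshd_config fragment (placeholder group and path names).
# The in-process SFTP server needs no shell or support binaries inside the
# jail, which is what makes a chroot practical for "services only" accounts.
Subsystem sftp internal-sftp

Match Group sftponly
    # Every path component of the chroot, including the per-user directory,
    # must be owned by root and not writable by group or others; otherwise
    # sshd rejects the login with "bad ownership or modes for chroot directory".
    # Give the user a writable subdirectory (e.g. upload/) inside the jail.
    ChrootDirectory /Users/sftp-jail/%u
    # sshd runs the SFTP server itself and never execs the account's login
    # shell, so members of this group get file transfer only.
    ForceCommand internal-sftp
    # Close the side channels that would otherwise still be reachable.
    AllowTcpForwarding no
    X11Forwarding no
```

Only members of sftponly are affected; accounts outside the group keep whatever shell and home directory the directory service reports via getpwnam.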