[Discuss] Using sftp without a shell account
Bill Horne
bill at horne.net
Fri Jan 2 14:34:51 EST 2015
On 12/30/2014 11:46 AM, Daniel Hagerty wrote:
> Bill Horne<bill at horne.net> writes:
>> I don't see an nsswitch.conf file on the machine.
> os-x isn't nss based. Apple does their own thing here, and it's
> been different from release to release. See if "dscl" is still there;
> it is/was the direct introspection tool for all things going through
> their nss-alike.
"Dscl" is present, but I followed your next suggestion first ...
> Also, double check that the unix basics really do what
> you expect with:
>
> perl -MData::Dumper -e 'print Dumper([getpwnam("billhorne")])'
>
> for both local and ldap sourced users. You should get something that
> looks like the fields of a V7 passwd file.
Here's the printout:
perl -MData::Dumper -e 'print Dumper([getpwnam("billhorne")])'
$VAR1 = [
'billhorne',
'********',
1025,
20,
0,
'',
'William Horne',
'/dev/null',
'/usr/bin/false',
0
];
... and the "billhorne" ID does NOT have access to sftp or ssh at this
point.
Here's the result after I entered a "test" user, by hand, using the
Server program. I created the ID, and manually gave it (the user id) ftp
and "file transfer" privileges.
perl -MData::Dumper -e 'print Dumper([getpwnam("williamwarren")])'
$VAR1 = [];
noaasrs2:~ administrator$ perl -MData::Dumper -e 'print Dumper([getpwnam("adamant")])'
$VAR1 = [
'adamant',
'********',
1030,
20,
0,
'',
'Adam Ant',
'/Users/adamant',
'/bin/bash',
0
];
... and the "adamant" ID *IS* able to access sftp, ssh, and ftp.
So, I modified the "billhorne" id, by changing the "Home folder" from
"None - Services Only" to "Local only", and also by deleting all the
groups it was a member of, and authorizing the id for "File Sharing",
"SSH", and "FTP" as a single user.
$VAR1 = [
'billhorne',
'********',
1025,
20,
0,
'',
'William Horne',
'/Users/billhorne',
'/bin/bash',
0
];
And, now "billhorne" can use ssh and sftp.
Which brings up a lot of questions, which I'd appreciate your help
answering:
1. Does every Open Directory user have to have a "home" directory on the
master server "/Users" branch, or can it be placed elsewhere or left on
the user's workstation?
2. How would you chroot network users with local "home" directories so
that they're blocked from using them, and limited to the same branch as
ftp users?
3. I know that I'm not supposed to be able to change the passwords of
imported users, but I seem to be unable to change the password of *ANY*
user! I "ctrl-click" on the uid, but I never get anything except the
choices to modify the user or change what services it has access to (and
an option to change mail, but this isn't a mail server). What is the
procedure to change the password of each type of network user?
Bill
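The following is an added example, not part of Bill's message or of Daniel's reply, and written in Python rather than the thread's Perl one-liner. It rebuilds the three getpwnam() records from the posted output (values constructed from the page), does the same lookup live through the libc resolver, and then models what OpenSSH will let each record do: an account whose shell is /usr/bin/false cannot run the external sftp-server (sshd launches it through the login shell), but it can use sftp when sshd_config forces internal-sftp, which is the usual way to give "sftp without a shell account". It also models sshd's ownership rule for ChrootDirectory, which is the constraint behind question 2. VALID_SHELLS stands in for /etc/shells, CHROOT_BASE and the group name "sftponly" are assumed, and the ftp column follows the common BSD ftpd rule that the shell must be listed in /etc/shells.

```python
"""Added example: classify passwd-style records as the thread's getpwnam()
check does, and work out what each account can do over OpenSSH and ftpd.
Records are constructed from the posted output; VALID_SHELLS and CHROOT_BASE
are assumptions, not values from the server in the thread."""
import pwd
import stat
from dataclasses import dataclass

# Shells that refuse to run anything. sshd accepts them as existing, executable
# shells, so the user authenticates, but the default
# "Subsystem sftp /usr/libexec/sftp-server" is started via `$SHELL -c ...`,
# which these shells never execute. That is why the first record failed.
NON_LOGIN_SHELLS = {"/usr/bin/false", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed stand-in for the server's /etc/shells (ftpd consults it; sshd does not).
VALID_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

# Assumed chroot root for sftp-only users (%u expands to the user name in sshd_config).
CHROOT_BASE = "/srv/sftp/%u"


@dataclass(frozen=True)
class PasswdRecord:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def from_system(name: str) -> PasswdRecord:
    """Live lookup through the libc resolver, the same path Perl's getpwnam() takes."""
    p = pwd.getpwnam(name)
    return PasswdRecord(p.pw_name, p.pw_uid, p.pw_gid, p.pw_gecos, p.pw_dir, p.pw_shell)


def assess(rec: PasswdRecord, valid_shells=VALID_SHELLS, force_internal_sftp=False) -> dict:
    """What sshd and ftpd will let this record do, given one sshd_config choice."""
    shell_executes = rec.shell not in NON_LOGIN_SHELLS
    return {
        # ForceCommand internal-sftp replaces any shell or command request
        "interactive_ssh": shell_executes and not force_internal_sftp,
        # external sftp-server is launched by the login shell, so it needs a real one
        "sftp_via_shell": shell_executes and not force_internal_sftp,
        # internal-sftp runs inside sshd; the shell is never invoked and a
        # /dev/null home only produces a "Could not chdir" warning
        "sftp_internal": force_internal_sftp,
        # BSD-style ftpd refuses logins whose shell is not in /etc/shells
        "ftp": rec.shell in valid_shells,
    }


def chroot_dir_acceptable(owner_uid: int, mode: int) -> bool:
    """sshd's ChrootDirectory rule: every component root-owned, not group/other-writable."""
    return owner_uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def sftp_only_match_block(group: str) -> str:
    """sshd_config fragment confining members of `group` to an sftp-only tree."""
    return "\n".join([
        f"Match Group {group}",
        f"    ChrootDirectory {CHROOT_BASE}",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
    ])


# Constructed from the three getpwnam() dumps in the thread.
BILLHORNE_BEFORE = PasswdRecord("billhorne", 1025, 20, "William Horne", "/dev/null", "/usr/bin/false")
ADAMANT = PasswdRecord("adamant", 1030, 20, "Adam Ant", "/Users/adamant", "/bin/bash")
BILLHORNE_AFTER = PasswdRecord("billhorne", 1025, 20, "William Horne", "/Users/billhorne", "/bin/bash")

if __name__ == "__main__":
    for rec in (BILLHORNE_BEFORE, ADAMANT, BILLHORNE_AFTER):
        print(rec.name, rec.shell, assess(rec), assess(rec, force_internal_sftp=True))
    print(sftp_only_match_block("sftponly"))
```

The point the table makes: the "services only" record (home /dev/null, shell /usr/bin/false) is already the right shape for an sftp-only account; what has to change is sshd_config, not the user's shell. Giving the user /bin/bash, as the thread ended up doing, solves the symptom by granting a full login, which is the opposite of what question 2 asks for.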