[OpenAFS] Re: SFTP <-> AFS
Adam Megacz
megacz@cs.berkeley.edu
Sat, 14 Oct 2006 04:13:17 -0700
"Christopher D. Clausen" <cclausen@acm.org> writes:
>> Essentially, I'm looking for something that does for SFTP what
>> mod_waklog does for HTTP.

> Just set up Kerberized SSH and then set user shells to something that
> only allows SFTP. I assume that actually running a shell as the user
> wouldn't be a problem?

I don't have (or want) home directories, shells, or even local uids
for all those nearly-anonymous cross-realm users. Really, what I want
is far simpler (and safer, I believe) than what kerberized ssh does.
Think of mod_waklog: it setuid()s to "nobody" and grabs tickets rather
than setuid()ing to some PTS-mapped-uid and assuming that will work.
Your PAM installation can be totally broken and mod_waklog will still
work just fine.

- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380