[OpenAFS] SFTP <-> AFS

Christopher D. Clausen cclausen@acm.org
Fri, 13 Oct 2006 19:23:16 -0500

Adam Megacz <megacz@cs.berkeley.edu> wrote:
> Is there any advice out there on setting up SFTP access to AFS with
> cross-realm authentication?
> The idea is that you would supply user@REALMCELL as your username and
> your Kerberos password as the password.  Remote users should not be
> able to start interactive shell sessions or remotely execute commands.
> Essentially, I'm looking for something that does for SFTP what
> mod_waklog does for HTTP.  Ideally that would mean not trying to do a
> setuid() to the user's PTS id, but rather just picking up and dropping
> tokens.

Just set up Kerberized SSH and then set user shells to something that
only allows SFTP.  I assume that actually running a shell as the user
wouldn't be a problem?

Christopher D. Clausen