[OpenAFS] Re: SFTP <-> AFS

Adam Megacz megacz@cs.berkeley.edu
Sat, 14 Oct 2006 04:13:17 -0700

"Christopher D. Clausen" <cclausen@acm.org> writes:
>> Essentially, I'm looking for something that does for SFTP what
>> mod_waklog does for HTTP.

> Just setup Kerberized SSH and then set user shells to something that 
> only allows SFTP.  I assume that actually running a shell as the user 
> wouldn't be a problem?

I don't have (or want) home directories, shells, or even local uids
for all those nearly-anonymous cross-realm users.  Really, what I want
is far simpler (and safer, I believe) than what kerberized ssh does.

Think of mod_waklog: it setuid()s to "nobody" and grabs tickets rather
than setuid()ing to some PTS-mapped-uid and assuming that will work.
Your PAM installation can be totally broken and mod_waklog will still
work just fine.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380