[OpenAFS] Re: SFTP <-> AFS

Christopher D. Clausen cclausen@acm.org
Sun, 15 Oct 2006 14:39:36 -0500


Adam Megacz <megacz@cs.berkeley.edu> wrote:
> "Christopher D. Clausen" <cclausen@acm.org> writes:
>>> Essentially, I'm looking for something that does for SFTP what
>>> mod_waklog does for HTTP.
>
>> Just set up Kerberized SSH and then set user shells to something that
>> only allows SFTP.  I assume that actually running a shell as the user
>> wouldn't be a problem?
>
> I don't have (or want) home directories, shells, or even local uids
> for all those nearly-anonymous cross-realm users.  Really, what I want
> is far simpler (and safer, I believe) than what kerberized ssh does.
>
> Think of mod_waklog: it setuid()s to "nobody" and grabs tickets rather
> than setuid()ing to some PTS-mapped-uid and assuming that will work.
> Your PAM installation can be totally broken and mod_waklog will still
> work just fine.

I'm not sure if this would work or not, but in theory you could set up a
single user with a single .k5login file that contained every principal
that you wanted to be able to use this service, or otherwise modify the
proper code in ssh or krb5 to allow for similar behaviour with any valid
principal.

Do you really need SFTP?  This sounds like something best handled
through WebDAV (possibly using mod_waklog as you mentioned).

<<CDC
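As an added illustration of the single-account suggestion above (not code from the original thread): the sshd_config fragment that confines one shared account to SFTP over Kerberized SSH, a .k5login listing cross-realm principals for that account, and a syntax check on that file, since a stray line there silently widens who may log in. The account name afs-sftp, the staging paths and all principals are constructed placeholders; obtaining an AFS token for the session (the PAM step discussed in the thread) is not covered here.

```shell
#!/bin/sh
# Added example, not from the original thread: stage the files for a
# ".k5login on a single SFTP-only account" setup. Account name, paths
# and principals are constructed placeholders.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

# sshd_config fragment: GSSAPI (Kerberos) authentication, and the shared
# account is confined to the in-process SFTP server with no shell, TTY
# or forwarding.
write_sshd_fragment() {
    cat > "$STAGE/sshd_config.d_afs-sftp.conf" <<'EOF'
GSSAPIAuthentication yes
Match User afs-sftp
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# .k5login for the shared account: one principal per line; cross-realm
# principals simply carry their own realm.
write_k5login() {
    cat > "$STAGE/k5login" <<'EOF'
alice@EXAMPLE.ORG
bob@CS.EXAMPLE.EDU
carol/sftp@PARTNER.EXAMPLE.NET
EOF
}

# Sanity check before installing: every line must look like
# primary[/instance]@REALM, with no blank lines and no duplicates.
check_k5login() {
    file="$1"
    grep -Eqv '^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*@[A-Za-z0-9.-]+$' "$file" && return 1
    [ "$(sort "$file" | uniq -d | wc -l)" -eq 0 ]
}

write_sshd_fragment
write_k5login
check_k5login "$STAGE/k5login" && echo "k5login ok, staged in $STAGE"
```

Install the fragment under the sshd configuration and the k5login file as ~afs-sftp/.k5login, then reload sshd.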