Clunky title, but wanted to be clear that it's not the same as previous variations on this question. Here are the parameters:

  • HPC cluster where users auth via LDAP
  • They may use interactive logins to certain nodes
  • We want them to be able to sftp, or scp, or something secure, to/from the fileserver where their $home lives
  • ...but they should not have ssh access to that server.

Most solutions I've seen to the variations of this question involve changing the users' shell to something restrictive. They have no local accounts, so changing their baseline shell in LDAP is not an option, as they have normal shell logins to the interactive nodes.

At the same time, the target server we want them to transfer from does allow shell logins from specific sysadmin accounts, so I can't use the option to force sftp or suchlike at the system level.

What does that leave? Anything? Thanks!

  • See [Is it possible to grant users sftp access without shell access?](https://unix.stackexchange.com/q/503312/119732) or [Provide sftp read/write access to folder and subfolders, restrict all else](https://unix.stackexchange.com/q/155291/119732). – Martin Prikryl Nov 07 '19 at 07:02
  • @Martin: ok, Match looks promising in theory - but we have close to 100 LDAP users. Managing them in the sshd_config file by hand is a no-go. Match group is probably the cleanest answer. ...why did you post this as a comment? I don't think I can pick it as the correct answer. – Rob Munsch Nov 07 '19 at 22:14
  • The answer to the second question shows how to do this via group. – I have posted it as a comment, because your question is duplicate, so it should not be answered, but closed as duplicate of those questions. – Martin Prikryl Nov 08 '19 at 06:30
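The Match Group approach the comments point to, as an added shell example that is not part of the question or of the linked answers: it appends one Match block for a single LDAP group to sshd_config (idempotently, so re-running is safe) so that members of that group get internal-sftp and nothing else, while every account outside the group, the sysadmins on this fileserver, keeps a normal shell. The group name hpcusers, the config path and the --install flag are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the question or its comments): confine one LDAP
# group to SFTP on the fileserver via an sshd_config Match block.
#
# Assumptions not stated on the page: the LDAP group is "hpcusers" and the
# config lives at /etc/ssh/sshd_config; both can be overridden by environment.

SFTP_GROUP="${SFTP_GROUP:-hpcusers}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# render_match_block GROUP: print the sshd_config fragment for GROUP.
# Everything after a "Match" line up to the next "Match" is conditional, so
# the block must go at the END of the file, after all global directives.
render_match_block() {
    cat <<EOF
# sftp-only access for group $1 (managed by install_match_block)
Match Group $1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# has_match_block FILE GROUP: succeed when FILE already has a Match Group line for GROUP.
has_match_block() {
    grep -Eq "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+$2([[:space:]]|$)" "$1"
}

# count_match_blocks FILE GROUP: how many Match Group lines for GROUP exist in FILE.
count_match_blocks() {
    grep -Ec "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+$2([[:space:]]|$)" "$1"
}

# install_match_block FILE GROUP: append the block once; a second run is a no-op,
# because a duplicated Match block is a common way to end up with config drift.
install_match_block() {
    file=$1
    group=$2
    if has_match_block "$file" "$group"; then
        return 0
    fi
    printf '\n' >> "$file"
    render_match_block "$group" >> "$file"
}

# The real file is only touched when the script is invoked with --install.
if [ "${1-}" = "--install" ]; then
    install_match_block "$SSHD_CONFIG" "$SFTP_GROUP"
    # Validate BEFORE reloading: a syntax error in sshd_config locks everyone out.
    # The service is "sshd" on RHEL-like systems and "ssh" on Debian/Ubuntu.
    sshd -t -f "$SSHD_CONFIG" && systemctl reload sshd
    # Verify the effective settings for one LDAP user and for a sysadmin, e.g.:
    #   sshd -T -C user=alice,host=fileserver,addr=10.0.0.5 | grep -i forcecommand
    # Only the LDAP user's output should show "forcecommand internal-sftp".
fi
```

Two things to check after installing it: `sshd -T -C user=...` is the authoritative way to see what a given account actually gets, and scp clients older than OpenSSH 9.0 spawn a remote shell rather than speaking SFTP, so they will be rejected by ForceCommand internal-sftp while sftp and newer scp work.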

1 Answer

If the users have some identifying marker (like a group membership) which indicates whether or not they should have interactive login, you could drop a file in /etc/profile.d which checks to see if the user is a member of the appropriate group. If they don’t pass the test, run the exit command.

You don’t have to use a group membership, that’s just an example. If you have a static list of acceptable users that could work too.

The idea is that the profile script only gets run as part of an interactive login, thus allowing file transfers without granting a shell.

bxm
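The profile.d guard described in the answer, as an added shell example that is not the answerer's own code: it is meant to be dropped into /etc/profile.d on the fileserver and exits the login shell of anyone who is not in an allow-list group. The group name fileserver-shell and the uid-0 exemption are assumptions for illustration; group membership is read through `id -nG`, which goes through NSS and therefore sees LDAP groups without any local accounts.

```shell
#!/bin/sh
# Added example, not from the original answer. Intended location (assumed):
# /etc/profile.d/zz-interactive-guard.sh on the fileserver.
#
# Assumption not stated on the page: the group allowed an interactive shell
# on this host is "fileserver-shell"; override with INTERACTIVE_GROUP.

INTERACTIVE_GROUP="${INTERACTIVE_GROUP:-fileserver-shell}"

# in_group GROUPS NAME: succeed when NAME is one of the space-separated GROUPS.
# The group list is passed in as a string so the check can be tested without LDAP.
in_group() {
    groups_list=$1
    wanted=$2
    for g in $groups_list; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# user_groups: every group of the current user as NSS resolves it (local or LDAP).
user_groups() {
    id -nG 2>/dev/null
}

# shell_allowed: 0 if this login may keep its shell, 1 if it must be cut off.
# uid 0 is always allowed so a misconfigured group can never lock root out.
shell_allowed() {
    [ "$(id -u)" -eq 0 ] && return 0
    in_group "$(user_groups)" "$INTERACTIVE_GROUP"
}

# Act only on interactive shells ($- contains "i"). When this file is sourced
# non-interactively (cron jobs, some display managers) it must never call exit.
case $- in
    *i*)
        if ! shell_allowed; then
            printf 'Interactive login to this host is not permitted; use sftp or scp.\n' >&2
            exit 1
        fi
        ;;
esac
```

Because the file is sourced (not executed) by /etc/profile, the `exit` terminates the login shell itself rather than a child process. Note the boundary this gives you: /etc/profile.d is only read by login shells, so `ssh fileserver some-command` never sources it and the command still runs; the sshd Match Group route from the question's comments is the one enforced by the server regardless of what the client asks for.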