
Clunky title, but wanted to be clear that it's not the same as previous variations on this question. Here are the parameters:

  • HPC cluster where users auth via LDAP
  • They may use interactive logins to certain nodes
  • We want them to be able to sftp, or scp, or something secure, to/from the fileserver where their $home lives
  • ...but they should not have ssh access to that server.

Most solutions I've seen to the variations of this question involve changing the users' shell to something restrictive. They have no local accounts, so changing their baseline shell in LDAP is not an option, as they have normal shell logins to the interactive nodes.

At the same time, the target server we want them to transfer from does allow shell logins from specific sysadmin accounts, so I can't use the option to force sftp or suchlike at the system level.

What does that leave? Anything? Thanks!

1 Answer


If the users have some identifying marker (like a group membership) which indicates whether or not they should have interactive login, you could drop a file in /etc/profile.d which checks to see if the user is a member of the appropriate group. If they don’t pass the test, run the exit command.

You don’t have to use a group membership, that’s just an example. If you have a static list of acceptable users that could work too.

The idea being that the profile script only gets run as part of an interactive login, thus allowing file transfers without granting a shell.

bxm
  • 4,855
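A sketch of the profile.d check this answer describes, added here as an example (it is not bxm's code); the file path, the group name hpc-admins and the static user list are assumptions to be replaced with the site's own values.

```sh
# Assumed path: /etc/profile.d/99-no-interactive.sh (sourced by /etc/profile in login shells)
# Assumed names: group "hpc-admins" and the static user list below.
ALLOWED_GROUP="hpc-admins"
ALLOWED_USERS="backupops"     # static exceptions, space-separated

# Return 0 if $2 appears in the space-separated list $1, else 1.
in_list() {
    for item in $1; do          # unquoted on purpose: split on whitespace
        [ "$item" = "$2" ] && return 0
    done
    return 1
}

# Decide whether an interactive session may continue.
# $1 = user name, $2 = that user's groups (output of `id -Gn`).
# Returns 0 to keep the shell, 1 to end it.
should_keep_session() {
    in_list "$ALLOWED_USERS" "$1" && return 0
    in_list "$2" "$ALLOWED_GROUP"
}

# Act only in interactive shells ($- contains "i"); sftp and scp sessions are
# non-interactive and never reach this point, so transfers keep working.
case "$-" in
    *i*)
        if ! should_keep_session "$(id -un)" "$(id -Gn)"; then
            printf 'Interactive logins are not permitted on this host.\n' >&2
            exit 1
        fi
        ;;
esac
```

Because only interactive login shells source /etc/profile, sftp, scp and commands passed on the ssh command line skip the check entirely, which is what keeps transfers working but also makes this a convenience guard rather than an enforced boundary. Where enforcement is needed, a `Match Group` block in sshd_config that sets `ForceCommand internal-sftp` for the non-admin group, leaving admin accounts unmatched, gives the same split at the daemon level.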