Secure AFP issues and workarounds?

[rmleonard]

Help – I think –

I have a server (don’t we all)

I need to lock down access to and from “the outside world” and yet still have some basic functions available.
The campus VPN is not the most stable thing for mac clients… (no I don’t know the brand) and Central IT would prefer that I not run my own VPN for my Mac Clients.

So –
I can block all access to this box through our border Firewall EXCEPT for port 22 (our friend SSH)

now – I can log in and do “my stuff” and I know how to route ports and such to get all of the other goodness I need –

BUT – (and you knew that was coming)

I now need to make some other services happy for my users/clients….

I have enabled secure connections on the server side for AFP –
so far so good..

I have locked the server down so that only people with rsa or dsa keys on file can get in (or so I think)
by doing the following in the /etc/sshd_config file

Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no

works great – for people with local accounts…. (not network users – which would be my clientele…)

I tried making an authorized_keys file in the .ssh directory for each connecting person:
/Users/uname/.ssh/authorized_keys

I have correct permissions on the file and directory for this all to work….

now – if I turn mobile accounts on (dsconfigad to enable mobile homes)
and log in at the console ( I get a local account – sort of)

I can now create the .ssh/authorized_keys file with the RSA or DSA key of the client (generated on the remote machine via ssh-keygen -t rsa)

once that is done –
where the person could not do a seccure connection with AFP now they can.

if I try a user who has not logged in voa console – nada

setting the sshd_config logging option to debug shows me all sorts of things..
it works if there is a local account

if they don’t have a local account it starts looking for authorized_keys in /.ssh
and I can’t seem to get a file in there that will pass muster on ownership and mode
>> I keep thinking there is a stickybit I can set that should help… can’t remember what it is though

using /etc/ssh_known_hosts doesn’t seem as secure as I’d like

I’d like a common authorized_key file that all users would have their keys stored in – outside their respective user spaces…

Thoughts?

[Author]

Posts