
SSH Users without Home Folders?

Is there a way to configure sshd to allow logins by administrators without Home folders on the server? Is there a way to specify a common directory sshd should always chdir into upon login, instead?


"Could not chdir to home directory /Users/AdminUser: No such file or directory"

Mac OS X (10.7.1)

Posted on Jul 8, 2012 12:39 PM

13 replies

Jul 8, 2012 2:13 PM in response to Larry Goldman

This has little or nothing to do with sshd, just your directory. Every user has to have a home directory, however, if you're using dummy admin accounts you can just set that user's directory to some directory on disk - it doesn't really matter where - /var/tmp would be valid, for example.

Note, though, that this would preclude certain options such as private key authentication for your admin account (which may be preferable to simple passwords), so I do wonder why you're concerned about this.

Jul 8, 2012 4:21 PM in response to Larry Goldman

OK, I'm confused - or at least you're barking up the wrong tree.


known_hosts is used for outgoing connections. If you're not connecting to other servers as admin from this machine then there's no issue regarding known_hosts. That doesn't preclude ssh'ing into the server in any way.


As for the web-only clients, they don't need to have a home directory at all - you can set their shell to none in Workgroup Manager to prevent them from ssh'ing into the server.

What web services are you running that use Open Directory accounts, anyway? Most web services can use their own internal user database.

Jul 8, 2012 7:39 PM in response to coocooforcocoapuffs

If an authorized SSH user without a home folder attempts to log-in, this message appears in Console:


7/8/12 7:23:35.905 PM sshd: in od_record_check_homedir(): failed: 7


From Apple's Open Source, and a man page, we find that this check is controlled by the "no_check_home" option to The OpenDirectory Account Management Module.


Where does one set such an option?

Jul 8, 2012 10:11 PM in response to coocooforcocoapuffs

"if a member of an admin group ssh's in, u get the error and are put into the root of the drive. seems a little half baked, that"

Half-baked, how?


Your user record points to a home directory that doesn't exist. The OS throws you a warning message informing you of that fact, then logs you in to the root directory. How is that half-baked? What should it do? Not warn you at all? That seems more half-baked to me. Indeed, a missing home directory could be indicative of many possible underlying problems, and at the very least informs the user they may be operating under an expected configuration.

Jul 8, 2012 10:15 PM in response to Larry Goldman

"Where does one set such an option?"

In /etc/pam.d/<service_name> (where <service_name> is the name of the service that you want to apply the option to).


For example, if you're working with sshd, the file /etc/pam.d/sshd contains (amongst other things) this line that tells it to look up accounts in Open Directory:

auth required pam_opendirectory.so try_first_pass

If you want this lookup to ignore the home directory then add 'no_check_home' to the options:

auth required pam_opendirectory.so try_first_pass no_check_home

However, there's no way to do this on a per-user basis - it'll either check all users' home directories or no users'.


I still cannot recommend doing this, though. I'm still at a complete loss to see what problem it is you're trying to solve here. The home directory issue doesn't prevent your admins from logging in.
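
Because the option in the reply above applies to every user of the service, it is worth being able to see at a glance which pam_opendirectory.so rules in a service file carry it. The following is an added example, not part of the original post or of Apple's code: a small parser for the pam.d rule format that reports, per rule, whether no_check_home is set. The sample file content is constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the lines quoted in the thread; not a real file.
SAMPLE_PAM_SSHD = """\
# sshd: auth account password session
auth       required       pam_opendirectory.so try_first_pass no_check_home
account    required       pam_nologin.so
account    required       pam_opendirectory.so
session    required       pam_launchd.so
"""

# facility, control (a word or a [bracketed] expression), module, options
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Yield (facility, control, module, options) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")           # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        match = RULE_RE.match(line) if line else None
        if match:
            facility, control, module, opts = match.groups()
            yield facility.lstrip("-").lower(), control, module, opts.split()


def no_check_home_report(text, module="pam_opendirectory.so"):
    """Return [(facility, has_no_check_home)] for every rule that uses `module`."""
    return [
        (facility, "no_check_home" in opts)
        for facility, _control, mod, opts in parse_pam(text)
        if mod.rsplit("/", 1)[-1] == module    # tolerate a full module path
    ]


def service_sets_no_check_home(text):
    """True if any pam_opendirectory.so rule in the file carries no_check_home."""
    return any(flag for _facility, flag in no_check_home_report(text))


if __name__ == "__main__":
    for facility, flag in no_check_home_report(SAMPLE_PAM_SSHD):
        state = "no_check_home SET (applies to all users)" if flag else "default"
        print(f"{facility:8} pam_opendirectory.so: {state}")
```

To check a live system, pass the contents of /etc/pam.d/sshd (read with sufficient privileges) to `no_check_home_report` instead of the sample.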

Jul 9, 2012 1:15 AM in response to Camelot

For no good reason I can determine, sshd requires a user to have a complete Home directory. Server.app does not require a Home Directory, nor does Server Admin, Workgroup Admin, or Screen Sharing. Why should sshd?


sshd should allow for the specification of a working directory anywhere in the file system for ssh users to log into.


Since that feature is not present, the current sshd set-up could be considered "half-baked."

Jul 9, 2012 3:24 PM in response to Larry Goldman

But I'm still confused.


As per the earlier post:


"if a member of an admin group ssh's in, u get the error and are put into the root of the drive"

What am I missing here? This clearly states that sshd does not REQUIRE a home directory. It reports an error if none is set and logs you into the root directory. What else is it supposed to do? Should it pick some random location to drop you into? I can see that being so much better.

Jul 9, 2012 4:00 PM in response to Camelot

Don't want the error message. Don't want sshd to pick a working directory at random.


Want to be able to specify whether or not to require all ssh users to have home directories, and also to specify a fallback working directory to switch to when non-home directory users log in, no error message required. These kinds of things are often found in .conf or .plist files.

Jul 16, 2012 10:13 AM in response to Larry Goldman

To chime in on this: Though Apple might have changed this due to security reasons (disabling password-only authentication), the fact that there's no error besides an obscure "sshd: in od_record_check_homedir(): failed: 7" in system.log makes it look like a regression compared to Snow Leopard server.


I have only two users with SSH privileges, so I manually created empty home directories in /Users/Profiles. Nonetheless, there should be an option to have password-only SSH logins without a home directory.
