JetStream integrates with PAM on Linux and macOS and the system’s built-in authentication on Windows. This allows any user with login permissions, including Active Directory or LDAP users, to store files to or retrieve files from the JetStream server. From an administration point of view, this allows the use of existing tools for user management and integration with existing infrastructure.
JetStream server does not require users to have a valid login shell, so the shell can be set to, for example, /bin/false to prevent users from logging onto the system by other means.
On Linux, a new PAM configuration file is created: /etc/pam.d/jetstream. This file can be further customized with PAM plugins to restrict user access to JetStream. See the PAM configuration man page for help with customizing PAM.
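The two controls described above, a non-login shell and a restricting rule in /etc/pam.d/jetstream, can be audited together. The following is an added example, not JetStream code and not the file its installer creates: the passwd lines, the PAM stack and the group name jetstream-users are constructed, and the set of modules treated as access restrictions is an assumption.

```python
# Added example: audit sketch, not JetStream code. All sample data is constructed.
import os

NON_INTERACTIVE = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Assumption: modules commonly used to limit who may use a PAM service.
RESTRICTING = {"pam_access.so", "pam_succeed_if.so", "pam_listfile.so"}
PAM_TYPES = {"auth", "account", "password", "session"}

def parse_pam(text):
    """Return (type, control, module, args) for each rule in a PAM service file."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") not in PAM_TYPES:
            continue  # blank line, comment, or @include directive
        rest = fields[1:]
        if rest[0].startswith("["):  # bracketed control contains spaces
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), None)
            if end is None:
                continue  # malformed control field
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if rest:
            rules.append((fields[0].lstrip("-"), control,
                          os.path.basename(rest[0]), rest[1:]))
    return rules

def restricting_rules(pam_text):
    """Rules in the auth/account stacks that narrow which users are accepted."""
    return [r for r in parse_pam(pam_text)
            if r[0] in ("auth", "account") and r[2] in RESTRICTING]

def interactive_accounts(passwd_text):
    """Names of passwd entries whose shell still allows an interactive login."""
    return [p[0] for p in (l.strip().split(":") for l in passwd_text.splitlines())
            if len(p) == 7 and p[6] not in NON_INTERACTIVE]

PASSWD = """alice:x:1001:1001::/home/alice:/bin/false
bob:x:1002:1002::/home/bob:/bin/bash
svc-ingest:x:1003:1003::/home/svc-ingest:/usr/sbin/nologin"""

PAM_STACK = """# constructed stand-in for /etc/pam.d/jetstream
auth     required                   pam_unix.so
account  required                   pam_succeed_if.so user ingroup jetstream-users quiet
account  [success=1 default=ignore] pam_localuser.so
account  required                   pam_unix.so"""

if __name__ == "__main__":
    print("interactive shells:", interactive_accounts(PASSWD))
    print("restricting rules:", restricting_rules(PAM_STACK))
```

An empty result from restricting_rules means every account the underlying stack accepts can authenticate to the service; an account listed by interactive_accounts can also log on by other means.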
If your Linux system is integrated with Active Directory, you may need to enable JetStream authentication in sssd. See Active Directory Integration.
JetStream Server will only integrate with the system’s authentication service when it is running as root or via sudo (Linux, macOS), or as a system service (Windows). This is the default configuration when JetStream is installed.
If JetStream Server is running as an unprivileged user, only that user will be able to authenticate when connecting via the API or JetStream Client.
Temporary credentials can be created by using API Tokens. This allows the creation of login tokens that are time limited, and restricted to only a single directory.