On 2015-11-26 13:33, Darren Tucker wrote:
On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
The goal is to get a script invoked *at login time*,
This part I follow, but having a script run is just a means to an end
not the end itself. What is the script going to do?
so that the authentication only is known to the client after that the
script invocation
has completed.
I don't quite follow the part about the "authentication being known to
the client". You want your command to complete before allowing any
port forwards?
Yes.
Does the result of the script matter?
No.
Does that make sense as a usecase? :)
Can it be done?
I understand that it can can be done via PAM, but then PAM is not in
all
environments and everyone don't like PAM.
PAM or bsdauth are the two obvious ways to do this.
How would you do it using bsdauth?
(PAM seems very redundant to install on OBSD.)
If you are always
using public-key authentication, you could possibly abuse
AuthorizedKeysCommand in sshd_config.
As in key files. Could be partially interesting to know how a
passthrough script would look for it, but, if an all-encompassing way
could be worked out it would be better i.e. that supports password
logins too.
This sounds a bit like what authpf[1] does. I imagine you could write
firewall rules to block outgoing tcp connections from sshd until after
authpf runs, if that is an option for you.
(That sounds like a very indirect approach, in particular as it would
cover only some connections?)
[1] http://www.openbsd.org/faq/pf/authpf.html
Thanks!
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
