Re: How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

On 2015-11-26 13:33, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
>> The goal is to get a script invoked *at login time*,
>
> This part I follow, but having a script run is just a means to an end,
> not the end itself.  What is the script going to do?
>
>> so that the authentication is only known to the client after the script
>> invocation has completed.
>
> I don't quite follow the part about the "authentication being known to
> the client".  You want your command to complete before allowing any
> port forwards?

Yes.

> Does the result of the script matter?

No.

>> Does that make sense as a usecase? :)
>>
>> Can it be done?
>>
>> I understand that it can be done via PAM, but then PAM is not in all
>> environments and not everyone likes PAM.
>
> PAM or bsdauth are the two obvious ways to do this.

How would you do it using bsdauth?

(PAM seems very redundant to install on OBSD.)

> If you are always
> using public-key authentication, you could possibly abuse
> AuthorizedKeysCommand in sshd_config.

As in key files. It could be partially interesting to know how a passthrough script would look for it, but if an all-encompassing way could be worked out it would be better, i.e. one that supports password logins too.

> This sounds a bit like what authpf[1] does.  I imagine you could write
> firewall rules to block outgoing tcp connections from sshd until after
> authpf runs, if that is an option for you.

(That sounds like a very indirect approach, in particular as it would cover only some connections?)

> [1] http://www.openbsd.org/faq/pf/authpf.html

Thanks!

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
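A sketch of the AuthorizedKeysCommand passthrough asked about in the thread, added here as an example; it is not code from the thread or from OpenSSH. It assumes a per-user key store under /etc/ssh/authorized_keys.d, an AuthorizedKeysCommandUser named _sshkeys, and a hook that only writes a log line. One caveat the thread hints at with "abuse": sshd runs the command while evaluating each offered key, before authentication has succeeded, so the hook fires per offered key rather than once per login, and only for public-key logins.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH. Assumed sshd_config lines:
#   AuthorizedKeysCommand /usr/local/sbin/ssh-keys-hook %u
#   AuthorizedKeysCommandUser _sshkeys
# sshd runs this for every offered key, before authentication succeeds, so
# the hook must not treat the user as logged in; it does run before any
# session or forwarding channel can be opened, and only for key logins.

# Only allow plain account names: the value comes from sshd, but checking it
# keeps the file lookup inside KEYDIR.
valid_user() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# The "script invoked at login time" slot. Here it only records the attempt.
login_hook() {
    printf '%s user=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$HOOKLOG"
}

# Print the user's keys with comments and blank lines dropped. Empty output
# (unknown user, bad name, missing file) makes sshd reject the key.
emit_keys() {
    valid_user "$1" || return 1
    [ -f "$KEYDIR/$1" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$KEYDIR/$1"
}

# Entry point sshd would call: hook first, then the key pass-through.
authorized_keys_command() {
    login_hook "$1"
    emit_keys "$1"
}

# Constructed sample store for a stand-alone run; a deployment would use
# KEYDIR=/etc/ssh/authorized_keys.d (root-owned, readable by _sshkeys).
DEMO=$(mktemp -d)
KEYDIR="$DEMO/keys"
HOOKLOG="$DEMO/hook.log"
mkdir "$KEYDIR"
cat > "$KEYDIR/alice" <<'EOF'
# alice's laptop (constructed placeholder, not a real key)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkey1 alice@laptop

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkey2 alice@desk
EOF
authorized_keys_command alice                 # prints the two key lines
authorized_keys_command '../etc/passwd' || :  # rejected: prints nothing
```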