Re: How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
> The goal is to get a script invoked *at login time*,

This part I follow, but having a script run is just a means to an end
not the end itself.  What is the script going to do?

> so that the authentication only is known to the client after that the script invocation
> has completed.

I don't quite follow the part about the "authentication being known to
the client".  You want your command to complete before allowing any
port forwards?  Does the result of the script matter?

> Does that make sense as a usecase? :)
>
> Can it be done?
>
> I understand that it can can be done via PAM, but then PAM is not in all
> environments and everyone don't like PAM.

PAM or bsdauth are the two obvious ways to do this.  If you are always
using public-key authentication, you could possibly abuse
AuthorizedKeysCommand in sshd_config.

This sounds a bit like what authpf[1] does.  I imagine you could write
firewall rules to block outgoing tcp connections from sshd until after
authpf runs, if that is an option for you.

[1] http://www.openbsd.org/faq/pf/authpf.html

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux