On 2015-11-26 14:16, Darren Tucker wrote:
On Thu, Nov 26, 2015 at 4:49 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
On 2015-11-26 13:33, Darren Tucker wrote:
[...]
What is the script going to do?
You didn't answer this.
Register the login to the group's login database.
How would you do it using bsdauth?
(PAM seems very redundant to install on OBSD.)
You are using OpenBSD or something else?
OpenBSD.
[...]
This sounds a bit like what authpf[1] does. I imagine you could
write
firewall rules to block outgoing tcp connections from sshd until
after
authpf runs, if that is an option for you.
(That sounds like a very indirect approach, in particular as it would
cover
only some connections?)
Assuming you write the PF rules to do so you should be able to match
local processes (using "user" rules and the $user_id authpf macro) as
well as connections from the IP address they're logging in as (using
"from" rules and $user_ip macro).
Wait, to PF, isn't the user for all SSH connections "root" (independent
of what user you log in as)?
Also, how would PF know when an SSH connection became authenticated as
to trig some rule to run a script, then.
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf%2econf&arch=i386
But all of this is speculative because you still have not described
what the objective of this exercise is.
The object is to get a complete set of registrations of all logins on
all servers, at auth time, sent by the registration script to the
central database.
(If the auth time requirement was not there, adding the script as a
"pipe" line in syslog.conf could have worked, but I think because it's
quite indirect it's unpreferable, also not sure if you can get the
client IP there.)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
