Re: How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

On 2015-11-26 14:16, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:49 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
>> On 2015-11-26 13:33, Darren Tucker wrote:
>> [...]
>>> What is the script going to do?
>
> You didn't answer this.

Register the login to the group's login database.

How would you do it using bsdauth?

(PAM seems very redundant to install on OBSD.)

> You are using OpenBSD or something else?

OpenBSD.

> [...]
>>> This sounds a bit like what authpf[1] does. I imagine you could write
>>> firewall rules to block outgoing tcp connections from sshd until after
>>> authpf runs, if that is an option for you.
>>
>> (That sounds like a very indirect approach, in particular as it would cover
>> only some connections?)
>
> Assuming you write the PF rules to do so you should be able to match
> local processes (using "user" rules and the $user_id authpf macro) as
> well as connections from the IP address they're logging in as (using
> "from" rules and $user_ip macro).

Wait, to PF, isn't the user for all SSH connections "root" (independent of what user you log in as)?

Also, how would PF know when an SSH connection became authenticated, so as to trigger some rule to run a script, then?

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf%2econf&arch=i386

> But all of this is speculative because you still have not described
> what the objective of this exercise is.

The object is to get a complete set of registrations of all logins on all servers, at auth time, sent by the registration script to the central database.

(If the auth time requirement was not there, adding the script as a "pipe" line in syslog.conf could have worked, but I think because it's quite indirect it's not preferable, and I'm also not sure if you can get the client IP there.)
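As an added example (not code from the thread or from OpenSSH), this script shows the syslog-pipe alternative mentioned above: it parses sshd's "Accepted ... for USER from IP port N ssh2" lines, which do carry the client address and port, and turns each successful login into a registration record. The log lines, host names, users and addresses are constructed for the example; the "central database" is stood in for by a list, and the `if __name__` section is what a syslog pipe would feed on stdin. Note that this registers logins from the log, i.e. after authentication, not at auth time as the thread asks for.

```python
import json
import re
import sys
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the shape sshd writes through syslog.
# Hosts, users, PIDs and addresses are made up for this example.
SAMPLE_LOG_LINES = [
    "Nov 26 14:20:01 host1 sshd[12345]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT",
    "Nov 26 14:20:05 host1 sshd[12346]: Failed password for invalid user bob from 198.51.100.7 port 40000 ssh2",
    "Nov 26 14:21:00 host1 sshd[12347]: Accepted password for carol from 2001:db8::5 port 2222 ssh2",
    "Nov 26 14:21:30 host1 cron[100]: (root) CMD (/usr/libexec/example)",
]

# Matches only successful logins; failures and unrelated daemons are ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse_accepted(line: str) -> Optional[Dict[str, object]]:
    """Return a registration record for an sshd 'Accepted' line, else None."""
    m = ACCEPTED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["pid"] = int(m.group("pid"))
    rec["port"] = int(m.group("port"))
    return rec


def registrations(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Extract every successful-login record from a stream of syslog lines."""
    out = []
    for line in lines:
        rec = parse_accepted(line)
        if rec is not None:
            out.append(rec)
    return out


class ListSink:
    """Stand-in for the central login database: stores one JSON line per login."""

    def __init__(self) -> None:
        self.rows: List[str] = []

    def register(self, rec: Dict[str, object]) -> str:
        row = json.dumps(rec, sort_keys=True)
        self.rows.append(row)
        return row


def register_all(lines: Iterable[str], sink: ListSink) -> int:
    """Parse and register every successful login; return the number registered."""
    return sum(1 for rec in registrations(lines) if sink.register(rec))


if __name__ == "__main__":
    # When run as a syslog pipe target, read lines from stdin and emit JSON.
    sink = ListSink()
    for incoming in sys.stdin:
        rec = parse_accepted(incoming)
        if rec is not None:
            print(sink.register(rec))
```

The regex deliberately requires the `sshd[PID]:` tag and the trailing `ssh2`, so lines from other daemons and "Failed"/"invalid user" lines never produce a record; the client's source IP and port are taken straight from the line, which answers the question of whether the client IP is available at the syslog stage.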



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev