On Thu, Nov 26, 2015 at 5:23 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
[...]
> Wait, to PF, isn't the user for all SSH connections "root" (independent of
> what user you log in as)?

Not since privilege separation became the default ten years or so ago:
forwarded TCP connections will come from the unprivileged child sshd
running as the logged-in user.

> Also, how would PF know when an SSH connection became authenticated as to
> trig some rule to run a script, then.

authpf would just be the mechanism for ensuring that they'd sent a
session request, otherwise their outgoing tcp connections coming out of
sshd would get denied by PF. You could have your script as the login
shell do its thing then exec authpf (or authpf-noip) at the end.

> The object is to get a complete set of registrations of all logins on all
> servers, at auth time, sent by the registration script to the central
> database.
>
> (If the auth time requirement was not there, adding the script as a "pipe"
> line in syslog.conf could have worked, but I think because it's quite
> indirect it's unpreferable, also not sure if you can get the client IP
> there.)

OK, thanks. It feels like there should be some way to get a bsdauth
module to do this, but I've never tried anything like this before. I
can't find an obvious equivalent to a PAM session module, I'm not even
sure there is one. I'll think about it a bit more.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev