On 2015-11-26 15:34, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 5:23 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
>> [...]
>> Wait, to PF, isn't the user for all SSH connections "root" (independent of
>> what user you log in as)?
>
> Not since privilege separation became the default ten years or so ago:
> forwarded TCP connections will come from the unprivileged child sshd
> running as the logged-in user.
>
>> Also, how would PF know when an SSH connection became authenticated, as to
>> trigger some rule to run a script, then?
>
> authpf would just be the mechanism for ensuring that they'd sent a
> session request, otherwise their outgoing tcp connections coming out
> of sshd would get denied by PF. You could have your script as the
> login shell do its thing then exec authpf (or authpf-noip) at the end.

Can you give an example of the pf.conf line and shell script that
appends the username and remote IP logged in to, to /tmp/logins.txt?
E.g. echo $user $ip >> /tmp/logins.txt .
An alternative way could be:

>> The object is to get a complete set of registrations of all logins on all
>> servers, at auth time, sent by the registration script to the central
>> database.
>>
>> (If the auth time requirement was not there, adding the script as a "pipe"
>> line in syslog.conf could have worked, but I think because it's quite
>> indirect it's unpreferable, also not sure if you can get the client IP
>> there.)
>
> OK, thanks. It feels like there should be some way to get a bsdauth
> module to do this, but I've never tried anything like this before. I
> can't find an obvious equivalent to a PAM session module, I'm not even
> sure there is one. I'll think about it a bit more.

login.conf has an "approve" program option; I guess actually that one
applies for SSHD logins too?
www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/login.conf.5?query=login%2econf&sec=5
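As an added example (not code from Darren, Tinker, or the OpenSSH/OpenBSD projects), here is one way to do what Darren describes: a /bin/sh login-shell wrapper that appends the authenticated username and the client IP to /tmp/logins.txt and then execs authpf. It assumes sshd's SSH_CONNECTION variable (client IP, client port, server IP, server port), authpf at its OpenBSD path /usr/sbin/authpf, and the authpf anchor in pf.conf shown in the comments; the script name loginwrap and the LOGFILE/AUTHPF variables are this example's own choices.

```shell
#!/bin/sh
# Added example: login-shell wrapper that records the SSH login, then hands
# the session to authpf so pf only passes traffic after authentication.
#
# Assumed pf.conf side (authpf loads per-user rules into this anchor):
#   anchor "authpf/*"
# and /etc/authpf/authpf.rules carrying rules that use the $user_ip macro, e.g.
#   pass in quick from $user_ip to any
# /etc/authpf/authpf.conf must exist (it may be empty) for authpf to start.

LOGFILE="${LOGFILE:-/tmp/logins.txt}"   # assumption: writable by the logging user
AUTHPF="${AUTHPF:-/usr/sbin/authpf}"    # assumption: OpenBSD default location

# build_record USER SSH_CONNECTION
# Prints "timestamp user client_ip server_ip". SSH_CONNECTION is set by sshd as
# "client_ip client_port server_ip server_port"; fields 1 and 3 are the addresses.
build_record() {
    user="$1"
    conn="$2"
    client_ip=$(printf '%s\n' "$conn" | awk '{print $1}')
    server_ip=$(printf '%s\n' "$conn" | awk '{print $3}')
    # A missing SSH_CONNECTION (e.g. a local login) is recorded, not hidden.
    [ -n "$client_ip" ] || client_ip="unknown"
    [ -n "$server_ip" ] || server_ip="unknown"
    printf '%s %s %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$user" \
        "$client_ip" "$server_ip"
}

# record_login USER SSH_CONNECTION LOGFILE
# Appends one record; exit status is that of the append.
record_login() {
    build_record "$1" "$2" >> "$3"
}

# login_wrapper: what runs when this script is the user's login shell.
# The record is written first so a later authpf failure still leaves a trace.
login_wrapper() {
    user="${USER:-$(id -un)}"
    if ! record_login "$user" "${SSH_CONNECTION:-}" "$LOGFILE"; then
        command -v logger >/dev/null 2>&1 &&
            logger -p auth.warning "loginwrap: could not append to $LOGFILE"
    fi
    # Replace the shell with authpf; the session stays open while pf rules apply.
    exec "$AUTHPF"
}

# Dispatch on argv[0]: only act as a login shell when installed under the
# assumed name loginwrap; otherwise just define the functions above.
case "${0##*/}" in
    loginwrap) login_wrapper ;;
esac
```

Install as /usr/local/bin/loginwrap, list it in /etc/shells, and make it the user's login shell instead of authpf itself. One caveat a defender would want: because the wrapper runs as the unprivileged user, every user needs write access to /tmp/logins.txt, so any of them can edit or truncate it; forwarding the same record through logger to the auth facility (or to the central database Tinker mentions) gives a copy the user cannot alter.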
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev