How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
tinkr at openmailbox.org
Thu Nov 26 18:55:57 AEDT 2015
On 2015-11-26 15:34, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 5:23 PM, Tinker <tinkr at openmailbox.org> wrote:
>> Wait, to PF, isn't the user for all SSH connections "root"
>> (independent of
>> what user you log in as)?
> Not since privilege separation became the default ten years or so ago:
> forwarded TCP connections will come from the unprivileged child sshd
> running as the logged-in user.
>> Also, how would PF know when an SSH connection became authenticated as
>> trig some rule to run a script, then.
> authpf would just be the mechanism for ensuring that they'd sent a
> session request, otherwise their outgoing tcp connections coming out
> of sshd would get denied by PF. You could have your script as the
> login shell do its thing then exec authpf (or authpf-noip) at the end.
Can you give an example of the pf.conf line and shellscript, that
appends the username and remote IP logged in to, to /tmp/logins.txt?
E.g. echo $user $ip >> /tmp/logins.txt .
An alternative way could be:
>> The object is to get a complete set of registrations of all logins on
>> servers, at auth time, sent by the registration script to the central
>> (If the auth time requirement was not there, adding the script as a
>> line in syslog.conf could have worked, but I think because it's quite
>> indirect it's unpreferable, also not sure if you can get the client IP
> OK, thanks. It feels like there should be some way to get a bsdauth
> module to do this, but I've never tried anything like this before. I
> can't find an obvious equivalent to a PAM session module, I'm not even
> sure there is one. I'll think about it a bit more.
login.conf has an "approve" program option, I guess actually that one
applies for SSHD logins too?
More information about the openssh-unix-dev