Tinker
2015-Nov-26 05:49 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
On 2015-11-26 13:33, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr at openmailbox.org> wrote:
>> The goal is to get a script invoked *at login time*,
>
> This part I follow, but having a script run is just a means to an end
> not the end itself. What is the script going to do?
>
>> so that the authentication only is known to the client after that the
>> script invocation
>> has completed.
>
> I don't quite follow the part about the "authentication being known to
> the client". You want your command to complete before allowing any
> port forwards?

Yes.

> Does the result of the script matter?

No.

>> Does that make sense as a use case? :)
>>
>> Can it be done?
>>
>> I understand that it can be done via PAM, but then PAM is not in
>> all
>> environments and not everyone likes PAM.
>
> PAM or bsdauth are the two obvious ways to do this.

How would you do it using bsdauth?

(PAM seems very redundant to install on OBSD.)

> If you are always
> using public-key authentication, you could possibly abuse
> AuthorizedKeysCommand in sshd_config.

As in key files. Could be partially interesting to know how a passthrough script would look for it, but, if an all-encompassing way could be worked out it would be better, i.e. one that supports password logins too.

> This sounds a bit like what authpf[1] does. I imagine you could write
> firewall rules to block outgoing tcp connections from sshd until after
> authpf runs, if that is an option for you.

(That sounds like a very indirect approach, in particular as it would cover only some connections?)

>
> [1] http://www.openbsd.org/faq/pf/authpf.html

Thanks!
Darren Tucker
2015-Nov-26 06:16 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
On Thu, Nov 26, 2015 at 4:49 PM, Tinker <tinkr at openmailbox.org> wrote:
> On 2015-11-26 13:33, Darren Tucker wrote:
[...]
>> What is the script going to do?

You didn't answer this.

> How would you do it using bsdauth?
>
> (PAM seems very redundant to install on OBSD.)

You are using OpenBSD or something else?

[...]
>> This sounds a bit like what authpf[1] does. I imagine you could write
>> firewall rules to block outgoing tcp connections from sshd until after
>> authpf runs, if that is an option for you.
>
> (That sounds like a very indirect approach, in particular as it would cover
> only some connections?)

Assuming you write the PF rules to do so you should be able to match local processes (using "user" rules and the $user_id authpf macro) as well as connections from the IP address they're logging in as (using "from" rules and $user_ip macro).

But all of this is speculative because you still have not described what the objective of this exercise is.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Tinker
2015-Nov-26 06:23 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
On 2015-11-26 14:16, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:49 PM, Tinker <tinkr at openmailbox.org> wrote:
>> On 2015-11-26 13:33, Darren Tucker wrote:
> [...]
>>> What is the script going to do?
>
> You didn't answer this.

Register the login to the group's login database.

>> How would you do it using bsdauth?
>>
>> (PAM seems very redundant to install on OBSD.)
>
> You are using OpenBSD or something else?

OpenBSD.

> [...]
>>> This sounds a bit like what authpf[1] does. I imagine you could
>>> write
>>> firewall rules to block outgoing tcp connections from sshd until
>>> after
>>> authpf runs, if that is an option for you.
>>
>> (That sounds like a very indirect approach, in particular as it would
>> cover
>> only some connections?)
>
> Assuming you write the PF rules to do so you should be able to match
> local processes (using "user" rules and the $user_id authpf macro) as
> well as connections from the IP address they're logging in as (using
> "from" rules and $user_ip macro).

Wait, to PF, isn't the user for all SSH connections "root" (independent of what user you log in as)? Also, how would PF know when an SSH connection became authenticated, so as to trigger some rule to run a script, then?

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf%2econf&arch=i386

> But all of this is speculative because you still have not described
> what the objective of this exercise is.

The object is to get a complete set of registrations of all logins on all servers, at auth time, sent by the registration script to the central database. (If the auth time requirement was not there, adding the script as a "pipe" line in syslog.conf could have worked, but I think because it's quite indirect it's unpreferable; also not sure if you can get the client IP there.)
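As an added illustration of the AuthorizedKeysCommand route Darren mentions (this is not code from the thread or from OpenSSH), the wrapper below records every public-key offer for an account and then prints that account's keys, which sshd reads as an authorized_keys file. The paths KEYDIR and LOGFILE, the account name `_sshkeys` and the script location in the comment are assumptions. Two caveats worth keeping in mind for the registration objective: sshd runs this command when a key is offered, before authentication has succeeded, so the log records offers rather than completed logins (a failed offer still gets a line); and password logins never invoke it, so they are not covered. What it does give is the ordering asked about earlier in the thread, since sshd does not continue the authentication exchange until the command has exited, so no session or forwarding can be set up before the registration has run. The command runs as AuthorizedKeysCommandUser, so LOGFILE must be writable by that unprivileged account and nothing else.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): an AuthorizedKeysCommand
# wrapper that registers each public-key offer for a user before returning
# that user's keys to sshd. Assumed sshd_config settings:
#   AuthorizedKeysCommand /usr/local/sbin/register-keys %u
#   AuthorizedKeysCommandUser _sshkeys      # hypothetical unprivileged account
#   AuthorizedKeysFile none
# KEYDIR and LOGFILE are assumed paths; both can be overridden from the
# environment, which the test below relies on.

KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys.d}"
LOGFILE="${LOGFILE:-/var/log/ssh-key-offers.log}"

# register_and_emit_keys USER
# Appends "<epoch> <user> <result>" to LOGFILE, then prints USER's keys on
# stdout. Returns 1 when there is nothing to offer, so sshd sees no keys.
register_and_emit_keys() {
    user=$1
    keyfile="$KEYDIR/$user"

    # sshd already validates the %u token, but the script should still refuse
    # to build a path from anything that is not a plain account name.
    case $user in
        ''|*/*|.*)
            printf '%s %s invalid-name\n' "$(date +%s)" "$user" >>"$LOGFILE"
            return 1 ;;
    esac

    if [ ! -r "$keyfile" ]; then
        printf '%s %s no-keys\n' "$(date +%s)" "$user" >>"$LOGFILE"
        return 1
    fi

    printf '%s %s keys-offered\n' "$(date +%s)" "$user" >>"$LOGFILE"
    cat "$keyfile"
}

# When invoked by sshd the single argument is the expanded %u token.
if [ $# -eq 1 ]; then
    register_and_emit_keys "$1"
fi
```

Forwarding the log line to a central database from here (rather than appending locally) is the natural next step, but note that if that network call fails or hangs, sshd waits on it and the login is delayed or refused, so keep the command's runtime bounded.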