Tinker
2015-Nov-26 06:23 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
On 2015-11-26 14:16, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:49 PM, Tinker <tinkr at openmailbox.org> wrote:
>> On 2015-11-26 13:33, Darren Tucker wrote:
> [...]
>>> What is the script going to do?
>
> You didn't answer this.

Register the login to the group's login database.

>> How would you do it using bsdauth?
>>
>> (PAM seems very redundant to install on OBSD.)
>
> You are using OpenBSD or something else?

OpenBSD.

> [...]
>>> This sounds a bit like what authpf[1] does. I imagine you could write
>>> firewall rules to block outgoing tcp connections from sshd until after
>>> authpf runs, if that is an option for you.
>>
>> (That sounds like a very indirect approach, in particular as it would cover
>> only some connections?)
>
> Assuming you write the PF rules to do so you should be able to match
> local processes (using "user" rules and the $user_id authpf macro) as
> well as connections from the IP address they're logging in as (using
> "from" rules and $user_ip macro).

Wait, to PF, isn't the user for all SSH connections "root" (independent of what user you log in as)? Also, how would PF know when an SSH connection became authenticated, so as to trigger some rule to run a script, then?

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf%2econf&arch=i386

> But all of this is speculative because you still have not described
> what the objective of this exercise is.

The object is to get a complete set of registrations of all logins on all servers, at auth time, sent by the registration script to the central database.

(If the auth time requirement was not there, adding the script as a "pipe" line in syslog.conf could have worked, but I think because it's quite indirect it's not preferable; also I'm not sure if you can get the client IP there.)
Darren Tucker
2015-Nov-26 07:34 UTC
On Thu, Nov 26, 2015 at 5:23 PM, Tinker <tinkr at openmailbox.org> wrote:
[...]
> Wait, to PF, isn't the user for all SSH connections "root" (independent of
> what user you log in as)?

Not since privilege separation became the default ten years or so ago: forwarded TCP connections will come from the unprivileged child sshd running as the logged-in user.

> Also, how would PF know when an SSH connection became authenticated, so as
> to trigger some rule to run a script, then?

authpf would just be the mechanism for ensuring that they'd sent a session request; otherwise their outgoing tcp connections coming out of sshd would get denied by PF. You could have your script as the login shell do its thing, then exec authpf (or authpf-noip) at the end.

> The object is to get a complete set of registrations of all logins on all
> servers, at auth time, sent by the registration script to the central
> database.
>
> (If the auth time requirement was not there, adding the script as a "pipe"
> line in syslog.conf could have worked, but I think because it's quite
> indirect it's not preferable; also I'm not sure if you can get the client IP
> there.)

OK, thanks. It feels like there should be some way to get a bsdauth module to do this, but I've never tried anything like this before. I can't find an obvious equivalent to a PAM session module; I'm not even sure there is one. I'll think about it a bit more.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Tinker
2015-Nov-26 07:55 UTC
On 2015-11-26 15:34, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 5:23 PM, Tinker <tinkr at openmailbox.org> wrote:
> [...]
>> Wait, to PF, isn't the user for all SSH connections "root" (independent of
>> what user you log in as)?
>
> Not since privilege separation became the default ten years or so ago:
> forwarded TCP connections will come from the unprivileged child sshd
> running as the logged-in user.
>
>> Also, how would PF know when an SSH connection became authenticated, so as
>> to trigger some rule to run a script, then?
>
> authpf would just be the mechanism for ensuring that they'd sent a
> session request; otherwise their outgoing tcp connections coming out
> of sshd would get denied by PF. You could have your script as the
> login shell do its thing, then exec authpf (or authpf-noip) at the end.

Can you give an example of the pf.conf line and shell script that appends the username and remote IP logged in to /tmp/logins.txt? E.g. echo $user $ip >> /tmp/logins.txt.

An alternative way could be:

>> The object is to get a complete set of registrations of all logins on all
>> servers, at auth time, sent by the registration script to the central
>> database.
>>
>> (If the auth time requirement was not there, adding the script as a "pipe"
>> line in syslog.conf could have worked, but I think because it's quite
>> indirect it's not preferable; also I'm not sure if you can get the client IP
>> there.)
>
> OK, thanks. It feels like there should be some way to get a bsdauth
> module to do this, but I've never tried anything like this before. I
> can't find an obvious equivalent to a PAM session module; I'm not even
> sure there is one. I'll think about it a bit more.

login.conf has an "approve" program option; I guess that one actually applies to SSHD logins too?

www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/login.conf.5?query=login%2econf&sec=5
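The mechanism Darren describes, with the pf.conf lines and wrapper script Tinker asks for, as an added example that is not from the thread: the wrapper is installed as the user's login shell, appends the username and client IP to /tmp/logins.txt, then execs authpf, whose per-session rules lift a main-ruleset block on new outgoing TCP from the user's unprivileged sshd child (so a forwarding-only session that never requests a shell stays blocked). It assumes authpf accepts being exec'd from a wrapper instead of being the passwd shell itself (check authpf(8) on your release), that authpf reads the client address from SSH_CLIENT, and that 1000 is the first regular uid.

```shell
#!/bin/sh
# ssh-login-register: wrapper login shell (constructed example, not from the
# thread). Records "<user> <client-ip> <epoch>" for each login, then execs
# authpf as Darren suggests. authpf loads /etc/authpf/authpf.rules into the
# "authpf" anchor with $user_id/$user_ip set for this session; until that
# happens the main ruleset below denies new outgoing TCP from the
# unprivileged sshd child, which runs as the logged-in user.
#
# Assumed /etc/pf.conf fragment (pf is last-match, so the block rule comes
# first and the anchor after it, letting authpf's pass rule win):
#   block out on egress proto tcp user >= 1000
#   anchor "authpf/*"
# Assumed /etc/authpf/authpf.rules:
#   pass out on egress proto tcp user $user_id
# The wrapper path must be listed in /etc/shells and set as the user's shell.

LOGFILE="${LOGFILE:-/tmp/logins.txt}"   # /tmp as requested; demo only

# Client address is the first word of SSH_CLIENT ("ip port serverport"),
# which sshd sets for every session and exec preserves for authpf.
client_ip() {
    set -- ${SSH_CLIENT:-}
    [ -n "${1:-}" ] || return 1
    printf '%s\n' "$1"
}

# One registration record; "unknown" if SSH_CLIENT is missing (e.g. a
# local login that is not over ssh).
login_record() {
    ip=$(client_ip) || ip=unknown
    printf '%s %s %s\n' "${USER:-$(id -un)}" "$ip" "$(date +%s)"
}

# Append the record. The wrapper runs as the user, so a local file is only
# as trustworthy as that user; a real deployment would ship the record to
# the central registration database instead.
register_login() {
    login_record >> "$LOGFILE"
}

# sshd starts a login shell with argv[0] prefixed by "-"; only then register
# and hand the session to authpf (or authpf-noip). Running the file any
# other way just defines the functions.
case "$0" in
    -*) register_login
        exec /usr/sbin/authpf ;;
esac
```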