On Sun, May 07, 2006 at 12:39:44AM +0100, Stuart Henderson wrote:
> On 2006/05/06 11:49, S t i n g r a y wrote:
> > & as I am using a network in which I don't have control
> > over users' PCs & cannot use service authentication I am
> > stuck with IP & MAC filtering.
>
> Look at authpf(8), it's much _much_ safer than what you suggest
I have looked into authpf(8) before and understand how it works, but the
following excerpt from the BUGS section of the man page puzzles me
somewhat:
    The authenticating ssh(1) connection may be secured, but if the
    network is not secured the user may expose insecure protocols to
    attackers on the same network, or enable other attackers on the
    network to pretend to be the user by spoofing their IP address.
If IP spoofing is still a concern with authpf(8), what makes it an
improvement over IP filtering? I can believe it *is* an improvement,
I am just curious *how* in light of the above warning.
For example, a spoofer would have to fake the IP address of a current
legitimate user, and I expect this makes certain attacks more difficult,
but they could still easily send UDP datagrams (e.g. to poison a DNS
cache), right?
A quick googling and mailing list search gave plenty of hits for
configuring authpf, but I did not find anything specifically related to
the above.
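To make the comparison in this mail concrete, here is an added example (not part of the original thread) in pf.conf syntax: a permanent IP-based pass rule beside an authpf(8) anchor whose per-user rules only exist while that user's ssh session is up. The interface name, the user and DNS server addresses, and the user network are assumed values.

```pf
# Constructed example, not from the original thread.
# Interface and addresses are assumptions.
int_if  = "fxp0"
dns_srv = "192.0.2.53"

# Approach 1: static IP filtering. This rule is always in the ruleset,
# so whoever can send packets as 192.168.1.10, legitimately or by
# spoofing, gets the access at any time of day.
# pass in quick on $int_if proto udp from 192.168.1.10 to $dns_srv port domain

# Approach 2: authpf(8). Nothing is passed until the user has
# authenticated over ssh; authpf then loads that user's rules into the
# anchor and removes them again when the ssh session ends.
table <authpf_users> persist
block in on $int_if all

# antispoof drops packets arriving on $int_if with a source address that
# belongs to one of the firewall's other networks. It does not help
# against a host on the same segment using a neighbour's address, which
# is exactly what the BUGS section of authpf(8) warns about.
antispoof quick for { lo $int_if }

anchor "authpf/*"

# /etc/authpf/authpf.rules, loaded per authenticated user. $user_ip and
# $user_id are filled in by authpf from the ssh session, so the window
# in which a spoofed $user_ip is useful is limited to that session.
# pass in quick on $int_if proto tcp from $user_ip to any port ssh keep state
# pass in quick on $int_if proto udp from $user_ip to $dns_srv port domain keep state
```

The authpf.rules lines are shown commented because they belong in their own file; the `from $user_ip` clauses are what makes the per-session rules, and the spoofing caveat, IP-keyed.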