On Monday 22 January 2007 11:04, Chris Smith wrote:
> It seems like a job for authpf and ideally I would just like to add the
> authpf $user_ip to the <remote_users> table during the authenticated
> session (and remove it after), but it appears authpf cannot do this and
> that instead it would need to inject a whole duplicate set of redirects via
> an anchor. Is this a correct understanding?

Working through this I discovered the answer - no, there is no need to 
duplicate the set of rdr's. One can simply rewrite them to contain the 
<authpf_users> table as such:

rdr pass on $ext_if proto tcp from { <remote_users>, <authpf_users> } to 
$ex_vnc port 6713 -> $orion port 6713

The <authpf_users> table is automatically added to and subtracted via authpf 
authentication. There is no need for an anchor nor any authpf rules, although 
the /etc/authpf/authpf.rules (empty in this case) file still needs to exist.

> Also, as it is currently, sshd only allows access via public
> key - "PasswordAuthentication no", with only the sysadmin (also the only
> added account) as an allowed user. At this time it appears that I would
> either have to open up sshd to passwords (I'm not enamored with this idea)
> and/or teach the remote users to set up and use key pairs (or do it for
> them).
> Is this a correct assumption or does authpf offer any kind of workaround?

No authpf workaround I can see. Basically it would appear that sshd would need 
to be able to set login rules based on the user's shell; instead of having just 
one choice of "PasswordAuthentication no/yes", one could match the type of 
authentication states allowed to a list of user shells.

Chris

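An added pf.conf fragment (not from the original message) illustrating the rewritten redirect above, with the statically trusted table and the authpf-managed table side by side. The macro values, the sample address in <remote_users>, and the interface name are placeholders; the fragment assumes authpf is the remote users' login shell (and listed in /etc/shells) and that /etc/authpf/authpf.rules exists, empty or not, as the message notes:

```pf
# Added example, not the poster's configuration. All addresses and the
# interface name are constructed placeholders.
ext_if = "em0"             # assumed external interface
ex_vnc = "192.0.2.10"      # assumed external address the VNC port is offered on
orion  = "10.0.0.5"        # assumed internal host behind the $orion macro

# Statically trusted remote addresses (constructed sample entry), plus the
# table authpf adds a user's address to at login and removes it at logout.
# "persist" keeps <authpf_users> defined while it is empty between sessions.
table <remote_users> { 198.51.100.7 }
table <authpf_users> persist

# One redirect serves both populations; no duplicate rule set in an anchor.
rdr pass on $ext_if proto tcp from { <remote_users>, <authpf_users> } \
    to $ex_vnc port 6713 -> $orion port 6713

# Checks (as root):
#   pfctl -nf /etc/pf.conf           # parse-only syntax check before loading
#   pfctl -t authpf_users -T show    # lists a user's address only while
#                                    # that user's authpf ssh session is open
```

Running the second pfctl command before, during and after a test login is the quickest way to confirm the table really is emptied when the session ends, which is the property the whole approach depends on.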