Re: [pfSense-discussion] authpf package
On 10/29/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
> about this theme a trick can be done, which of course does not disable
> user access as it may sound.
>
> PAM_file can be used for ssh connections. This feature reads from a file
> (i.e. in the root directory) a list of allowed users.
>
> If a user is in the list he can get in, else, he can't. It's a clean
> solution because you only have to define who are the allowed, that of
> course would be less people than the not allowed ;)

Doesn't help the authpf issue. SSH needs to allow them in to spawn authpf.

--Bill
Re: [pfSense-discussion] authpf package
answering to myself, I posted this trick in the past in another list.

http://www.trustix.org/wiki/index.php/Restrict_SSH_per_user

Hope this helps!!!

jonathan

Travis H. wrote:
> > ssh needs to be open on the WAN interface and all users that have a real
> > shell could be disabled for security concerns.
>
> Be careful when trying to disable users via their login shell:
> http://www.csh.rit.edu/~psionic/articles/ssh-security/
>
> --
> http://www.lightconsulting.com/~travis/ -><-
> "We already have enough fast, insecure systems." -- Schneier & Ferguson
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Re: [pfSense-discussion] authpf package
about this theme a trick can be done, which of course does not disable
user access as it may sound.

PAM_file can be used for ssh connections. This feature reads from a file
(i.e. in the root directory) a list of allowed users.

If a user is in the list he can get in, else, he can't. It's a clean
solution because you only have to define who are the allowed, that of
course would be less people than the not allowed ;)

Another thing is to use a non-standard port for ssh connections, and use
the pfSense synproxy features.

Again it is necessary to say that the ssh daemons should not be accepting
RSA keys and must be forced to be interactive (avoid login scripts done in
expect or so).

Hope this helps!!

Regards,

jonathan

Travis H. wrote:
> > ssh needs to be open on the WAN interface and all users that have a real
> > shell could be disabled for security concerns.
>
> Be careful when trying to disable users via their login shell:
> http://www.csh.rit.edu/~psionic/articles/ssh-security/
>
> --
> http://www.lightconsulting.com/~travis/ -><-
> "We already have enough fast, insecure systems." -- Schneier & Ferguson
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
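Putting jonathan's allow-list idea together with Bill's objection (SSH must still let the authpf users in), here is an added audit script that is not from the thread or from pfSense: it separates accounts whose login shell is authpf from accounts with a real shell, and emits an sshd_config AllowUsers line that admits only the authpf accounts. The authpf path /usr/sbin/authpf, the list of "real" shells and the sample passwd lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format file and
# build an sshd_config AllowUsers line limited to authpf accounts.

# Assumed authpf location (FreeBSD/OpenBSD ship it here; override if not).
AUTHPF_SHELL="${AUTHPF_SHELL:-/usr/sbin/authpf}"

# Shells that give a login a real command line (constructed list).
REAL_SHELLS='/bin/sh /bin/csh /bin/tcsh /usr/local/bin/bash'

# Print users whose login shell is authpf, one per line.
authpf_users() {  # $1 = passwd file
    awk -F: -v s="$AUTHPF_SHELL" '$7 == s { print $1 }' "$1"
}

# Print non-system users (uid >= 1000) whose shell is interactive.
real_shell_users() {  # $1 = passwd file
    awk -F: -v list="$REAL_SHELLS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) real[a[i]] = 1 }
        ($3 + 0) >= 1000 && ($7 in real) { print $1 }' "$1"
}

# Emit the sshd_config line restricting SSH logins to the authpf accounts.
allowusers_line() {  # $1 = passwd file
    users=$(authpf_users "$1" | tr '\n' ' ')
    [ -n "$users" ] || return 1
    printf 'AllowUsers %s\n' "${users% }"
}

# Constructed sample passwd; not a real system file.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/usr/sbin/authpf
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/usr/sbin/authpf
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); sample_passwd >"$tmp"
    echo "authpf accounts:"; authpf_users "$tmp"
    echo "accounts with a real shell (review these):"; real_shell_users "$tmp"
    allowusers_line "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh audit.sh demo` against the built-in sample, or point the functions at a real /etc/passwd; the AllowUsers line it prints is what keeps SSH open for authpf while shutting out everyone else.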
Re: [pfSense-discussion] authpf package
> ssh needs to be open on the WAN interface and all users that have a real
> shell could be disabled for security concerns.

Be careful when trying to disable users via their login shell:
http://www.csh.rit.edu/~psionic/articles/ssh-security/

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Re: [pfSense-discussion] authpf package
Right, just like the pfSense pure-ftpd package does.

ssh needs to be open on the WAN interface and all users that have a real
shell could be disabled for security concerns.

Unfortunately authpf is a user shell, not a daemon, and does not have any
authentication mechanism.

On 10/26/2005 1:40 PM, Bill Marquette wrote:
> I'm curious how you plan on adding authentication? authpf (last I
> looked) requires accounts on the system running authpf as it runs as
> the user's shell.
>
> --Bill

--
Dominic Pageau <[EMAIL PROTECTED]>
Re: [pfSense-discussion] authpf package
On 10/26/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> Is there any way to easily hook pam/radius up to authpf?

Yes, but that handles the passwords, not the fact that the user needs to
have an account on the box (radius doesn't give back UID/GID and shell
information).

--Bill
Re: [pfSense-discussion] authpf package
Is there any way to easily hook pam/radius up to authpf?

On 10/26/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On 10/26/05, D.Pageau <[EMAIL PROTECTED]> wrote:
> > I'm currently building a new package for pfsense, authpf.
>
> I'm curious how you plan on adding authentication? authpf (last I
> looked) requires accounts on the system running authpf as it runs as
> the user's shell.
>
> --Bill
>
Re: [pfSense-discussion] authpf package
On 10/26/05, D.Pageau <[EMAIL PROTECTED]> wrote:
> I'm currently building a new package for pfsense, authpf.

I'm curious how you plan on adding authentication? authpf (last I
looked) requires accounts on the system running authpf as it runs as
the user's shell.

--Bill
Re: [pfSense-discussion] authpf package
On 10/26/05, D.Pageau <[EMAIL PROTECTED]> wrote:
> I'm currently building a new package for pfsense, authpf.
>
> authpf is an authentication shell that can change pf filter rules
> according to the authenticated user. Kind of like port knocking, but
> much cleaner.
>
> http://www.openbsd.org/faq/pf/authpf.html
>
> authpf is not in the freebsd ports distribution anymore, it's now part of
> the freebsd distro itself but is missing in the pfsense distro (removed by
> freesbie ?).

Yeah, looks that way.

> What should I do to add that missing shell ? Do I have to create a full
> freebsd package with that file and add
> authpf.tbz to pkg_config.xml ?
>
> Looks overkill to me to simply add a file. Any idea ?

Yes, that does seem overkill for this file. I will modify the builder
scripts to include it for future versions.

Scott
[pfSense-discussion] authpf package
I'm currently building a new package for pfsense, authpf.

authpf is an authentication shell that can change pf filter rules
according to the authenticated user. Kind of like port knocking, but
much cleaner.

http://www.openbsd.org/faq/pf/authpf.html

authpf is not in the freebsd ports distribution anymore, it's now part of
the freebsd distro itself but is missing in the pfsense distro (removed by
freesbie ?).

What should I do to add that missing shell ? Do I have to create a full
freebsd package with that file and add authpf.tbz to pkg_config.xml ?

Looks overkill to me to simply add a file. Any idea ?

--
Dominic Pageau <[EMAIL PROTECTED]>
Re: [pfSense-discussion] authpf package
That doc is somewhat getting old now. Read that and then refer to:

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/pkg_config.xml?rev=1.175
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/

Scott

On 9/7/05, Gary Buckmaster <[EMAIL PROTECTED]> wrote:
> Dominic,
>
> The pfSense packages are very easy to build. You'll find enough to get you
> started in the Developer's Docs part of the website:
> http://www.pfsense.org/index.php?id=30
>
> Best,
>
> Gary
>
> -----Original Message-----
> From: D.Pageau [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 07, 2005 9:07 AM
> To: Pfsense Discussion
> Subject: [pfSense-discussion] authpf package
>
>
> In the past I have used openbsd authpf, which is a special shell that adds
> dynamic rules in the pf firewall. It's basically the same idea as port
> knocking, where ports are blocked by default and can be opened, but it's
> much more powerful.
>
> http://www.openbsd.org/faq/pf/authpf.html
>
> I'd like to get that feature in pfsense. authpf is available in the freebsd
> ports distribution /usr/ports/security/authpf. I'm looking for
> information on how to create a package to add that feature myself or maybe
> someone could build that package for me.
>
> Thanks
>
> --
> Dominic Pageau <[EMAIL PROTECTED]>
>
>
RE: [pfSense-discussion] authpf package
Dominic,

The pfSense packages are very easy to build. You'll find enough to get you
started in the Developer's Docs part of the website:
http://www.pfsense.org/index.php?id=30

Best,

Gary

-----Original Message-----
From: D.Pageau [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 07, 2005 9:07 AM
To: Pfsense Discussion
Subject: [pfSense-discussion] authpf package


In the past I have used openbsd authpf, which is a special shell that adds
dynamic rules in the pf firewall. It's basically the same idea as port
knocking, where ports are blocked by default and can be opened, but it's
much more powerful.

http://www.openbsd.org/faq/pf/authpf.html

I'd like to get that feature in pfsense. authpf is available in the freebsd
ports distribution /usr/ports/security/authpf. I'm looking for
information on how to create a package to add that feature myself or maybe
someone could build that package for me.

Thanks

--
Dominic Pageau <[EMAIL PROTECTED]>
[pfSense-discussion] authpf package
In the past I have used openbsd authpf, which is a special shell that adds
dynamic rules in the pf firewall. It's basically the same idea as port
knocking, where ports are blocked by default and can be opened, but it's
much more powerful.

http://www.openbsd.org/faq/pf/authpf.html

I'd like to get that feature in pfsense. authpf is available in the freebsd
ports distribution /usr/ports/security/authpf. I'm looking for
information on how to create a package to add that feature myself or maybe
someone could build that package for me.

Thanks

--
Dominic Pageau <[EMAIL PROTECTED]>