Re: [pfSense-discussion] authpf package

2005-10-29 Thread jonathan gonzalez
About this theme, a trick can be done that of course does not disable
user access, as it sounds.

PAM_file can be used for ssh connections. This feature reads from a file
(i.e. in the root directory) a list of allowed users.

If a user is in the list he can get in; otherwise, he can't. It's a clean
solution because you only have to define who is allowed, which of
course would be fewer people than those not allowed ;)

Another thing is to use a non-standard port for ssh connections, and use
pfSense synproxy features.

Again, it is necessary to say that the ssh daemons should not be accepting
RSA keys and must be forced to be interactive (to avoid login scripts done
in expect or so).


Hope this helps!!

Regards,

jonathan




Travis H. wrote:

>> ssh needs to be open on the WAN interface, and all users that have a real shell
>> could be disabled for security concerns.
>
> Be careful when trying to disable users via their login shell:
>
> http://www.csh.rit.edu/~psionic/articles/ssh-security/
> --
> http://www.lightconsulting.com/~travis/  --
> We already have enough fast, insecure systems. -- Schneier & Ferguson
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: [pfSense-discussion] authpf package

2005-10-28 Thread Travis H.
> ssh needs to be open on the WAN interface, and all users that have a real shell
> could be disabled for security concerns.

Be careful when trying to disable users via their login shell:

http://www.csh.rit.edu/~psionic/articles/ssh-security/
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: [pfSense-discussion] authpf package

2005-10-26 Thread Bill Marquette
On 10/26/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> Is there any way to easily hook pam/radius up to authpf?

Yes, but that handles the passwords, not the fact that the user needs
to have an account on the box (radius doesn't give back UID/GID and
shell information).

--Bill


RE: [pfSense-discussion] authpf package

2005-09-07 Thread Gary Buckmaster
Dominic,

The pfSense packages are very easy to build.  You'll find enough to get you
started in the Developer's Docs part of the website:
http://www.pfsense.org/index.php?id=30

Best,

Gary

-Original Message-
From: D.Pageau [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 07, 2005 9:07 AM
To: Pfsense Discussion
Subject: [pfSense-discussion] authpf package


In the past I have used OpenBSD authpf, which is a special shell that adds
dynamic rules to the pf firewall.  It's basically the same idea as port
knocking, where ports are blocked by default and can be opened, but it's
much more powerful.

http://www.openbsd.org/faq/pf/authpf.html

I'd like to get that feature in pfSense.  authpf is available in the FreeBSD
ports distribution, /usr/ports/security/authpf.  I'm looking for
information on how to create a package to add that feature myself, or maybe
someone could build that package for me.

Thanks

--
Dominic Pageau [EMAIL PROTECTED]



Re: [pfSense-discussion] authpf package

2005-09-07 Thread Scott Ullrich
That doc is getting somewhat old now.  Read that and then refer to:

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/pkg_config.xml?rev=1.175
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/

Scott


On 9/7/05, Gary Buckmaster [EMAIL PROTECTED] wrote:
> Dominic,
>
> The pfSense packages are very easy to build.  You'll find enough to get you
> started in the Developer's Docs part of the website:
> http://www.pfsense.org/index.php?id=30
>
> Best,
>
> Gary
>
> -Original Message-
> From: D.Pageau [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 07, 2005 9:07 AM
> To: Pfsense Discussion
> Subject: [pfSense-discussion] authpf package
>
>
> In the past I have used OpenBSD authpf, which is a special shell that adds
> dynamic rules to the pf firewall.  It's basically the same idea as port
> knocking, where ports are blocked by default and can be opened, but it's
> much more powerful.
>
> http://www.openbsd.org/faq/pf/authpf.html
>
> I'd like to get that feature in pfSense.  authpf is available in the FreeBSD
> ports distribution, /usr/ports/security/authpf.  I'm looking for
> information on how to create a package to add that feature myself, or maybe
> someone could build that package for me.
>
> Thanks
>
> --
> Dominic Pageau [EMAIL PROTECTED]