> To: misc@openbsd.org
>
> On 9/15/19 7:31 AM, shadrock uhuru wrote:
>> Hi everyone,
>> I can log in with authpf but am unable to exit or control D out of the ssh
>> session.
>> The only way out is to control C, which also kills any other ordinary ssh
>> user connected to the server.
>> My authpf user has authpf as its login shell and login class.
>> Is this normal behaviour?
>> shadrock
>>
> If I understand your request, you want someone to log into your system,
> which brings up authpf, and you want them to be able to do something to
> exit to a shell prompt on that server and still leave the authpf rules
> in place?
>
> That's not the way authpf was designed.
>
> The idea is that when authpf is invoked, it activates certain rules,
> presumably regarding the IP address in question, and when authpf exits,
> it removes those changes. Connect to authpf, now you can access the
> web site, or FTP or whatever it is you need, terminate authpf, and no
> one else at your IP can do those things. If you are letting these same
> users access the shell prompt, your usage is not as paranoid as authpf
> was designed to deal with, it's probably not the right tool for the job,
> or your expectations are wrong.
>
> I run a private IRC server, which is blocked on the 'net by PF, but as
> all the users are people I know in real life and friends, I trust them
> to be able to activate their own IP addresses, so I just wrote a simple
> (and surely insecure) script to add that user's IP address to the PF
> table that permits them access to the system. What this doesn't do
> (and I'm not sure how you expect to do this) is clear the connections
> when they leave. In my case, I don't care -- the odds that after Fred
> gets a new IP address that his old IP address will end up in the hands
> of someone wanting to have access to my IRC server for malicious
> reasons (and they find it!) is pretty small. But that might not be
> your use case. If you need to close those openings...you had best
> think hard about how you expect that to happen.
>
> Nick.
>
> Subject: Re: authpf unable to exit ssh without control C
> From: Nick Holland
> Date: 9/16/19, 12:39 PM
>
Hi Nick,
I have sorted the problem with some pointers from irc.openbsd folks.
What I actually needed was to be able to log in with ssh with a non-authpf
user to view tcpdumps etc. and then log in to another ssh session
with an authpf user for testing, but when I logged out the authpf user it
logged out the non-authpf user as well.
It turns out that as both logins were from my laptop, i.e. the same IP
address, I needed to use the authpf-noip shell for the authpf user.
Now I can exit the ssh session for the authpf user without taking down
the ssh session for the non-authpf user.
Thanks for your time,
shadrock