Björn Ketelaars wrote:
> Hello,
>
> I want to use authpf to authenticate users before allowing them out of the
> gateway. If I understand correctly by using authpf as shell they'll lose
> their regular shell-account (e.g. ksh). Is it possible to use ksh after
> authentication by means of authpf? Or should I make 2 accounts for each
> user; one with authpf as shell and another with ksh?
As indicated, authpf is designed to be a shell, not an application, and designed with security in mind...so you must make two users if you wish to use authpf as intended. However, if you meet some conditions, it isn't hard to modify authpf into an application, which can then be backgrounded and will hold a port open until the process is terminated. The modification consists of removing a few checks that authpf is really being run as a shell. (hey, if I could find it, I'm sure you can, too :)

I use this on a private IRC server. The people using it are all trusted friends I know from real life (ok, a couple exceptions, but we are pretty sure Henning really exists). We use it to open up this machine to the 'net for individual people, but keeping it not much beyond being a pingable, ssh-able box to the rest of the 'net.

The hazard of this kind of use is that it is trivial for a user to spoof an address and open up any port they wish. The opened port is also persistent -- they log out, the authpf session stays alive until the machine is rebooted. It has to be manually killed. An individual user can also open up multiple IP addresses at once. In *my* case, these are not only acceptable risks, but desirable features. However...keep this in mind should you pursue this.

Authpf simply inserts addresses into a table; you can also do this through other means, if you wish. However, if you let someone poke around in their environment (i.e., log in), it might be a trick to find a way to pick out their IP address without any ability for them to spoof it...

If you don't completely trust your users, use authpf as intended.

Nick.
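The persistence problem Nick describes (table entries that outlive the session that created them) is easy to audit from the gateway side. The script below is an added example, not code from the thread or from authpf itself: it compares the addresses in the pf table against authpf's per-session files and reports entries whose controlling process is gone, so an operator can drop them instead of waiting for a reboot. It assumes the table is named authpf_users (the name used in the sample pf.conf in authpf(8)) and that each session is recorded in /var/authpf/<address> with the pid on the first line; the function names, the session directory argument and all sample data are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the pf table that authpf
# populates and report addresses whose authpf session is no longer running.
#
# Assumptions (constructed for this example):
#   - the table is named authpf_users, as in the sample pf.conf in authpf(8);
#   - authpf records each session in /var/authpf/<address>, first line = pid;
#   - the caller passes the table listing on stdin and the session directory
#     as $1, so the logic can be exercised without pf (see run_demo below).

# stale_entries SESSION_DIR < table-listing
# Prints one address per line whose session file is missing or whose pid is dead.
# `read` strips the leading spaces that `pfctl -T show` puts before each address.
stale_entries() {
    dir=$1
    while read -r addr; do
        [ -n "$addr" ] || continue
        f="$dir/$addr"
        if [ ! -f "$f" ]; then
            echo "$addr"              # in the table, but no session was recorded
            continue
        fi
        pid=$(head -n 1 "$f")
        case $pid in
            ''|*[!0-9]*) echo "$addr"; continue ;;   # unreadable pid file
        esac
        kill -0 "$pid" 2>/dev/null || echo "$addr"   # pid gone: session ended
    done
}

# On a live gateway the table listing and cleanup would come from pfctl, e.g.:
#   pfctl -t authpf_users -T show | stale_entries /var/authpf |
#       while read -r a; do pfctl -t authpf_users -T delete "$a"; done
# Those pfctl calls are shown for reference only; they are not run here.

# run_demo builds a constructed session directory and table listing and returns
# the stale addresses: 192.0.2.10 has a live pid (this shell), 192.0.2.11 has a
# pid that has already exited, and 198.51.100.7 has no session file at all.
run_demo() {
    d=$(mktemp -d)
    echo "$$" > "$d/192.0.2.10"
    sleep 0 & dead=$!; wait "$dead"
    echo "$dead" > "$d/192.0.2.11"
    printf '   192.0.2.10\n   192.0.2.11\n   198.51.100.7\n' | stale_entries "$d"
    rm -rf "$d"
}

run_demo
```

Run it as-is to see the two stale entries from the constructed data; on a real gateway, replace the constructed listing with the output of `pfctl -t authpf_users -T show` and point `stale_entries` at /var/authpf. Note that an entry with a live pid is not necessarily legitimate: a backgrounded authpf of the kind Nick describes keeps its pid alive on purpose, so this check catches dead sessions, not deliberately held-open ones.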