On 9/15/19 7:31 AM, shadrock uhuru wrote:
> hi everyone
> I can login with authpf but unable to exit or control D out of the ssh
> session
> the only way out is to control C which also kills any other ordinary ssh
> user connected to the server
> my authpf user has authpf as its login shell and login class,
> is this normal behaviour ?
> shadrock
>

If I understand your request, you want someone to log into your system, which brings up authpf, and you want them to be able to do something to exit to a shell prompt on that server and still leave the authpf rules in place?

That's not the way authpf was designed. The idea is that when authpf is invoked, it activates certain rules, presumably regarding the IP address in question, and when authpf exits, it removes those changes. Connect to authpf, now you can access the web site, or FTP or whatever it is you need, terminate authpf, and no one else at your IP can do those things.

If you are letting these same users access the shell prompt, your usage is not as paranoid as authpf was designed to deal with, it's probably not the right tool for the job, or your expectations are wrong.

I run a private IRC server, which is blocked on the 'net by PF, but as all the users are people I know in real life and friends, I trust them to be able to activate their own IP addresses, so I just wrote a simple (and surely insecure) script to add that user's IP address to the PF table that permits them access to the system. What this doesn't do (and I'm not sure how you expect to do this) is clear the connections when they leave. In my case, I don't care -- the odds that after Fred gets a new IP address that his old IP address will end up in the hands of someone wanting to have access to my IRC server for malicious reasons (and they find it!) are pretty small. But that might not be your use case. If you need to close those openings...you had best think hard about how you expect that to happen.

Nick.
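
Added example, not Nick's script and not part of the original message: one way a script like the one described above could add the connecting client's address to a PF table while accepting only a bare IP address, together with the pfctl table expiry that can age old entries out. The table name irc_users, the PFCTL override and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: TABLE name and the PFCTL override are assumptions.
TABLE="${TABLE:-irc_users}"   # hypothetical PF table referenced by a pass rule
PFCTL="${PFCTL:-pfctl}"       # set PFCTL=echo to dry-run without touching PF

# Succeed only for a bare IPv4/IPv6 address: no CIDR suffix (which would
# admit a whole network), no hostname, no leading '-' read as an option.
valid_ip() {
    case "$1" in
        ''|*[!0-9A-Fa-f:.]*|*.) return 1 ;;
        *:*) return 0 ;;      # IPv6: character check only, pfctl parses it
    esac
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# First field of SSH_CONNECTION ("client_ip client_port server_ip server_port").
client_ip() {
    ip=${1%% *}
    valid_ip "$ip" || return 1
    printf '%s\n' "$ip"
}

# Add the connecting client's address to the table.
allow_client() {
    addr=$(client_ip "$1") || { echo "no usable client address" >&2; return 1; }
    "$PFCTL" -q -t "$TABLE" -T add "$addr"
}

# Remove entries added (or last had statistics cleared) more than $1 seconds
# ago; run from cron so old addresses do not stay permitted forever.
expire_stale() {
    "$PFCTL" -q -t "$TABLE" -T expire "$1"
}

# Run as the user's forced command or login script: script.sh run
if [ "${1:-}" = run ]; then allow_client "${SSH_CONNECTION:-}"; fi
```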