On Tue, Sep 10, 2024 at 08:32:05PM +0900, WATANABE Takeo wrote:
> Hi. misc@ users.
>
> I have previously consulted on the description of pf.conf.
> I have reflected on the advice I received
> at that time and can now use it normally, thank you very much.
>
> However, we have noticed that one problem has arisen.
> I used to use 'Yubikey (FIDO2)' to log in via SSH,
> but now I can't log in.
>
> Starting with OpenSSH 8.2,
> hardware authentication using U2F/FIDO2 devices is supported.
> We have been using one of these devices, the 'Yubikey',
> for key authentication using ed25519-sk.
>
> I found out that I can log in with normal public key
> cryptography authentication (ed25519) in the same pf.conf environment,
> and that I can log in with ed25519-sk key authentication if I stop pf.
>
> It occurred to me again that the pf.conf I had written might be the problem.
>
> Could you please advise and discuss my pf.conf once more so that
> it is more appropriate and I can log in with ed25519-sk key authentication?
> The current pf.conf is attached.
>
> # As there was no official OpenSSH user mailing list,
> # I posted this to misc@. If anyone knows of a suitable posting address,
> # please let us know.
>
> Sincerely yours,
>
> ---
> WATANABE, Takeo
> t...@kasaneiro.jp
>
> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services="{ domain, ntp }"
>
> set block-policy drop
> set loginterface vio0
>
> # don't filter on loopback interface
> set skip on lo0
>
> # set up a default deny policy
> block log all
>
> # Allow packets
> pass quick on vio0 proto tcp to any port $tcp_services keep state
> pass quick on vio0 proto udp to any port $udp_services keep state
>
> # Allow ICMP Packets
> pass quick on vio0 proto icmp to any keep state
> pass quick on vio0 proto icmp6 to any keep state

Does the pf log ("tcpdump -eti vio0" while attempting to login) and ssh -v (at least on the client, ideally on the server side too) give any clues?

--
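The reply above suggests reading the pf log while the login is attempted. The script below is an added example, not part of the thread and not a tool from OpenBSD or OpenSSH: it filters the packet lines that `tcpdump -n -e -ttt -i pflog0` prints on OpenBSD down to the packets the "block log all" rule dropped on port 22, and shows the rule number and direction for each. The log lines in PFLOG_SAMPLE are constructed for the example (the addresses 203.0.113.5 and 192.0.2.10 are documentation ranges, and the rule numbers are assumed); on a live system you would pipe tcpdump's output into blocked_ssh instead.

```shell
#!/bin/sh
# Added example: pull the blocked SSH packets out of pflog output.
# Expected input shape (OpenBSD tcpdump on pflog0 with -e):
#   <timestamp> rule N/(match) block in on vio0: SRC.PORT > DST.PORT: ...
# The four lines below are constructed sample data, not captured traffic.
PFLOG_SAMPLE='Sep 10 20:32:05.101 rule 0/(match) block in on vio0: 203.0.113.5.51234 > 192.0.2.10.22: S 1:1(0) win 65535
Sep 10 20:32:05.102 rule 2/(match) pass in on vio0: 203.0.113.5.51234 > 192.0.2.10.22: S 1:1(0) win 65535
Sep 10 20:32:35.500 rule 0/(match) block out on vio0: 192.0.2.10.22 > 203.0.113.5.51234: P 100:200(100) ack 1 win 65535
Sep 10 20:32:36.000 rule 0/(match) block in on vio0: 203.0.113.5.33333 > 192.0.2.10.443: S 1:1(0) win 65535'

# blocked_ssh: read pflog lines on stdin; for every packet pf blocked where
# either endpoint is port 22, print "rule <n> <direction> <src> > <dst>".
# Only "block" entries are reported, so packets passed by a later rule
# (line 2 of the sample) and blocked packets on other ports (line 4) are skipped.
blocked_ssh() {
    awk '
        /\/\(match\) block / {
            # locate the "rule" token so the timestamp format does not matter
            for (i = 1; i <= NF; i++) {
                if ($i == "rule") {
                    rule = $(i + 1); sub(/\/.*/, "", rule)   # "0/(match)" -> "0"
                    dir  = $(i + 3)                         # "in" or "out"
                    src  = $(i + 6)                         # "a.b.c.d.port"
                    dst  = $(i + 8); sub(/:$/, "", dst)     # strip trailing colon
                }
            }
            if (src ~ /\.22$/ || dst ~ /\.22$/)
                printf "rule %s %s %s > %s\n", rule, dir, src, dst
        }'
}

# Stand-alone run over the constructed sample; on a live host use
#   tcpdump -n -e -ttt -i pflog0 | blocked_ssh
printf '%s\n' "$PFLOG_SAMPLE" | blocked_ssh
```

With the sample input the script prints two lines, both hitting rule 0 (the "block log all" rule in the posted pf.conf): an inbound SYN to port 22 and an outbound packet from port 22. Seeing which direction is blocked, and whether the block lands on the default-deny rule or elsewhere, is the distinction the reply is asking the poster to establish before changing the ruleset.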