On Fri, Sep 15, 2006 at 09:18:09AM -0500, Jacob Yocom-Piatt wrote:
> ---- Original message ----
> >Date: Fri, 15 Sep 2006 14:21:22 +0200
> >From: viq <[EMAIL PROTECTED]>
> >Subject: Re: webbased authpf ?
> >To: misc@openbsd.org
> >
> >On 9/15/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >> On Fri, Sep 15, 2006 at 10:27:29AM +0200, Frans Haarman wrote:
> >> > Is there something which does "Authpf" like things, only via a website?
> >> > So the user authenticates on the website, then the firewall rules
> >> > are loaded!
>
> when i used to have access to HPC clusters for running simulations, a similar
> method to what the OP suggested was used for authentication: provide a
> login/password over the web to get their firewall to open up a port for you to
> ssh into for 8 hours at a time. the only problem i foresee with what you suggest
> is that apache would likely have to break its default chroot to run a script to
> update authpf files in /etc/authpf. if there is a way around breaking the
> chroot, such as having authpf look for its config files in a different
> location that is accessible to apache (e.g. /var/www/etc/authpf), that could
> work but i cannot speak from experience.
It would probably be best to let a daemon or cronjob outside the chroot read it; a socket or even a simple pipe in the chroot is sufficient to signal a daemon, or even send the whole IP address. Of course, this does result in a two-part script, but the separation is likely to be a good thing from a security standpoint.

Joachim
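The two-part split Joachim describes, written out as an added example; this is not code from the thread, from OpenBSD's authpf, or from any of the posters. The assumptions are: Apache is chrooted to /var/www and its CGI connects to a UNIX socket that the chroot sees as /var/run/webauth.sock (really /var/www/var/run/webauth.sock); a root daemon outside the chroot owns that socket, validates each message and, instead of authpf's per-user anchors in /etc/authpf, adds the address to a pf table named webauth (with `table <webauth> persist` and a `pass in quick proto tcp from <webauth> to any port ssh` rule assumed in pf.conf); and leases expire after 8 hours, as in the HPC setup Jacob mentioned. The daemon treats everything arriving over the socket as untrusted, since anything that can reach the socket inside the chroot can speak to it.

```python
"""Out-of-chroot half of a web-based authpf substitute (example, not authpf)."""
import ipaddress
import os
import re
import socket
import subprocess
import time

SOCK_PATH = "/var/www/var/run/webauth.sock"  # assumed: /var/run/webauth.sock inside the chroot
TABLE = "webauth"                              # assumed pf table, declared 'persist' in pf.conf
TTL = 8 * 3600                                 # lease length, 8 hours as in the HPC example
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class BadRequest(ValueError):
    """Raised for anything crossing the socket that we will not act on."""


def parse_request(line):
    """Validate one '<user> <ip>' line from the CGI; returns (user, ip) or raises BadRequest.

    The address string is re-emitted from the parsed object, so only a canonical
    IPv4/IPv6 literal ever reaches pfctl; no shell is involved either way.
    """
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    parts = line.strip().split()
    if len(parts) != 2:
        raise BadRequest("expected '<user> <ip>'")
    user, ip = parts
    if not USER_RE.match(user):
        raise BadRequest("bad username")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        raise BadRequest("bad address") from None
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        raise BadRequest("refusing to open the firewall for %s" % addr)
    return user, str(addr)


def pfctl_cmd(action, ip, table=TABLE):
    """Argument vector for adding/removing one address in the pf table."""
    if action not in ("add", "delete"):
        raise ValueError(action)
    return ["pfctl", "-q", "-t", table, "-T", action, ip]


def expire(sessions, now, ttl=TTL):
    """Drop leases older than ttl from sessions; returns the addresses to remove from pf."""
    expired = [ip for ip, (_user, granted) in sessions.items() if now - granted >= ttl]
    for ip in expired:
        del sessions[ip]
    return expired


def request_access(user, ip, sock_path="/var/run/webauth.sock"):
    """Chroot side: what the CGI does after it has authenticated the user.

    ip is the CGI's REMOTE_ADDR; the daemon re-validates it anyway.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(("%s %s\n" % (user, ip)).encode("ascii"))


def serve(sock_path=SOCK_PATH, run=subprocess.run):
    """Daemon loop: accept one request per connection, run pfctl, expire old leases."""
    sessions = {}  # ip -> (user, time granted)
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o660)  # assumed: rc script chgrps the socket to the www group
    srv.listen(5)
    srv.settimeout(60)          # wake up periodically to expire leases
    while True:
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            conn = None
        if conn is not None:
            with conn:
                conn.settimeout(5)
                try:
                    user, ip = parse_request(conn.recv(256))
                except (BadRequest, socket.timeout) as e:
                    print("rejected request: %s" % e)
                else:
                    run(pfctl_cmd("add", ip), check=False)
                    sessions[ip] = (user, time.time())
        for ip in expire(sessions, time.time()):
            run(pfctl_cmd("delete", ip), check=False)


if __name__ == "__main__":
    serve()
```

The pfctl calls go through an argument vector rather than a shell, so a hostile CGI (or anything else in the chroot that can open the socket) cannot turn the message into extra pfctl options; the daemon also refuses loopback, unspecified and multicast addresses outright. Revoking a lease only removes the table entry; if established sessions should also be cut, `pfctl -k` against the address would be the next step.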