scott wrote:
> RE: Also, "...new chroot functionality of ssh that
> is shipping with open 4.3, will help on doing this."
>
> I'll look into this. It's my understanding, flawed as it may be, that
> (i) sshd runs as root and (ii) there can be one instance only.

(i) Yes, it runs as root (because of tty allocation, and other things). The exception is that if the UsePrivilegeSeparation (default to yes) setting is being used, the sshd will drop the privilege to the user logging in.

(ii) There can be as many instances of sshd as you want. Just need to start them pointing to different config files (-f).

> Do you know if the sshd in 4.3 via chroot affords (i) sshd as a user or
> group id and (ii) would multiple instances (with different user/group
> ids) be possible. If these other-than-root user or group ids are
> filterable in pf it might work.

(i) Yes. Chroot can be set on a per user/group basis with the MatchUser/MatchGroup directive.

(ii) Yes, you can use the user keyword or the group keyword on pf to filter based on user and group, respectively. The only problem is that the connection must be made from the machine. Or you should use the authpf functionality.

> If this is the favorable case, then my problem may be solvable by
> running two sshd instances -- one for the outside to inside sessions and
> another handling the (inside) wifi sessions, each with the pf rules
> peculiar to the desired traffic flows.
>
> Or am I doing the exotic "zebra" instead of plain "horse" thing?

No, this is something that can be done. But instead I would recommend some kind of captive portal (wicap) or authpf to the wifi sessions.

> Thx.
> -----Original Message-----
> From: Giancarlo Razzolini <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: misc@openbsd.org
> Subject: Re: pf tag goes missing post sshd tcp decapsulization
> Date: Mon, 03 Mar 2008 13:02:02 -0300
> Mailer: Thunderbird 1.5.0.14pre (X11/20071023)
> Delivered-To: [EMAIL PROTECTED]
>
> Henning Brauer wrote:
>> * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]:
>>> Tags are only visible while in the kernel. Once you send them to an
>>> application, unless it has the ability to set a tag, the tag will be
>>> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on
>>> the packet. It would be nice if more userland applications like sshd,
>>> spamd, hoststated, etc, could set tags too.
>> actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically
>> inserts rules and makes THEM tag the packets. that concept doesn't
>> translate all that well to the other usage cases you mention.
>>
> And, as the packets pass by the rules that ftp-proxy inserted, they
> can be filtered on using the tag inserted with ftp-proxy. But it would
> be really nice to have other applications being able to "see" tags and
> set them too in the packets passing through them. But I don't see it
> much as a limitation. I do use the user keyword or other means to filter
> based on the application. Also, a very good thing is the ability to use
> the authpf. I also think that the new chroot functionality of ssh that
> is shipping with open 4.3, will help on doing this.
>
> My regards,
> --
> Giancarlo Razzolini
> Linux User 172199
> Red Hat Certified Engineer no:804006389722501
> Moleque Sem Conteudo Numero #002
> Slackware Current
> OpenBSD Stable
> Ubuntu 7.04 Feisty Fawn
> Snike Tecnologia em Informatica
> 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
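The layout discussed in this thread, a second sshd instance started with -f for the wifi side and authpf handing the per-user pf rules to the kernel, as an added configuration sketch that is neither from the thread nor from the OpenBSD project. The interface names, addresses, the "wifi" group and the user "scott" are assumptions; authpf(8) is assumed to be installed as the wifi users' login shell and /etc/authpf/authpf.conf to exist, as that tool requires.

```conf
# /etc/ssh/sshd_config.wifi  -- second sshd instance, started as
#   /usr/sbin/sshd -f /etc/ssh/sshd_config.wifi
# Binds only the (assumed) wifi address, so the default instance on the
# external address keeps its own config and its own pf rules.
ListenAddress 10.10.0.1
Port 22
PidFile /var/run/sshd.wifi.pid
UsePrivilegeSeparation yes
# authpf removes a user's rules when the session ends, so dead sessions
# must be noticed quickly (keepalive values suggested by authpf(8)).
ClientAliveInterval 15
ClientAliveCountMax 3
Match Group wifi
    # (assumed group) wifi users get a session only to drive authpf;
    # no tunnels through the gateway itself.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# /etc/pf.conf (fragment)
ext_if = "em0"
wifi_if = "ath0"
# authpf(8) adds each logged-in user's address to <authpf_users> and
# loads /etc/authpf/authpf.rules into a per-user sub-anchor.
table <authpf_users> persist
block in on $wifi_if
# Before authentication, wifi clients may only reach the gateway's sshd.
pass in quick on $wifi_if proto tcp from $wifi_if:network to ($wifi_if) port 22
anchor "authpf/*"
# The user keyword matches only sockets owned by a process on this host
# (the "connection must be made from the machine" point above); it does
# not see forwarded wifi traffic.
pass out on $ext_if proto tcp to any port 22 user scott

# /etc/authpf/authpf.rules -- loaded per user; $user_ip is the address
# the user's ssh session came from. Macros from pf.conf are not visible
# here, so interface names are spelled out.
pass in quick on ath0 from $user_ip to any
pass out quick on em0 from $user_ip to any
```

Once a wifi user's ssh session to 10.10.0.1 drops, authpf flushes that user's anchor, so the pass rules live exactly as long as the authenticated session.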