|
OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below. |
|
Thread Tools | Display Modes |
|
|
|||
Setting up OpenBSD as a ssh gateway
I'm setting up OpenBSD machine as an ssh gateway, (so have to first gain access to this machine before you can get to mail, dns and web servers). Anyone have any suggestions for set. I've been reading a lot but I want to ensure I haven't forgot anything. Also does OpenBSD use PF in place of stand hosts.deny?
Thanks, Darryl |
|
||||
I would use authpf(8), it was designed for just this purpose, and you should see if it meets your needs. In brief, a user authenticates with an ssh session, as long as that session is active, a set of rules associated with that user are anchored into your PF ruleset. When that session ends, so do those rules.
There was an interesting discussion in the misc@ mailing list about authpf this week regarding its limitations -- how someone on a NATted network who authenticates would authorize their entire NATted network; and some other possible "tailgating" attacks. I recommend a review of the thread, which began here: http://marc.info/?l=openbsd-misc&m=131556113701941&w=2 While hosts.deny(5) is an available service, I don't use it, as PF does all I need without the caveats, booby traps, and other problems inherent in the hosts access control language. PF also has the ability to automatically add attackers to block lists, which I prefer. |
|
|||
setting shell to authpf
man page says to set shell to authpf, however in /etc/shells there isn't a selection for authpf, and no such entry in /bin. Do I just add /bin/authpf to /etc/shells and it will allow to create a user with that shell, doesn't seem logical to me.
Just added /bin/authpf to /etc/shells then tried useradd and got to shell selection with the following response: Enter your default shell: csh ksh nologin sh [ksh]: authpf authpf: is not allowed So not sure how to set shell to authpf. Thanks guys Last edited by dbach; 12th January 2012 at 02:26 PM. |
|
||||
The AuthPF shell is a pseudo-shell. The authenticating user does not get anything other than a text message on their ssh terminal session, and keyboard entry is ignored. The shells(5) configuration file need not be altered, since that is to restrict end users to a list of authorized shells when they change shells on their own.
If you have a shell user who will -also- need authentication via AuthPF, that user will need two accounts. Please see the AuthPF chapter of the PF Users Guide. |
|
|||
/etc/adduser.conf
There is no adduser.conf in /etc, is it better to use useradd, or is this just 6 of one 1/2 dozen of another?
Thanks again, Darryl |
Tags |
gateway, ssh |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
OpenBSD 4.6 i386 boot hangs with old gateway system - resolved | comet--berkeley | OpenBSD Installation and Upgrading | 6 | 22nd July 2011 08:15 AM |
Setting up an OpenBSD firewall | Monkey | OpenBSD Security | 2 | 7th December 2010 10:30 AM |
issues with setting up symon on openbsd | badguy | OpenBSD Security | 12 | 22nd July 2009 02:21 AM |
openBSD IPSEC gateway w/WINDOWS XP roadwarrior | s2scott | OpenBSD Security | 7 | 13th January 2009 11:01 AM |
setting up a proxy server in OpenBSD 4.3 | jrake | OpenBSD General | 1 | 14th May 2008 06:43 PM |