[H-GEN] Re: Blocking SSH exploits
Byron Ellacott
bje at apnic.net
Wed Aug 25 19:19:09 EDT 2004
Jason Parker-Burlingham wrote:
> Byron Ellacott <bje at apnic.net> writes:
>>(As an aside, PAM doesn't actually allow you to provide different
>>policies based on any sort of connection class; in the end I said that
>>OTP auth was sufficient, but if that failed then the auth required
>>both a connection from a list of known hosts as well as the correct
>>password.)
> What's the PAM magic required to check against a list of known hosts?
My pam.d/common-auth now reads, sans comments:
auth sufficient pam_opie.so
auth requisite pam_listfile.so \
    onerr=fail item=rhost sense=allow \
    file=/etc/security/hosts.conf
auth required pam_unix.so nullok_secure
The first line tries Opie, and finishes there if Opie succeeds. Else,
it checks /etc/security/hosts.conf for a list of hostnames via the
pam_listfile module, and immediately fails if this test fails (i.e., it
doesn't prompt for a UNIX password for remote hosts). Finally, UNIX
authentication mechanisms kick in.
The hosts.conf is simply a list of hostnames, one per line. I perhaps
should have called it lanhosts.conf or similar. It doesn't, alas, allow
me to filter by IP range. It probably wouldn't be too hard to write a
pam_iprange module that ensured the connecting host was in a given
range. Maybe someone already has.
--
bje
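A model of how the stack above is evaluated, added here as an example and not code from the post: it simulates Linux-PAM's sufficient/requisite/required control flags over the three modules, records which prompts a client would see, and adds a pam_iprange stand-in for the IP-range check the post wishes for. The hosts.conf contents, the 192.0.2.0/24 range and the rhost values are constructed; pam_iprange is hypothetical.

```python
import ipaddress

# Constructed stand-in for /etc/security/hosts.conf: one hostname per line.
HOSTS_CONF = "workstation.lan\nlaptop.lan\n"
# Constructed range for the hypothetical pam_iprange module.
LAN_RANGE = ipaddress.ip_network("192.0.2.0/24")


def pam_opie(ctx):
    # Opie always issues an OTP challenge before deciding.
    ctx["prompts"].append("OTP challenge:")
    return ctx.get("otp_ok", False)


def pam_listfile(ctx):
    # item=rhost sense=allow onerr=fail: the connecting host must be listed.
    allowed = {l.strip() for l in HOSTS_CONF.splitlines() if l.strip()}
    return ctx.get("rhost") in allowed


def pam_iprange(ctx):
    # The module the post imagines: pass only if the client IP is in LAN_RANGE.
    try:
        return ipaddress.ip_address(ctx.get("rhost_ip", "")) in LAN_RANGE
    except ValueError:
        return False


def pam_unix(ctx):
    # Record that a UNIX password prompt was shown, then check the password.
    ctx["prompts"].append("Password:")
    return ctx.get("password_ok", False)


STACK = [("sufficient", pam_opie), ("requisite", pam_listfile), ("required", pam_unix)]
STACK_IPRANGE = [("sufficient", pam_opie), ("requisite", pam_iprange), ("required", pam_unix)]


def run_stack(stack, ctx):
    """Return (granted, prompts) using Linux-PAM control-flag semantics."""
    ctx = dict(ctx, prompts=[])
    failed = False
    for control, module in stack:
        ok = module(ctx)
        if control == "sufficient" and ok and not failed:
            return True, ctx["prompts"]        # stop here: no password asked
        if control == "requisite" and not ok:
            return False, ctx["prompts"]       # fail immediately, no prompt
        if control == "required" and not ok:
            failed = True                      # remember, but finish the stack
    return (not failed), ctx["prompts"]
```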