[H-GEN] Re: Blocking SSH exploits

Byron Ellacott bje at apnic.net
Wed Aug 25 19:19:09 EDT 2004


Jason Parker-Burlingham wrote:
> Byron Ellacott <bje at apnic.net> writes:
>>(As an aside, PAM doesn't actually allow you to provide different
>>policies based on any sort of connection class; in the end I said that
>>OTP auth was sufficient, but if that failed then the auth required
>>both a connection from a list of known hosts as well as the correct
>>password.)
> What's the PAM magic required to check against a list of known hosts?

My pam.d/common-auth now reads, sans comments:

auth sufficient pam_opie.so
auth requisite  pam_listfile.so \
                 onerr=fail item=rhost sense=allow \
                 file=/etc/security/hosts.conf
auth required   pam_unix.so nullok_secure

The first line tries Opie, and finishes there if Opie succeeds.  Else, 
it checks /etc/security/hosts.conf for a list of hostnames via the 
pam_listfile module, and immediately fails if this test fails (i.e., it 
doesn't prompt for a UNIX password for remote hosts).  Finally, UNIX 
authentication mechanisms kick in.

The hosts.conf is simply a list of hostnames, one per line.  I perhaps 
should have called it lanhosts.conf or similar.  It doesn't, alas, allow 
me to filter by IP range.  It probably wouldn't be too hard to write a 
pam_iprange module that ensured the connecting host was in a given 
range.  Maybe someone already has.

-- 
bje
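The core check a pam_iprange module of the kind Byron describes would perform, as an added example that is not part of the original post and not an existing module: it tests whether the connecting host (the string a real module would read from PAM_RHOST) falls inside an IPv4 CIDR range, and fails closed on anything it cannot parse. The libpam wrapper is assumed and left out so the logic compiles on its own.

```c
/* Hypothetical pam_iprange core (added example, not from the original post).
 * A real module would fetch the host via pam_get_item(pamh, PAM_RHOST, ...)
 * inside pam_sm_authenticate() and map 1/0 to PAM_SUCCESS/PAM_AUTH_ERR;
 * that wrapper is omitted so this compiles without libpam headers. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d/n" (bare address means /32); net and mask in network order. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash, *end;
    long bits = 32;
    struct in_addr addr;
    if (strlen(cidr) >= sizeof buf)
        return 0;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return 0;          /* "/", "/33", "/24x": reject, don't guess */
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return 0;
    *mask = bits == 0 ? 0 : htonl(0xffffffffu << (32 - bits));
    *net = addr.s_addr & *mask;
    return 1;
}

/* 1 if rhost (an IPv4 dotted quad) lies inside cidr.  Hostnames, IPv6 and
 * garbage return 0, in the spirit of onerr=fail on the pam_listfile line. */
int rhost_in_range(const char *rhost, const char *cidr)
{
    uint32_t net, mask;
    struct in_addr addr;
    if (!parse_cidr(cidr, &net, &mask) || inet_pton(AF_INET, rhost, &addr) != 1)
        return 0;
    return (addr.s_addr & mask) == net;
}

/* Check a NULL-terminated list of ranges, as read from a lanhosts.conf. */
int rhost_in_ranges(const char *rhost, const char *const *ranges)
{
    for (; *ranges; ranges++)
        if (rhost_in_range(rhost, *ranges))
            return 1;
    return 0;
}
```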
