PAM and OPIE and su

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Dec 16 03:49:28 PST 2005


Hey all,

this is sort of a weird question, but bear with me.  I notice that 
pam_securetty has a function that allows people to have to be "secure" 
before it will let them do something (for example, use login as root).

I've recently enabled telnetd on my system because of people trapped 
behind library terminals at school, or behind retarded proxies on computer 
labs where ssh apps are not installed.

The issue, of course, is that there's still technically the possibility of 
someone using su(1) as a wheel user, over a session which is now insecure.

What I'd like to be able to do is be able to know which sessions are 
ssh'd, and which sessions are telnet'd, and either require OTP for the 
ones which HAVE been used for telnet -- or allow normal passwords for the 
SSHable ones.

This would probably require modifications to either telnetd or sshd, as 
most of the playing I've done with PS to make a proof-of-concept shows 
both daemons as listing their terminals as ??, as opposed to showing the 
terminal ids being used.

If nothing else, a PAM module that can tell what method a user came in via 
would be useful.

Any ideas?

-Dan

--

"She's NOT my girlfriend!"

-Dan Mahoney, Quite a bit recently.

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
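As an added illustration (not part of the original post, and not FreeBSD or PAM project code) of the "which sessions are ssh'd and which are telnet'd" question: the daemons show `??` as their terminal, but each login shell still has a parent chain that leads back to sshd or telnetd, so the transport can be recovered by walking the process tree. The process table below is constructed for the example, in the column layout of `ps -axo pid,ppid,tty,comm`; the function names and the fail-safe choice of OTP for sessions of unknown origin are this example's own assumptions.

```python
"""Classify interactive sessions as ssh- or telnet-originated by walking the
process tree (added example; the process table is constructed, not real)."""
from typing import Dict, Tuple

# Constructed sample in the shape of `ps -axo pid,ppid,tty,comm` output.
# sshd forks a per-connection child; telnetd is spawned by inetd and
# runs login(1), which runs the shell.  A console getty is included so
# the "no network daemon above me" case is exercised too.
SAMPLE_PS = """\
  PID  PPID TTY      COMMAND
    1     0 ??       init
  512     1 ??       sshd
  513     1 ??       inetd
  700   512 ??       sshd
  701   700 ttyp0    tcsh
  800   513 ??       telnetd
  801   800 ttyp1    login
  802   801 ttyp1    sh
  803   802 ttyp1    su
  900     1 ttyv0    getty
"""

ProcTable = Dict[int, Tuple[int, str, str]]  # pid -> (ppid, tty, comm)

# Ancestor command names that identify the login transport.
TRANSPORTS = {"sshd": "ssh", "telnetd": "telnet"}


def parse_ps(text: str) -> ProcTable:
    """Parse the four-column ps listing into a pid -> (ppid, tty, comm) map."""
    table: ProcTable = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        pid, ppid, tty, comm = parts
        table[int(pid)] = (int(ppid), tty, comm)
    return table


def login_transport(table: ProcTable, pid: int) -> str:
    """Walk up from pid; the first sshd/telnetd ancestor names the transport."""
    seen = set()                                # guard against cyclic input
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, _tty, comm = table[pid]
        if comm in TRANSPORTS:
            return TRANSPORTS[comm]
        pid = ppid
    return "unknown"                            # console login or no known daemon


def transport_for_tty(table: ProcTable, tty: str) -> str:
    """Find any process on the given tty and classify its session."""
    for pid, (_ppid, t, _comm) in table.items():
        if t == tty:
            return login_transport(table, pid)
    return "unknown"


def su_policy_for_tty(table: ProcTable, tty: str) -> str:
    """Hypothetical policy hook: the post proposes OTP for telnet sessions and a
    normal password for ssh ones.  Unknown origin falls back to OTP (assumption)."""
    transport = transport_for_tty(table, tty)
    if transport == "ssh":
        return "password"
    return "otp"


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for tty in ("ttyp0", "ttyp1", "ttyv0"):
        print(tty, transport_for_tty(procs, tty), su_policy_for_tty(procs, tty))
```

This is a heuristic, not a security boundary: it trusts command names in the process table and only works for the session layouts it has seen (sshd child, inetd-spawned telnetd running login). A PAM module doing the same job would read PAM_TTY and PAM_RHOST from the handle rather than scraping ps, but it would face the same underlying problem the post describes, that neither daemon records the transport in a place su(1) can see.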


