Home page logo

basics logo Security Basics mailing list archives

Re: How (best) to use web-from entry of an OTP/OPIE password to control a PF-firewall?
From: Sean Malloy <spinelli85 () gmail com>
Date: Tue, 20 Nov 2007 00:14:54 -0600

On Mon, Nov 19, 2007 at 05:50:20PM -0800, Albert T wrote:

The first idea that came to my mind was authpf. Unfortunately it does not
meet your above requirements because it requires shell access. I think
you might want to consider using authpf instead. Here is a link to the
authpf section in the OpenBSD PF FAQ.


And a link to the authpf(8) man page for OpenBSD 4.2 release.


I didn't know about AuthPF.  Interesting.

But, as you point out, only shell access, right?

I have never actually set up authpf before but from the FAQ it looks
like any user that authenticates has their shell set to
/usr/sbin/authpf in /etc/passwd. So they don't get a traditional shell like ksh, csh,
or bash. Any client machine would need SSH client software installed to connect.

My remote users need to be able to access from "any Kinko's" (for
example) where there's no guarantee of Shell access, but *always* a
browser at hand.

If you want your clients to connect from "any Kinko's" you might look at
portable apps.


I saw a cool demo of portable apps about a month ago. They have a
portable version of PuTTY. Install portable PuTTY on a USB flash
drive and then keep the flash drive on your key chain. You can plug the USB flash 
drive into any computer running Microsoft Windows and run PuTTY off the flash drive.

AuthPF does look like it's worth learning about.



Sean Malloy
Home Page: www.catgrepsort.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]