This is a discussion on Re: feature-request: trap-door within the OpenSSH Development forums, part of the Networking and Network Related category.
Emil 'nobs' Obermayr wrote:
[...]
> So we had another idea: using a sequence of login-names directly to the
> ssh-server. If someone gives the right sequence of accounts, the IP will be
> accepted for "real" logins for a while. If the sequence is wrong, the IP can
> be logged in syslog and locked out totally from the system by another tool
> with a firewall.
>
> This could be a nice feature for people that need to have access to their
> system from varying clients all over the internet. Additionally when a hacker
> tries to hack the ssh he could be locked out from other services as well.
>
> Is it possible to put such a feature in sshd? Could it be a patch or
> external addon?

I doubt it. It's of very limited use and it's a DoS waiting to happen. If you're using an external authentication system such as PAM or BSDAuth then you can implement whatever policy you want at that level.

> What do you think?

It would be trivial to implement this with some kind of external log-watching process: create a group such as "sshallowed", then put "AllowGroups sshallowed" into sshd_config. The external process could then add/remove the appropriate user(s) to and from that group based on the activity in the log.

Just because it's possible doesn't make it a good idea, though.

--
Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
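The decision logic such an external log-watching process would need, added here as an illustration and not code from either poster or from OpenSSH: it scans the "Invalid user ... from ..." lines sshd writes to syslog, tracks each client address's progress through an assumed secret sequence of account names, and returns which addresses the external tool would admit and which it would lock out. The sample log lines, the sequence and the function names are constructed for this example; acting on the verdicts (a firewall rule or a group change) is outside the block.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape sshd uses for logins to
# nonexistent accounts; hosts and addresses are made up for this example.
SAMPLE_LOG = """\
Jan  1 10:00:01 host sshd[101]: Invalid user knock1 from 198.51.100.7
Jan  1 10:00:02 host sshd[102]: Invalid user knock2 from 198.51.100.7
Jan  1 10:00:03 host sshd[103]: Invalid user knock3 from 198.51.100.7
Jan  1 10:00:04 host sshd[104]: Accepted publickey for alice from 198.51.100.7
Jan  1 10:00:05 host sshd[105]: Invalid user admin from 203.0.113.9
Jan  1 10:00:06 host sshd[106]: Invalid user oracle from 203.0.113.9
Jan  1 10:00:07 host sshd[107]: Invalid user knock1 from 192.0.2.44
Jan  1 10:00:08 host sshd[108]: Invalid user root from 192.0.2.44
"""

# Assumed secret sequence of non-existent account names (the "knock").
KNOCK_SEQUENCE = ("knock1", "knock2", "knock3")

# Only failed-lookup lines matter; successful logins never advance a knock.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def evaluate_log(text, sequence=KNOCK_SEQUENCE):
    """Return {ip: 'allow' | 'lockout'} for every address that completed or
    broke the sequence. Addresses still mid-sequence are not reported."""
    progress = defaultdict(int)   # ip -> index of next expected name
    verdict = {}                  # first decision per ip is final
    for line in text.splitlines():
        match = INVALID_USER.search(line)
        if not match:
            continue
        user, ip = match.groups()
        if ip in verdict:
            continue
        if user == sequence[progress[ip]]:
            progress[ip] += 1
            if progress[ip] == len(sequence):
                verdict[ip] = "allow"
        else:
            # Any wrong name from the address ends it. This is the DoS the
            # reply warns about: one stray login attempt from a shared
            # (NAT) address locks out everyone behind it.
            verdict[ip] = "lockout"
    return verdict


if __name__ == "__main__":
    for ip, decision in evaluate_log(SAMPLE_LOG).items():
        print(ip, decision)
```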