Re: How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall?

On Mon, Nov 19, 2007 at 05:50:20PM -0800, Albert T wrote:

The first idea that came to my mind was authpf. Unfortunately it does not
meet your above requirements because it requires shell access. I think
you might want to consider using authpf instead. Here is a link to the
authpf section in the OpenBSD PF FAQ.

And a link to the authpf(8) man page for OpenBSD 4.2 release.

I didn't know about AuthPF. Interesting.

But, as you point out, only shell access, right?

I have never actually set up authpf before but from the FAQ it looks
like any user that authenticates has their shell set to
/usr/sbin/authpf in /etc/passwd. So they don't get a traditional shell like ksh, csh,
or bash. Any client machine would need SSH client software installed to connect.

My remote users need to be able to access from "any Kinko's" (for
example) where there's no guarantee of Shell access, but *always* a
browser at hand.

If you want your clients to connect from "any Kinko's" you might look at
portable apps.

I saw a cool demo of portable apps about a month ago. They have a
portable version of PuTTY. Install portable PuTTY on a USB flash
drive and then keep the flash drive on your key chain. You can plug the USB flash
drive into any computer running Microsoft Windows and run PuTTY off the flash drive.

AuthPF does look like it's worth learning about.
Sean Malloy
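For readers who, like the poster, have not set authpf up before: the pieces a minimal authpf deployment needs, added here as an illustration (this is not code from the thread or from the OpenBSD FAQ; the interface names, the internal network and the user "alice" are assumed, and the sample passwd line is constructed):

```pf
# /etc/passwd -- the user's login shell is authpf itself (assumed user "alice")
#   alice:*:1001:1001:Remote user:/home/alice:/usr/sbin/authpf

# /etc/pf.conf (excerpt) -- the authpf anchors must exist so the per-user
# rules that authpf(8) loads at login have somewhere to attach.
ext_if = "em0"                    # assumed external interface
int_if = "em1"                    # assumed internal interface
internal_net = "192.168.1.0/24"   # constructed example network

# Translation anchors; populated per user only if authpf.rules uses nat/rdr/binat.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

block all

# Before authentication the only service reachable from outside is sshd on
# the firewall itself, because the SSH login is the authpf login path.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
pass out on $ext_if keep state

# Filter anchor: rules loaded by authpf for each logged-in user land here.
anchor "authpf/*"

# /etc/authpf/authpf.rules -- loaded into the user's anchor after a successful
# SSH login; authpf replaces $user_ip with the source address of that session.
ext_if = "em0"
internal_net = "192.168.1.0/24"

pass in on $ext_if proto tcp from $user_ip to $internal_net port { 80 443 } keep state
```

The rules in the user's anchor exist only for the lifetime of that SSH session and are removed when it ends, which is exactly why a browser-only client with no SSH access cannot use this scheme as-is.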
