From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To: questions@freebsd.org
Date: Fri, 16 Dec 2005 07:01:35 -0500 (EST)
Subject: PAM and OPIE and su
Message-ID: <20051216045350.H35923@prime.gushi.org>

Hey all, this is sort of a weird question, but bear with me.

I notice that pam_securetty has a function that allows people to have to be "secure" before it will let them do something (for example, use login as root).

I've recently enabled telnetd on my system because of people trapped behind library terminals at school, or behind retarded proxies on computer labs where ssh apps are not installed. The issue, of course, is that there's still technically the possibility of someone using su(1) as a wheel user, over a session which is now insecure.

What I'd like to be able to do is be able to know which sessions are ssh'd, and which sessions are telnet'd, and either require OTP for the ones which HAVE been used for telnet -- or allow normal passwords for the SSHable ones.

This would probably require modifications to either telnetd or sshd, as most of the playing I've done with ps to make a proof-of-concept shows both daemons as listing their terminals as ??, as opposed to showing the terminal IDs being used.

If nothing else, a PAM module that can tell what method a user is in via would be useful.

Any ideas?

-Dan

-- 
"She's NOT my girlfriend!" -Dan Mahoney, Quite a bit recently.

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
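The post's proof-of-concept looked at the tty column of ps, which both daemons report as ?? and so tells you nothing. What does survive is the process ancestry: a shell (and any su run from it) descends from the sshd or telnetd process that accepted the connection. The script below is an added example, not code from the post or from FreeBSD; it walks parent PIDs with ps(1) until it meets sshd, telnetd or init and reports which login path the session came in over. It assumes a ps that accepts -o ppid= and -o comm= with -p PID (FreeBSD and Linux procps both do) and that the daemons' command names are "sshd" and "telnetd"; the lookup helpers are separate so they can be swapped for a constructed process table when testing.

```sh
#!/bin/sh
# Added example (not part of the original post): classify a session's
# login path by walking the process tree. Assumptions: ps(1) accepts
# -o ppid= / -o comm= with -p PID, and the daemons appear as the command
# names "sshd" and "telnetd".

# parent_of PID -> prints the parent PID, or nothing if PID is gone
parent_of() {
    ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '
}

# comm_of PID -> prints the command name of PID
comm_of() {
    ps -o comm= -p "$1" 2>/dev/null | tr -d ' '
}

# classify_session PID -> prints "ssh", "telnet" or "unknown"
# Walks upward from PID; stops at init (pid 1), at a missing process, or
# after 64 hops so a corrupt table can never loop forever.
classify_session() {
    pid=$1
    hops=0
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] && [ "$hops" -lt 64 ]; do
        case "$(comm_of "$pid")" in
            sshd|sshd:*) echo ssh;    return 0 ;;
            telnetd)     echo telnet; return 0 ;;
        esac
        pid=$(parent_of "$pid")
        hops=$((hops + 1))
    done
    # console logins, cron jobs and anything else land here
    echo unknown
    return 0
}

# Usage: report the path the current shell arrived over. A policy built on
# this would demand an OTP for "telnet" and accept a normal password for
# "ssh", as the post proposes; "unknown" should be treated as untrusted.
origin=$(classify_session $$)
echo "this session came in via: $origin"
```

The check is only as trustworthy as the process table: a user cannot forge an sshd ancestor, but a detached or re-parented process (a screen session, a nohup'd job) loses its lineage and comes back as "unknown", which is why that case should fall on the stricter side of whatever policy consumes the result.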