LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 06-18-2009, 06:08 PM   #1
tdnnash25
Member
 
Registered: Apr 2009
Posts: 63

Rep: Reputation: 15
Perl or PHP Script that can tail /var/log/auth.log - two-factor authentication


Is there some way to write code that would accomplish what I'm about to type?

IF I see this (PAM-listfile: Refused user root for service ssh) in /var/log/auth.log, then do this.

another example....

IF I see this (Accepted password for root from) in /var/log/auth.log, then do this.


My "do this" would then be something related to PAM.


Essentially my goal is this:

If I ssh to my server from an IP address I've connected from before, then just let me in. If I ssh to my server from an IP address that I've never connected to from before, then you need to two-factor my authentication attempt.


I currently have two-factor authentication setup using PhoneFactor. My /etc/pam.d/ssh config looks like this:

# PAM configuration for the Secure Shell service
auth required pam_listfile.so item=rhost sense=allow file=/etc/ssh/ssh.allow onerr=fail
auth sufficient /lib/security/pam_radius_auth.so


The first auth required looks at a file that contains IP addresses. If your IP is in here, you will receive a phone call (the second auth required line). If you press # after receiving the phone call, you gain access to the shell.

If your IP address is not in the ssh/ssh.allow file, you still get a phone call. If you press # after receiving the phone call, you are denied access to the shell because your IP is not in the "whitelist" file.

The goal is:
If I'm in the whitelist, don't PhoneFactor me, just let me in.
If I'm not in the whitelist, PhoneFactor me, then let me in. Then somehow I'll write a script that adds the IP address I just connected from to the whitelist.

Currently, like I said. I get a PhoneFactor call no matter what. But, if my IP is not in the ssh.allow file, I'm denied.

Any suggestions on completing this task? Custom PAM module that will look at one condition and if met, pass it on? Or, if the condiition isn't met, pass it on to something else?
 
Old 06-18-2009, 08:36 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,280

Rep: Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032Reputation: 2032
Relevant Perl module http://search.cpan.org/~mgrabnar/Fil...0.99.3/Tail.pm
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
convert LAN IP address to Host Name when I give cmd tail -f /var/log/squid/access.log rs15 Linux - Networking 6 01-22-2012 01:45 AM
the significance and name of the 5th column of /var/log/auth.log (ubuntu server)? CoffeeKing!!! Linux - Security 4 02-05-2009 07:32 AM
What the %$#@ is pam_unix (cron:session) doing every ten minutes? (/var/log/auth.log) CoffeeKing!!! Linux - Security 3 02-05-2009 07:07 AM
/var/log/auth.log doens't have correct date and hostname (Solution) alfmarius Linux - Newbie 0 10-07-2008 06:09 AM
weird stuff in /var/log/auth.log bschiett Linux - Security 3 03-12-2005 08:29 AM


All times are GMT -5. The time now is 11:28 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration