Old 06-18-2009, 07:08 PM   #1
Perl or PHP Script that can tail /var/log/auth.log - two-factor authentication

Is there some way to write code that would accomplish what I'm about to type?

IF I see this (PAM-listfile: Refused user root for service ssh) in /var/log/auth.log, then do this.

Another example...

IF I see this (Accepted password for root from) in /var/log/auth.log, then do this.

My "do this" would then be something related to PAM.

Essentially my goal is this:

If I ssh to my server from an IP address I've connected from before, then just let me in. If I ssh to my server from an IP address that I've never connected from before, then you need to two-factor my authentication attempt.

I currently have two-factor authentication set up using PhoneFactor. My /etc/pam.d/ssh config looks like this:

# PAM configuration for the Secure Shell service
auth required item=rhost sense=allow file=/etc/ssh/ssh.allow onerr=fail
auth sufficient /lib/security/

The first auth required looks at a file that contains IP addresses. If your IP is in here, you will receive a phone call (the second auth required line). If you press # after receiving the phone call, you gain access to the shell.

If your IP address is not in the ssh/ssh.allow file, you still get a phone call. If you press # after receiving the phone call, you are denied access to the shell because your IP is not in the "whitelist" file.

The goal is:
If I'm in the whitelist, don't PhoneFactor me, just let me in.
If I'm not in the whitelist, PhoneFactor me, then let me in. Then somehow I'll write a script that adds the IP address I just connected from to the whitelist.

Currently, like I said, I get a PhoneFactor call no matter what. But, if my IP is not in the ssh.allow file, I'm denied.

Any suggestions on completing this task? Custom PAM module that will look at one condition and if met, pass it on? Or, if the condition isn't met, pass it on to something else?
Old 06-18-2009, 09:36 PM   #2
Relevant Perl module
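
The log-watching half of the first post's goal, as an added example that is not part of the thread (Python rather than the Perl or PHP asked about): it follows auth.log, takes the source address from sshd's "Accepted password for root from" line, and appends it to the ssh.allow file. The syslog line layout, the function names, and the anchoring of the pattern to the sshd tag (so text inside a logged username cannot match) are assumptions of this example.

```python
import ipaddress
import re
import time

# Assumed layout: "Mon DD HH:MM:SS host sshd[pid]: message". Matching from the
# start of the line keeps text embedded in a logged username from matching.
ACCEPTED = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[\d+\]:\s"
    r"Accepted password for root from (\S+) port \d+"
)

def accepted_root_ip(line):
    """Return the validated source IP of an accepted root login, else None."""
    m = ACCEPTED.match(line)
    try:
        return str(ipaddress.ip_address(m.group(1))) if m else None
    except ValueError:
        return None  # hostname or garbage: never write it to the allow file

def add_to_allowlist(path, ip):
    """Append ip on its own line unless already listed. True if added."""
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    if ip in text.split():
        return False
    with open(path, "a") as fh:
        # Repair a missing final newline so entries never run together.
        fh.write(("\n" if text and not text.endswith("\n") else "") + ip + "\n")
    return True

def follow(path, poll=1.0):
    """Yield lines appended to path, like tail -f (no log-rotation handling)."""
    with open(path) as fh:
        fh.seek(0, 2)  # start at end of file
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)

if __name__ == "__main__":
    # Paths are the ones named in the post.
    for line in follow("/var/log/auth.log"):
        ip = accepted_root_ip(line)
        if ip and add_to_allowlist("/etc/ssh/ssh.allow", ip):
            print("allowlisted", ip)
```
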

