Something I've been thinking about is the problem of giving out fwknop access with specific username and passphrase pairs; you end up with a lot of credentials floating around, and no way of really expiring that access other than by manually editing access.conf.

A simple solution would involve the following:

1. sub SPA_check_user() should check for an expired account as well as a valid username, since we know when a username is being used. Log the result.
2. Need a new sub to read the expiry file list and get a list of expired accounts by username - need to define $username_exp_list = path to expiry list.
   2.1 Add an option for turning on username expiry in /etc/fwknop/fwknop.conf.
   2.2 Modify fwknopd to recognize the username expiry option in the .conf file.
3. Need a daemon to check logs and add usernames to the expiry list (this should NOT be in the access.conf, since we probably don't want to risk writing to that file).

I'd assume that the expiry list would need to be read on the fly (not sure if this might create some overhead if reading large lists) in order to make the expiry take effect as soon as a username is expired.

As a few of us discussed at defcon, there are probably a lot of interesting features that could be added to this functionality, such as a secure way to notify users of their blacklisting, or combining the fwknop blacklisting with irc k-lining, and so on. The blacklist could also enable set hours when certain profiles are enabled or disabled.

-- mart
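The three pieces sketched above (an expiry check inside the user check, an expiry list read on the fly, and a separate writer that never touches access.conf) as a stand-alone model. This is an added example, not fwknop's own code: fwknopd's SPA_check_user() is Perl, and the names here (ExpiryList, spa_check_user, expire_user, the `<username> <unix-epoch>` file format and the expired_users.list path) are assumptions for illustration. Instead of re-parsing the list on every SPA packet, the reader compares the file's mtime/size/inode signature and only reloads when the file has actually changed, which addresses the overhead concern for large lists; the writer appends via write-to-temp plus rename so a concurrent reader never sees a half-written file.

```python
"""Model of username expiry for an SPA daemon (added example, not fwknop code).

Assumed expiry list format (one entry per line, '#' starts a comment):
    <username> <expires_at_unix_epoch>
An entry whose timestamp is <= now means the username is expired.
"""
import logging
import os
import tempfile
import time

log = logging.getLogger("spa-expiry")


class ExpiryList:
    """Expired-username list that is re-read only when the file changes."""

    def __init__(self, path):
        self.path = path
        self._sig = None       # (mtime_ns, size, inode) of the last parsed file
        self._entries = {}     # username -> expiry epoch

    def _reload_if_changed(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            self._entries, self._sig = {}, None   # no list yet: nobody is expired
            return
        sig = (st.st_mtime_ns, st.st_size, st.st_ino)
        if sig == self._sig:
            return                                # unchanged: skip the re-parse
        entries = {}
        with open(self.path) as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.split("#", 1)[0].strip()
                if not line:
                    continue
                parts = line.split()
                if len(parts) != 2 or not parts[1].isdigit():
                    log.warning("%s:%d: malformed expiry entry ignored", self.path, lineno)
                    continue
                entries[parts[0]] = int(parts[1])
        self._entries, self._sig = entries, sig

    def is_expired(self, username, now=None):
        self._reload_if_changed()
        now = time.time() if now is None else now
        exp = self._entries.get(username)
        return exp is not None and exp <= now


def spa_check_user(username, allowed_users, expiry, now=None):
    """Accept only a known, unexpired username; log every decision.

    This is the point where the username is known, so expiry is decided here
    instead of by editing access.conf.
    """
    if username not in allowed_users:
        log.warning("SPA username %r not in access list", username)
        return False
    if expiry.is_expired(username, now):
        log.warning("SPA username %r has expired", username)
        return False
    log.info("SPA username %r accepted", username)
    return True


def expire_user(path, username, expires_at):
    """Daemon side: append an entry atomically (temp file + rename)."""
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    if existing and not existing.endswith("\n"):
        existing += "\n"
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".expiry-")
    with os.fdopen(fd, "w") as fh:
        fh.write(existing + "%s %d\n" % (username, int(expires_at)))
    os.replace(tmp, path)


def demo(workdir):
    """Constructed scenario: alice valid, bob already expired, carol expires later."""
    path = os.path.join(workdir, "expired_users.list")
    with open(path, "w") as fh:
        fh.write("# username  expires_at (unix epoch)\n")
        fh.write("bob 1000000000\n")
        fh.write("carol 2000000000\n")
    allowed = {"alice", "bob", "carol", "dave"}
    expiry = ExpiryList(path)
    now = 1500000000
    results = {u: spa_check_user(u, allowed, expiry, now)
               for u in ("alice", "bob", "carol", "mallory")}
    # The daemon expires alice; the very next check sees it without a restart.
    expire_user(path, "alice", now)
    results["alice_after"] = spa_check_user("alice", allowed, expiry, now)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

Run it directly and the log shows each decision; bob and the unknown mallory are refused, alice is accepted until the writer adds her and is refused on the following check.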
