Out of curiosity I'd like to come back to my initial question above:

Does anybody have experience or further reading about NetBSD firewall and
the PAM system? Installing the PAM-af package was easy, but it's obviously
not working. How do I start it? I assume the relevant files are located in
/etc/pam.d/, but I'm reluctant to change anything without deeper
understanding - for fear that my attempt to fix a problem may open a
security hole.
You should be aware that you need to enable the usage of PAM within
/etc/ssh/sshd_config (UsePAM yes|no). Sadly, the man pages of SSH in
NetBSD do not mention this.

Here is an excerpt of an SSH man page I have from another system:

<snip>
UsePAM
    Enables the Pluggable Authentication Module interface. If set to
    ``yes'' this will enable PAM authentication using
    ChallengeResponseAuthentication and PAM account and session module
    processing for all authentication types.

    Because PAM challenge-response authentication usually serves an
    equivalent role to password authentication, you should disable either
    PasswordAuthentication or ChallengeResponseAuthentication.

    If UsePAM is enabled, you will not be able to run sshd(8) as a
    non-root user. The default is ``no''.
</snip>
PAM is automatically installed with NetBSD nowadays, so all you -should-
need to do is to enable it within the sshd_config, and maybe edit the
/etc/pam.d/sshd file appropriately.

How pam-af is brought to work, I cannot say. I have no experience with it,
since I have never used it. All I can say is, it needs to be inserted into
/etc/pam.d/sshd, probably with a line like this one:

auth required pam_af no_warn

How it can be told whether to call pf, ipf or whatever packet-filter CLI
tool to use, I cannot say. Information about pam-af seems a bit thin.

I hope this was helpful in regard to your original question.

(denyhosts looks a bit easier to me, since you need neither a packet filter
nor PAM, and /etc/hosts.deny and tcpwrappers exist on your system anyway,
and transparently so.)

- Volkmar
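The two settings the reply turns on (UsePAM in sshd_config and a pam_af line in /etc/pam.d/sshd) are easy to get subtly wrong: sshd_config keywords are case-insensitive, the first non-comment occurrence wins (a commented-out "#UsePAM no" does nothing, and a second "UsePAM" lower in the file is ignored), and the man page excerpt warns against leaving both PasswordAuthentication and ChallengeResponseAuthentication enabled. The following POSIX shell script is an added example, not from the thread, Volkmar, or the pam-af package; it checks those three points on copies of the two files. The sample files are constructed here (the pam line is Volkmar's suggested one), and the assumption that sshd defaults PasswordAuthentication and ChallengeResponseAuthentication to "yes" when unset matches sshd_config(5).

```shell
#!/bin/sh
# Added example: sanity-check the UsePAM / pam_af wiring described in the
# thread. Runs against constructed sample files, not the live system.

# Constructed sample sshd_config (note the commented-out line and the
# duplicate keyword below the first real one).
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# comment line
#UsePAM no
UsePAM yes
usepam no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF

# Constructed sample /etc/pam.d/sshd with the line suggested in the reply.
SAMPLE_PAM_SSHD=$(mktemp)
cat > "$SAMPLE_PAM_SSHD" <<'EOF'
# PAM configuration for "sshd" (constructed sample)
auth        required    pam_af      no_warn
auth        include     system
account     include     system
EOF

# sshd_effective_value FILE KEYWORD
# Prints the effective value of KEYWORD: comments are skipped, keywords are
# compared case-insensitively, and the first match wins (later duplicates are
# ignored, as sshd does). Assumes the "keyword value" form, not "keyword=value".
sshd_effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# usepam_enabled FILE -> prints yes or no; sshd defaults UsePAM to "no".
usepam_enabled() {
    v=$(sshd_effective_value "$1" UsePAM | tr 'A-Z' 'a-z')
    case "$v" in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# pam_af_in_auth_stack FILE -> prints yes if a non-comment "auth" line loads
# pam_af (with or without a .so suffix).
pam_af_in_auth_stack() {
    if awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 ~ /^pam_af(\.so)?$/ { found = 1 }
        END { exit !found }
    ' "$1"; then
        echo yes
    else
        echo no
    fi
}

# both_password_methods_on FILE -> prints yes when PasswordAuthentication and
# ChallengeResponseAuthentication are both effectively on, the overlap the
# man page excerpt says to avoid. Both default to "yes" when unset.
both_password_methods_on() {
    p=$(sshd_effective_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    c=$(sshd_effective_value "$1" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    [ -z "$p" ] && p=yes
    [ -z "$c" ] && c=yes
    if [ "$p" = yes ] && [ "$c" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# Human-readable summary for the sample files.
report() {
    echo "UsePAM effective:                  $(usepam_enabled "$1")"
    echo "pam_af in auth stack:              $(pam_af_in_auth_stack "$2")"
    echo "password + challenge-response on:  $(both_password_methods_on "$1")"
}

report "$SAMPLE_SSHD_CONFIG" "$SAMPLE_PAM_SSHD"
```

To run it against a real machine, point the two functions at /etc/ssh/sshd_config and /etc/pam.d/sshd instead of the temp files; the "both on" line is the one to act on, since the excerpt says one of the two methods should be disabled once UsePAM is set.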