.\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $
.\"
.\" Copyright (c) 2002 Bob Beck <beck@openbsd.org>. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd April 21, 2018
.Dt AUTHPF 8
.Os
.Sh NAME
.Nm authpf
.Nd authenticating gateway user shell
.Sh SYNOPSIS
.Nm
.Sh DESCRIPTION
.Nm
is a user shell for authenticating gateways.
It is used to change
.Xr pf 4
rules when a user authenticates and starts a session with
.Xr sshd 8
and to undo these changes when the user's session exits.
It is designed for changing filter and translation rules for an individual
source IP address as long as a user maintains an active
.Xr ssh 1
session.
Typical use would be for a gateway that authenticates users before
allowing them Internet use, or a gateway that allows different users into
different places.
.Nm
logs the successful start and end of a session to
.Xr syslogd 8 .
This, combined with properly set up filter rules and secure switches,
can be used to ensure users are held accountable for their network traffic.
.Pp
.Nm
can add filter and translation rules using the syntax described in
.Xr pf.conf 5 .
.Nm
requires that the
.Xr pf 4
system be enabled before use.
.Pp
.Nm
is meant to be used with users who can connect via
.Xr ssh 1
only.
On startup,
.Nm
retrieves the client's connecting IP address via the
.Ev SSH_CLIENT
environment variable and, after performing additional access checks,
reads a template file to determine what filter and translation rules
(if any) to add.
On session exit the same rules that were added at startup are removed.
.Pp
Each
.Nm
process stores its rules in a separate ruleset inside a
.Xr pf 4
.Pa anchor
shared by all
.Nm
processes.
By default, the
.Pa anchor
name "authpf" is used, and each ruleset is named after the username and
PID of its
.Nm
process, as "username(pid)".
The following rules need to be added to the main ruleset
.Pa /etc/pf.conf
in order to cause evaluation of any
.Nm
rules:
.Bd -literal -offset indent
nat-anchor authpf
rdr-anchor authpf
binat-anchor authpf
anchor authpf
.Ed
.Pp
Anchor rules are evaluated at the point where they appear in
.Pa /etc/pf.conf ,
and
.Xr pf 4
applies the last matching rule unless a rule is marked
.Cm quick ,
so a main-ruleset rule placed after the anchor can override a user's
ruleset unless that ruleset uses
.Cm quick .
.Sh FILTER AND TRANSLATION RULES
Filter and translation rules for
.Nm
use the same format described in
.Xr pf.conf 5 .
The only difference is that these rules may (and probably should) use
the macro
.Em user_ip ,
which is assigned the connecting IP address whenever
.Nm
is run.
Additionally, the macro
.Em user_id
is assigned the user name.
.Pp
Filter and nat rules will first be searched for in
.Pa /etc/authpf/users/$USER/
and then in
.Pa /etc/authpf/ .
Per-user rules from the
.Pa /etc/authpf/users/$USER/
directory are intended to be used when non-default rules
are needed on an individual user basis.
It is important to ensure that a user cannot write to or change
these configuration files:
.Nm
loads them into
.Xr pf 4
on the user's behalf, so anyone who can edit them can load filter rules
of their own choosing.
.Pp
Filter and translation rules are loaded from the file
.Pa /etc/authpf/users/$USER/authpf.rules .
If this file does not exist the file
.Pa /etc/authpf/authpf.rules
is used.
The
.Pa authpf.rules
file must exist in one of the above locations for
.Nm
to run.
.Pp
Translation rules are also loaded from this file.
The use of translation rules in an
.Pa authpf.rules
file is optional.
.Sh CONFIGURATION
Options are controlled by the
.Pa /etc/authpf/authpf.conf
file.
If the file is empty, defaults are used for all
configuration options.
The file consists of pairs of the form
.Li name=value ,
one per line.
Currently, the recognised options are as follows:
.Bl -tag -width Ds
.It anchor=name
Use the specified
.Pa anchor
name instead of "authpf".
The anchor lines in
.Pa /etc/pf.conf
must then use the same name.
.El
.Sh USER MESSAGES
On successful invocation,
.Nm
displays a message telling the user he or she has been authenticated.
It will additionally display the contents of the file
.Pa /etc/authpf/authpf.message
if the file exists and is readable.
.Pp
Two mechanisms give finer control over who may use the gateway.
The first allows every user who has authenticated to
.Xr ssh 1
and denies access to only a few troublesome individuals.
This is done by creating a file with the banned user's login name as the
filename in
.Pa /etc/authpf/banned/ .
The contents of this file will be displayed to a banned user, thus providing
a method for informing the user that they have been banned, and where they can
go and how to get there if they want to have their service restored.
Allowing everyone who is not explicitly banned is the default behaviour.
.Pp
The second mechanism configures
.Nm
to allow only specific users access.
This is done by listing their login names, one per line, in
.Pa /etc/authpf/authpf.allow .
If "*" is found on a line, then all usernames match.
If
.Nm
is unable to verify the user's permission to use the gateway, it will
print a brief message and die.
It should be noted that a ban takes precedence over an allow.
.Pp
On failure, messages will be logged to
.Xr syslogd 8
for the system administrator.
The user does not see these, but will be told the system is unavailable due to
technical difficulties.
The contents of the file
.Pa /etc/authpf/authpf.problem
will also be displayed if the file exists and is readable.
.Sh CONFIGURATION ISSUES
.Nm
maintains the changed filter rules as long as the user maintains an
active session.
Remember, however, that the existence of this session is what marks the
user as authenticated.
Because of this, it is important to configure
.Xr sshd 8
to ensure the security of the session, and to ensure that the network
through which users connect is secure.
.Xr sshd 8
should be configured to use the
.Ar ClientAliveInterval
and
.Ar ClientAliveCountMax
parameters to ensure that an ssh session is terminated quickly if
it becomes unresponsive, or if ARP or address spoofing is used to
hijack the session.
Note that TCP keepalives are not sufficient for this:
they are unauthenticated TCP segments that anyone able to spoof the
client's address can answer, whereas client alive messages are carried
inside the encrypted ssh channel and cannot be forged.
.Pp
.Nm
will remove state table entries that were created during a user's
session.
This ensures that there will be no unauthenticated traffic
allowed to pass after the controlling
.Xr ssh 1
session has been closed.
.Pp
.Nm
is designed for gateway machines which typically do not have regular
(non-administrative) users using the machine.
An administrator must remember that
.Nm
takes the client address from the environment it is run in, so any
regular user who can execute it could load the rules from the
configuration files into the filter for an address of their choosing.
In the case where a machine has regular users using it, as well
as users with
.Nm
as their shell, the regular users should be prevented from running
.Nm
by using the
.Pa /etc/authpf/authpf.allow
or
.Pa /etc/authpf/banned/
facilities.
.Pp
.Nm
modifies the packet filter and address translation rules, and because
of this it needs to be configured carefully.
.Nm
will not run and will exit silently if the
.Pa /etc/authpf/authpf.conf
file does not exist.
After considering the effect
.Nm
may have on the main packet filter rules, the system administrator may
enable
.Nm
by creating an appropriate
.Pa /etc/authpf/authpf.conf
file.
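.Pp
The access checks and template handling described in the sections above
can be modelled in a few lines.
The following Python script is an added example, not authpf's own code
(which is written in C): it takes the client address from
.Ev SSH_CLIENT ,
applies the
.Pa banned/
and
.Pa authpf.allow
rules with a ban winning over an allow, prefers the per-user
.Pa authpf.rules
over the site-wide one, and expands the
.Em user_ip
and
.Em user_id
macros.
The
.Xr pfctl 8
command line it builds is an assumption based on pfctl's documented
.Fl a , Fl D
and
.Fl f
flags, and the directory layout it populates under a temporary directory is
constructed for the demo; the login-name check is the example's own guard
against a name being used to build a path outside the configuration
directory.

```python
"""Model of the access checks and rule-template expansion authpf performs.

Added example, not authpf's own source.  It follows the behaviour the man
page describes: the client address comes from SSH_CLIENT, a file in
banned/ beats authpf.allow, "*" in authpf.allow matches everybody, a
missing authpf.allow means everybody who authenticated is allowed, and a
per-user authpf.rules takes precedence over the site-wide one.  The
directory is a parameter so the demo can run against a temporary copy
of /etc/authpf.  The pfctl(8) command line is an assumption built from
pfctl's documented -a, -D and -f flags, not copied from authpf.c.
"""
import ipaddress
import os
import re
import tempfile
from pathlib import Path

# Login names are used to build paths under the config directory, so reject
# anything that could escape it (this check is the example's own).
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$")
_MACRO_RE = re.compile(r"\$(user_ip|user_id)\b")


def client_ip(environ=None):
    """Return the connecting address: first field of SSH_CLIENT ("ip port port")."""
    env = os.environ if environ is None else environ
    fields = env.get("SSH_CLIENT", "").split()
    if not fields:
        raise PermissionError("SSH_CLIENT not set: not running under sshd")
    # ipaddress raises ValueError on anything that is not an IP address.
    return str(ipaddress.ip_address(fields[0]))


def check_access(confdir, user):
    """Return (allowed, message).  A ban file always wins over authpf.allow."""
    confdir = Path(confdir)
    if not _USERNAME_RE.match(user):
        return False, "invalid login name"
    ban = confdir / "banned" / user
    if ban.is_file():
        return False, ban.read_text()          # shown to the banned user
    allow = confdir / "authpf.allow"
    if allow.is_file():
        names = {line.strip() for line in allow.read_text().splitlines()}
        if user not in names and "*" not in names:
            return False, "not permitted to use the gateway"
    return True, ""                             # no allow file: everyone authenticated


def rules_file(confdir, user):
    """Per-user authpf.rules first, then the site-wide default; error if neither."""
    for cand in (Path(confdir, "users", user, "authpf.rules"),
                 Path(confdir, "authpf.rules")):
        if cand.is_file():
            return cand
    raise FileNotFoundError("no authpf.rules found; authpf will not run")


def render_rules(template, user, ip):
    """Expand $user_ip and $user_id the way pfctl -D macro=value does."""
    values = {"user_ip": ip, "user_id": user}
    return _MACRO_RE.sub(lambda m: values[m.group(1)], template)


def pfctl_command(anchor, user, pid, ip, rules_path):
    """Load the template into the per-session ruleset <anchor>/<user>(<pid>)."""
    return ["pfctl", "-a", f"{anchor}/{user}({pid})",
            "-D", f"user_ip={ip}", "-D", f"user_id={user}",
            "-f", str(rules_path)]


def demo():
    """Constructed layout: alice, bob, carol, dave allowed; bob also banned."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp)
        (conf / "banned").mkdir()
        (conf / "users" / "carol").mkdir(parents=True)
        (conf / "authpf.allow").write_text("alice\nbob\ncarol\ndave\n")
        (conf / "banned" / "bob").write_text("Banned: see the helpdesk.\n")
        (conf / "authpf.rules").write_text(
            "pass in quick on fxp0 from $user_ip to any\n")
        (conf / "users" / "carol" / "authpf.rules").write_text(
            "pass in quick on fxp0 proto tcp from $user_ip to any port 22\n")
        ip = client_ip({"SSH_CLIENT": "10.0.1.50 51234 22"})  # constructed
        results = {}
        for user in ("alice", "bob", "carol", "eve"):
            allowed, message = check_access(conf, user)
            results[user] = {"allowed": allowed, "message": message}
            if allowed:
                path = rules_file(conf, user)
                results[user]["per_user"] = path.parent.name == user
                results[user]["rules"] = render_rules(path.read_text(), user, ip)
        return results


if __name__ == "__main__":
    for user, info in demo().items():
        print(user, info)
```

Run directly, the script prints the decision for each of the four constructed
users: alice gets the site-wide rules, carol her own, bob is refused with the
ban message even though he is in the allow list, and eve is refused because
she is not listed.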
.Sh FILES
.Bl -tag -width "/etc/authpf/users/$USER/authpf.rules" -compact
.It Pa /etc/authpf/authpf.conf
.It Pa /etc/authpf/authpf.allow
.It Pa /etc/authpf/authpf.rules
.It Pa /etc/authpf/users/$USER/authpf.rules
.It Pa /etc/authpf/banned/
.It Pa /etc/authpf/authpf.message
.It Pa /etc/authpf/authpf.problem
.El
.Sh EXAMPLES
.Sy Control Files
\- To illustrate the user-specific access control
mechanisms, let us consider a typical user named bob.
Normally, as long as bob can authenticate himself, the
.Nm
program will load the appropriate rules.
This is where the
.Pa /etc/authpf/banned/
directory comes in.
If bob has somehow fallen from grace in the eyes of the
powers-that-be, they can prohibit him from using the gateway by creating
the file
.Pa /etc/authpf/banned/bob
containing a message about why he has been banned from using the network.
Once bob has done suitable penance, his access may be restored by moving or
removing the file
.Pa /etc/authpf/banned/bob .
.Pp
Now consider a workgroup containing alice, bob, carol and dave.
They have a
wireless network which they would like to protect from unauthorized use.
To accomplish this, they create the file
.Pa /etc/authpf/authpf.allow
which lists their login ids, one per line.
At this point, even if eve could authenticate to
.Xr sshd 8 ,
she would not be allowed to use the gateway.
Adding and removing users from
the work group is a simple matter of maintaining a list of allowed userids.
If bob once again manages to annoy the powers-that-be, they can ban him from
using the gateway by creating the familiar
.Pa /etc/authpf/banned/bob
file.
Though bob is listed in the allow file, he is prevented from using
this gateway due to the existence of a ban file.
.Pp
.Sy Distributed Authentication
\- It is often desirable to interface with a
distributed password system rather than forcing the sysadmins to keep a large
number of local password files in sync.
The
.Xr login.conf 5
mechanism in
.Ox
can be used to fork the right shell.
To make that happen,
.Xr login.conf 5
should have entries that look something like this:
.Bd -literal -offset indent
shell-default:shell=/bin/csh

default:\e
	...
	:shell=/usr/sbin/authpf

daemon:\e
	...
	:shell=/bin/csh:\e
	:tc=default:

staff:\e
	...
	:shell=/bin/csh:\e
	:tc=default:
.Ed
.Pp
With the default password file, every account whose login class inherits
from
.Li default
gets
.Nm
as its shell, while accounts in the
.Li daemon
and
.Li staff
classes (root among them in this example) keep
.Pa /bin/csh .
.Pp
.Sy SSH Configuration
\- As stated earlier,
.Xr sshd 8
must be properly configured to detect and defeat network attacks.
To that end, the following options should be added to
.Xr sshd_config 5 :
.Bd -literal -offset indent
Protocol 2
ClientAliveInterval 15
ClientAliveCountMax 3
.Ed
.Pp
Three unanswered client alive messages sent 15 seconds apart terminate the
session, so unresponsive or spoofed sessions are dropped within about a
minute; a hijacker cannot forge the replies because they travel inside the
encrypted ssh channel.
The
.Cm Protocol
line only matters on
.Xr sshd 8
versions that still support protocol 1; current OpenSSH speaks only
protocol 2.
.Pp
.Sy Banners
\- Once authenticated, the user is shown the contents of
.Pa /etc/authpf/authpf.message .
This message may be a screen-full of the appropriate use policy, the contents
of
.Pa /etc/motd
or something as simple as the following:
.Bd -literal -offset indent
This means you will be held accountable by the powers that be
for traffic originating from your machine, so please play nice.
.Ed
.Pp
To tell the user where to go when the system is broken,
.Pa /etc/authpf/authpf.problem
could contain something like this:
.Bd -literal -offset indent
Sorry, there appears to be some system problem. To report this
problem so we can fix it, please phone 1-900-314-1597 or send
an email to remove@bulkmailerz.net.
.Ed
.Pp
.Sy Packet Filter Rules
\- In areas where this gateway is used to protect a
wireless network (a hub with several hundred ports), the default rule set as
well as the per-user rules should probably allow very few things beyond
encrypted protocols like
.Xr ssh 1
or
.Xr ssl 8 .
On a securely switched network, with plug-in jacks for visitors who are
given authentication accounts, you might want to allow out everything.
In this context, a secure switch is one that resists MAC address table
overflow (flooding) attacks; a switch whose address table overflows falls
back to flooding every frame to every port, which lets anyone on it capture
or spoof other users' traffic.
.Pp
Example
.Pa /etc/pf.conf :
.Bd -literal
# by default we allow internal clients to talk to us using
# ssh and use us as a dns server.
internal_if="fxp1"
gateway_addr="10.0.1.1"
nat-anchor authpf
rdr-anchor authpf
binat-anchor authpf
block in on $internal_if from any to any
pass in quick on $internal_if proto tcp from any to $gateway_addr \e
    port = ssh
pass in quick on $internal_if proto udp from any to $gateway_addr \e
    port = domain
anchor authpf
.Ed
.Pp
.Sy For a switched, wired net
\- This example
.Pa /etc/authpf/authpf.rules
makes no real restrictions; it turns the IP address on and off, logging
TCP connections.
.Bd -literal
external_if = "xl0"
internal_if = "fxp0"

pass in log quick on $internal_if proto tcp from $user_ip to any \e
    keep state
pass in quick on $internal_if from $user_ip to any
.Ed
.\".Pp
.\".Sy For a wireless or shared net
.\"\- This example
.\".Pa /etc/authpf/authpf.rules
.\"could be used for an insecure network (such as a public wireless network) where
.\"we might need to be a bit more restrictive.
.\".Bd -literal
.\"internal_if="fxp1"
.\"ipsec_gw="10.2.3.4"
.\"
.\"# rdr ftp for proxying by ftp-proxy(8)
.\"rdr on $internal_if proto tcp from $user_ip to any port 21 \e
.\"    -> 127.0.0.1 port 8081
.\"
.\"# allow out ftp, ssh, www and https only, and allow user to negotiate
.\"# ipsec with the ipsec server.
.\"pass in log quick on $internal_if proto tcp from $user_ip to any \e
.\"    port { 21, 22, 80, 443 } flags S/SA
.\"pass in quick on $internal_if proto tcp from $user_ip to any \e
.\"    port { 21, 22, 80, 443 }
.\"pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
.\"    keep state
.\"pass in quick proto esp from $user_ip to $ipsec_gw
.\".Ed
.Pp
.Sy Dealing with NAT
\- The following
.Pa /etc/authpf/authpf.rules
shows how to deal with NAT, using tags:
.Bd -literal
ext_if = "fxp1"
ext_addr = 129.128.11.10
int_if = "fxp0"
# nat and tag connections...
nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
pass in quick on $int_if from $user_ip to any
pass out log quick on $ext_if tagged $user_ip keep state
.Ed
.Pp
The tag is what ties the outbound connection back to the user:
once the source address has been translated to
.Li $ext_addr ,
.Em user_ip
no longer appears in the packet, so the
.Cm tagged
rule is the only way to match (and log) just this user's traffic on the
external interface.
With the above rules added by
.Nm ,
outbound connections corresponding to each user's NAT'ed connections
will be logged as in the example below, where the user may be identified
from the ruleset name.
.Bd -literal
# tcpdump -n -e -ttt -i pflog0
Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
16384 <mss 1460,nop,nop,sackOK> (DF)
.Ed
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr pf 4 ,
.Xr login.conf 5 ,
.Xr pf.conf 5 ,
.Xr sshd_config 5 ,
.Xr ftp-proxy 8 ,
.Xr sshd 8
.Sh HISTORY
The
.Nm
program first appeared in
.Ox 3.1 .
.Sh BUGS
Configuration issues are tricky.
The authenticating
.Xr ssh 1
connection may be secured, but if the network is not secured the user may
expose insecure protocols to attackers on the same network, or enable other
attackers on the network to pretend to be the user by spoofing their IP
address.
.Pp
.Nm
is not designed to prevent users from denying service to other users.
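.Pp
The
.Xr pflog 4
output shown under
.Sy Dealing with NAT
in
.Sx EXAMPLES
is what makes the NAT setup auditable: after translation the ruleset name in
the "rule" field is the only place the authenticated user still appears.
The following Python script is an added example, not part of
.Nm
or
.Xr tcpdump 8 ,
that parses such tcpdump output and groups outbound connections by login
name.
The first log line is the one shown on this page; the remaining lines are
constructed for the demo, and the regular expression assumes the tcpdump
pflog output format shown here.

```python
"""Attribute pflog(4) entries to authpf users via the ruleset name.

Added example, not part of authpf.  The man page shows that a rule loaded by
authpf is logged as "rule 0.<user>(<pid>).1/0(match)": the anchor's ruleset
name is the login name and PID of the authpf process.  This parser pulls that
out of tcpdump output on pflog0 so an administrator can answer "which
authenticated user opened this connection?".  The first log line is the one
from the man page; the others are constructed for the demo.
"""
import re

# tcpdump -n -e -ttt -i pflog0 output as printed by tcpdump's pflog printer.
# The "<rulenr>.<ruleset>.<subrule>" form appears only for rules that live in
# an anchor; main-ruleset rules are logged as plain "rule <rulenr>/...".
_PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) "
    r"rule (?P<rulenr>\d+)(?:\.(?P<ruleset>.+?)\.(?P<subrule>\d+))?"
    r"/(?P<reason_nr>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+|[0-9a-f:]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+|[0-9a-f:]+)\.(?P<dport>\d+):"
)
# authpf names each session's ruleset "<user>(<pid>)".
_RULESET_RE = re.compile(r"^(?P<user>[^()]+)\((?P<pid>\d+)\)$")

# Constructed sample: line 1 is the man page's, lines 2-4 are made up.
LOG = """\
Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: 129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Oct 31 19:42:41.103377 rule 0.bbeck(20267).1/0(match): pass out on fxp1: 129.128.11.10.60540 > 198.137.240.92.443: S 4242:4242(0) win 16384 <mss 1460> (DF)
Oct 31 19:43:02.511092 rule 0.alice(20310).1/0(match): pass out on fxp1: 129.128.11.10.60541 > 192.0.2.10.25: S 7:7(0) win 16384 (DF)
Oct 31 19:43:09.000001 rule 2/0(match): block in on fxp0: 10.0.1.77.4242 > 10.0.1.1.23: S 1:1(0) win 512
"""


def parse_pflog_line(line):
    """Return a dict of fields, with user/pid filled in for authpf rulesets."""
    m = _PFLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rulenr", "subrule", "reason_nr", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["user"] = rec["pid"] = None
    if rec["ruleset"]:
        rs = _RULESET_RE.match(rec["ruleset"])
        if rs:
            rec["user"], rec["pid"] = rs["user"], int(rs["pid"])
    return rec


def connections_by_user(lines):
    """Map login name -> sorted (dst, dport) pairs passed by that user's ruleset."""
    seen = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["user"] is None or rec["action"] != "pass":
            continue     # main-ruleset hits and unparsable lines carry no user
        seen.setdefault(rec["user"], set()).add((rec["dst"], rec["dport"]))
    return {user: sorted(pairs) for user, pairs in seen.items()}


if __name__ == "__main__":
    for user, pairs in connections_by_user(LOG.splitlines()).items():
        print(user, pairs)
```

The block rule from the main ruleset in the last sample line carries no
ruleset name and is therefore not attributed to anyone; only traffic that
passed through a user's own anchor ruleset is credited to that user.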