| 1 |
.\" $FreeBSD$ |
.\" $FreeBSD$ |
| 2 |
.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $ |
.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $ |
| 3 |
.\" |
.\" |
| 4 |
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. |
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. |
| 5 |
.\" |
.\" |
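Review bot: Unchanged context, but the copyright line in both columns reads `(beck@openbsd.org>` with a mismatched bracket; since this merge already touches the header to bump the $OpenBSD$ id, it is a good moment to correct it to `<beck@openbsd.org>`, preferably as a separate tidy-up so the upstream-sync diff stays clean.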
| 15 |
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 16 |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 17 |
.\" |
.\" |
| 18 |
.Dd March 28, 2006 |
.Dd January 6 2009 |
| 19 |
.Dt AUTHPF 8 |
.Dt AUTHPF 8 |
| 20 |
.Os |
.Os |
| 21 |
.Sh NAME |
.Sh NAME |
| 22 |
.Nm authpf |
.Nm authpf , |
| 23 |
|
.Nm authpf-noip |
| 24 |
.Nd authenticating gateway user shell |
.Nd authenticating gateway user shell |
| 25 |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
| 26 |
.Nm authpf |
.Nm authpf |
| 27 |
|
.Nm authpf-noip |
| 28 |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
| 29 |
.Nm |
.Nm |
| 30 |
is a user shell for authenticating gateways. |
is a user shell for authenticating gateways. |
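Review bot: `.Dd January 6 2009` is missing the comma mdoc expects between day and year; use `.Dd January 6, 2009` (compare the line it replaces, `.Dd March 28, 2006`). The NAME and SYNOPSIS additions of `.Nm authpf-noip` are well-formed.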
| 33 |
rules when a user authenticates and starts a session with |
rules when a user authenticates and starts a session with |
| 34 |
.Xr sshd 8 |
.Xr sshd 8 |
| 35 |
and to undo these changes when the user's session exits. |
and to undo these changes when the user's session exits. |
|
It is designed for changing filter and translation rules for an individual |
|
|
source IP address as long as a user maintains an active |
|
|
.Xr ssh 1 |
|
|
session. |
|
| 36 |
Typical use would be for a gateway that authenticates users before |
Typical use would be for a gateway that authenticates users before |
| 37 |
allowing them Internet use, or a gateway that allows different users into |
allowing them Internet use, or a gateway that allows different users into |
| 38 |
different places. |
different places. |
| 39 |
|
Combined with properly set up filter rules and secure switches, |
| 40 |
.Nm |
.Nm |
|
logs the successful start and end of a session to |
|
|
.Xr syslogd 8 . |
|
|
This, combined with properly set up filter rules and secure switches, |
|
| 41 |
can be used to ensure users are held accountable for their network traffic. |
can be used to ensure users are held accountable for their network traffic. |
| 42 |
.Pp |
It is meant to be used with users who can connect via |
| 43 |
.Nm |
.Xr ssh 1 |
| 44 |
can add filter and translation rules using the syntax described in |
only, and requires the |
|
.Xr pf.conf 5 . |
|
|
.Nm |
|
|
requires that the |
|
| 45 |
.Xr pf 4 |
.Xr pf 4 |
| 46 |
system be enabled and a |
subsystem to be enabled. |
| 47 |
.Xr fdescfs 5 |
.Pp |
| 48 |
file system be mounted at |
.Nm authpf-noip |
| 49 |
.Pa /dev/fd |
is a user shell |
| 50 |
before use. |
which allows multiple connections to take |
| 51 |
|
place from the same IP address. |
| 52 |
|
It is useful primarily in cases where connections are tunneled via |
| 53 |
|
the gateway system, and can be directly associated with the user name. |
| 54 |
|
It cannot ensure accountability when |
| 55 |
|
classifying connections by IP address; |
| 56 |
|
in this case the client's IP address |
| 57 |
|
is not provided to the packet filter via the |
| 58 |
|
.Ar client_ip |
| 59 |
|
macro or the |
| 60 |
|
.Ar authpf_users |
| 61 |
|
table. |
| 62 |
|
Additionally, states associated with the client IP address |
| 63 |
|
are not purged when the session is ended. |
| 64 |
|
.Pp |
| 65 |
|
To use either |
| 66 |
.Nm |
.Nm |
| 67 |
can also maintain the list of IP address of connected users |
or |
| 68 |
in the "authpf_users" |
.Nm authpf-noip , |
| 69 |
.Pa table . |
the user's shell needs to be set to |
| 70 |
|
.Pa /usr/sbin/authpf |
| 71 |
|
or |
| 72 |
|
.Pa /usr/sbin/authpf-noip . |
| 73 |
.Pp |
.Pp |
| 74 |
.Nm |
.Nm |
| 75 |
is meant to be used with users who can connect via |
uses the |
| 76 |
|
.Xr pf.conf 5 |
| 77 |
|
syntax to change filter and translation rules for an individual |
| 78 |
|
user or client IP address as long as a user maintains an active |
| 79 |
.Xr ssh 1 |
.Xr ssh 1 |
| 80 |
only. |
session, and logs the successful start and end of a session to |
| 81 |
On startup, |
.Xr syslogd 8 . |
| 82 |
.Nm |
.Nm |
| 83 |
retrieves the client's connecting IP address via the |
retrieves the client's connecting IP address via the |
| 84 |
.Ev SSH_CLIENT |
.Ev SSH_CLIENT |
| 85 |
environment variable and, after performing additional access checks, |
environment variable and, after performing additional access checks, |
| 86 |
reads a template file to determine what filter and translation rules |
reads a template file to determine what filter and translation rules |
| 87 |
(if any) to add. |
(if any) to add, and |
| 88 |
On session exit the same rules that were added at startup are removed. |
maintains the list of IP addresses of connected users in the |
| 89 |
|
.Ar authpf_users |
| 90 |
|
table. |
| 91 |
|
On session exit the same rules and table entries that were added at startup |
| 92 |
|
are removed, and all states associated with the client's IP address are purged. |
| 93 |
.Pp |
.Pp |
| 94 |
Each |
Each |
| 95 |
.Nm |
.Nm |
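Review bot: The rewritten DESCRIPTION drops the FreeBSD-specific requirement that an fdescfs(5) file system be mounted at /dev/fd (old lines 46-50), reducing it to "requires the pf(4) subsystem to be enabled", and the matching `.Xr fdescfs 5 ,` is removed from SEE ALSO further down. Unless the authpf binary in this tree no longer depends on /dev/fd, that requirement should be folded into the new sentence rather than lost, e.g. "requires the .Xr pf 4 subsystem and a .Xr fdescfs 5 file system mounted at .Pa /dev/fd to be enabled." Separately, the authpf-noip paragraph refers to the `.Ar client_ip` macro while the tunneled-users example later uses `$user_id`; check that `client_ip` is the macro name authpf actually defines for the rules template and that the name used here matches the one documented in the rules section of this page.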
| 203 |
to only allow specific users access. |
to only allow specific users access. |
| 204 |
This is done by listing their login names, one per line, in |
This is done by listing their login names, one per line, in |
| 205 |
.Pa /etc/authpf/authpf.allow . |
.Pa /etc/authpf/authpf.allow . |
| 206 |
|
A group of users can also be indicated by prepending "%" to the group name, |
| 207 |
|
and all members of a login class can be indicated by prepending "@" to the |
| 208 |
|
login class name. |
| 209 |
If "*" is found on a line, then all usernames match. |
If "*" is found on a line, then all usernames match. |
| 210 |
If |
If |
| 211 |
.Nm |
.Nm |
| 318 |
wireless network which they would like to protect from unauthorized use. |
wireless network which they would like to protect from unauthorized use. |
| 319 |
To accomplish this, they create the file |
To accomplish this, they create the file |
| 320 |
.Pa /etc/authpf/authpf.allow |
.Pa /etc/authpf/authpf.allow |
| 321 |
which lists their login ids, one per line. |
which lists their login ids, group prepended with "%", or login class |
| 322 |
|
prepended with "@", one per line. |
| 323 |
At this point, even if eve could authenticate to |
At this point, even if eve could authenticate to |
| 324 |
.Xr sshd 8 , |
.Xr sshd 8 , |
| 325 |
she would not be allowed to use the gateway. |
she would not be allowed to use the gateway. |
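Review bot: Grammar in the updated EXAMPLES sentence (right column, lines 321-322): "which lists their login ids, group prepended with "%", or login class prepended with "@", one per line" mixes plural and singular. Suggest "which lists their login ids, groups prefixed with "%", or login classes prefixed with "@", one per line." so it reads in parallel with the authpf.allow paragraph added earlier in this diff.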
| 523 |
anchor "authpf/*" from <authpf_users> |
anchor "authpf/*" from <authpf_users> |
| 524 |
rdr-anchor "authpf/*" from <authpf_users> |
rdr-anchor "authpf/*" from <authpf_users> |
| 525 |
.Ed |
.Ed |
| 526 |
|
.Pp |
| 527 |
|
.Sy Tunneled users |
| 528 |
|
\- normally |
| 529 |
|
.Nm |
| 530 |
|
allows only one session per client IP address. |
| 531 |
|
However in some cases, such as when connections are tunneled via |
| 532 |
|
.Xr ssh 1 |
| 533 |
|
or |
| 534 |
|
.Xr ipsec 4 , |
| 535 |
|
the connections can be authorized based on the userid of the user instead of |
| 536 |
|
the client IP address. |
| 537 |
|
In this case it is appropriate to use |
| 538 |
|
.Nm authpf-noip |
| 539 |
|
to allow multiple users behind a NAT gateway to connect. |
| 540 |
|
In the |
| 541 |
|
.Pa /etc/authpf/authpf.rules |
| 542 |
|
example below, the remote user could tunnel a remote desktop session to their |
| 543 |
|
workstation: |
| 544 |
|
.Bd -literal |
| 545 |
|
internal_if="bge0" |
| 546 |
|
workstation_ip="10.2.3.4" |
| 547 |
|
|
| 548 |
|
pass out on $internal_if from (self) to $workstation_ip port 3389 \e |
| 549 |
|
user $user_id |
| 550 |
|
.Ed |
| 551 |
.Sh FILES |
.Sh FILES |
| 552 |
.Bl -tag -width "/etc/authpf/authpf.conf" -compact |
.Bl -tag -width "/etc/authpf/authpf.conf" -compact |
| 553 |
.It Pa /etc/authpf/authpf.conf |
.It Pa /etc/authpf/authpf.conf |
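Review bot: The rule in the new tunneled-users example, `pass out on $internal_if from (self) to $workstation_ip port 3389 \e user $user_id`, specifies a port without a protocol; pfctl rejects such a rule with "port only applies to tcp/udp", so an authpf.rules template copied from this example would fail to load when the user logs in. Add `proto tcp` (RDP is TCP port 3389): `pass out on $internal_if proto tcp from (self) to $workstation_ip port 3389 \e` followed by the existing `user $user_id` continuation line.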
| 559 |
.Sh SEE ALSO |
.Sh SEE ALSO |
| 560 |
.Xr pf 4 , |
.Xr pf 4 , |
| 561 |
.Xr pf.conf 5 , |
.Xr pf.conf 5 , |
|
.Xr fdescfs 5 , |
|
| 562 |
.Xr securelevel 7 , |
.Xr securelevel 7 , |
| 563 |
.Xr ftp-proxy 8 |
.Xr ftp-proxy 8 |
| 564 |
.Sh HISTORY |
.Sh HISTORY |