1 .\" $OpenBSD: authpf.8,v 1.31 2003/12/10 04:10:37 beck Exp $
2 .\" $DragonFly: src/usr.sbin/authpf/authpf.8,v 1.3 2007/07/29 17:27:45 swildner Exp $
4 .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
14 .\" 3. The name of the author may not be used to endorse or promote products
15 .\" derived from this software without specific prior written permission.
17 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 .Nd authenticating gateway user shell
38 is a user shell for authenticating gateways.
41 rules when a user authenticates and starts a session with
43 and to undo these changes when the user's session exits.
44 It is designed for changing filter and translation rules for an individual
45 source IP address as long as a user maintains an active
48 Typical use would be for a gateway that authenticates users before
49 allowing them Internet use, or a gateway that allows different users into
52 logs the successful start and end of a session to
54 This, combined with properly set up filter rules and secure switches,
55 can be used to ensure users are held accountable for their network traffic.
58 can add filter and translation rules using the syntax described in
63 system be enabled before use.
66 is meant to be used with users who can connect via
71 retrieves the client's connecting IP address via the
73 environment variable and, after performing additional access checks,
74 reads a template file to determine what filter and translation rules
76 On session exit the same rules that were added at startup are removed.
80 process stores its rules in a separate ruleset inside a
88 name "authpf" is used, and the ruleset names equal the username and PID of the
90 processes as "username(pid)".
91 The following rules need to be added to the main ruleset
93 in order to cause evaluation of any
96 .Bd -literal -offset indent
102 .Sh FILTER AND TRANSLATION RULES
103 Filter and translation rules for
105 use the same format described in
107 The only difference is that these rules may (and probably should) use
110 which is assigned the connecting IP address whenever
113 Additionally, the macro
115 is assigned the user name.
117 Filter and nat rules will first be searched for in
118 .Pa /etc/authpf/users/$USER/
121 Per-user rules from the
122 .Pa /etc/authpf/users/$USER/
123 directory are intended to be used when non-default rules
124 are needed on an individual user basis.
125 It is important to ensure that a user can not write or change
126 these configuration files.
128 Filter and translation rules are loaded from the file
129 .Pa /etc/authpf/users/$USER/authpf.rules .
130 If this file does not exist the file
131 .Pa /etc/authpf/authpf.rules
135 file must exist in one of the above locations for
139 Translation rules are also loaded from this file.
140 The use of translation rules in an
144 Options are controlled by the
145 .Pa /etc/authpf/authpf.conf
147 If the file is empty, defaults are used for all
148 configuration options.
149 The file consists of pairs of the form
152 Currently, the allowed values are as follows:
157 name instead of "authpf".
160 On successful invocation,
162 displays a message telling the user he or she has been authenticated.
163 It will additionally display the contents of the file
164 .Pa /etc/authpf/authpf.message
165 if the file exists and is readable.
167 There exist two methods for providing additional granularity to the control
170 - it is possible to set the gateway to explicitly allow users who have
173 and deny access to only a few troublesome individuals.
174 This is done by creating a file with the banned user's login name as the
176 .Pa /etc/authpf/banned/ .
177 The contents of this file will be displayed to a banned user, thus providing
178 a method for informing the user that they have been banned, and where they can
179 go and how to get there if they want to have their service restored.
180 This is the default behaviour.
182 It is also possible to configure
184 to only allow specific users access.
185 This is done by listing their login names, one per line, in
186 .Pa /etc/authpf/authpf.allow .
187 If "*" is found on a line, then all usernames match.
190 is unable to verify the user's permission to use the gateway, it will
191 print a brief message and die.
192 It should be noted that a ban takes precedence over an allow.
194 On failure, messages will be logged to
196 for the system administrator.
197 The user does not see these, but will be told the system is unavailable due to
198 technical difficulties.
199 The contents of the file
200 .Pa /etc/authpf/authpf.problem
201 will also be displayed if the file exists and is readable.
202 .Sh CONFIGURATION ISSUES
204 maintains the changed filter rules as long as the user maintains an
206 It is important to remember however, that the existence
207 of this session means the user is authenticated.
208 Because of this, it is important to configure
210 to ensure the security of the session, and to ensure that the network
211 through which users connect is secure.
213 should be configured to use the
214 .Ar ClientAliveInterval
216 .Ar ClientAliveCountMax
217 parameters to ensure that a ssh session is terminated quickly if
218 it becomes unresponsive, or if arp or address spoofing is used to
220 Note that TCP keepalives are not sufficient for
221 this, since they are not secure.
224 will remove statetable entries that were created during a user's
226 This ensures that there will be no unauthenticated traffic
227 allowed to pass after the controlling
229 session has been closed.
232 is designed for gateway machines which typically do not have regular
233 (non-administrative) users using the machine.
234 An administrator must remember that
236 can be used to modify the filter rules through the environment in
237 which it is run, and as such could be used to modify the filter rules
238 (based on the contents of the configuration files) by regular
240 In the case where a machine has regular users using it, as well
243 as their shell, the regular users should be prevented from running
246 .Pa /etc/authpf/authpf.allow
248 .Pa /etc/authpf/banned/
252 modifies the packet filter and address translation rules, and because
253 of this it needs to be configured carefully.
255 will not run and will exit silently if the
256 .Pa /etc/authpf/authpf.conf
258 After considering the effect
260 may have on the main packet filter rules, the system administrator may
263 by creating an appropriate
264 .Pa /etc/authpf/authpf.conf
267 .Bl -tag -width "/etc/authpf/authpf.conf" -compact
268 .It Pa /etc/authpf/authpf.conf
269 .It Pa /etc/authpf/authpf.allow
270 .It Pa /etc/authpf/authpf.rules
271 .It Pa /etc/authpf/authpf.message
272 .It Pa /etc/authpf/authpf.problem
276 \- To illustrate the user-specific access control
277 mechanisms, let us consider a typical user named bob.
278 Normally, as long as bob can authenticate himself, the
280 program will load the appropriate rules.
282 .Pa /etc/authpf/banned/
284 If bob has somehow fallen from grace in the eyes of the
285 powers-that-be, they can prohibit him from using the gateway by creating
287 .Pa /etc/authpf/banned/bob
288 containing a message about why he has been banned from using the network.
289 Once bob has done suitable penance, his access may be restored by moving or
291 .Pa /etc/authpf/banned/bob .
293 Now consider a workgroup containing alice, bob, carol and dave.
295 wireless network which they would like to protect from unauthorized use.
296 To accomplish this, they create the file
297 .Pa /etc/authpf/authpf.allow
298 which lists their login ids, one per line.
299 At this point, even if eve could authenticate to
301 she would not be allowed to use the gateway.
302 Adding and removing users from
303 the work group is a simple matter of maintaining a list of allowed userids.
304 If bob once again manages to annoy the powers-that-be, they can ban him from
305 using the gateway by creating the familiar
306 .Pa /etc/authpf/banned/bob
308 Though bob is listed in the allow file, he is prevented from using
309 this gateway due to the existence of a ban file.
311 .Sy Distributed Authentication
312 \- It is often desirable to interface with a
313 distributed password system rather than forcing the sysadmins to keep a large
314 number of local password files in sync.
319 can be used to fork the right shell.
322 should have entries that look something like this:
323 .Bd -literal -offset indent
324 shell-default:shell=/bin/csh
328 :shell=/usr/sbin/authpf
341 Using a default password file, all users will get
343 as their shell except for root who will get
346 .Sy SSH Configuration
347 \- As stated earlier,
349 must be properly configured to detect and defeat network attacks.
350 To that end, the following options should be added to
352 .Bd -literal -offset indent
354 ClientAliveInterval 15
355 ClientAliveCountMax 3
358 This ensures that unresponsive or spoofed sessions are terminated within a
359 minute, since a hijacker should not be able to spoof ssh keepalive messages.
362 \- Once authenticated, the user is shown the contents of
363 .Pa /etc/authpf/authpf.message .
364 This message may be a screen-full of the appropriate use policy, the contents
367 or something as simple as the following:
368 .Bd -literal -offset indent
369 This means you will be held accountable by the powers that be
370 for traffic originating from your machine, so please play nice.
373 To tell the user where to go when the system is broken,
374 .Pa /etc/authpf/authpf.problem
375 could contain something like this:
376 .Bd -literal -offset indent
377 Sorry, there appears to be some system problem. To report this
378 problem so we can fix it, please phone 1-900-314-1597 or send
379 an email to remove@bulkmailerz.net.
382 .Sy Packet Filter Rules
383 \- In areas where this gateway is used to protect a
384 wireless network (a hub with several hundred ports), the default rule set as
385 well as the per-user rules should probably allow very few things beyond
386 encrypted protocols like
391 On a securely switched network, with plug-in jacks for visitors who are
392 given authentication accounts, you might want to allow out everything.
393 In this context, a secure switch is one that tries to prevent address table
399 # by default we allow internal clients to talk to us using
400 # ssh and use us as a dns server.
402 gateway_addr="10.0.1.1"
406 block in on $internal_if from any to any
407 pass in quick on $internal_if proto tcp from any to $gateway_addr \e
409 pass in quick on $internal_if proto udp from any to $gateway_addr \e
414 .Sy For a switched, wired net
416 .Pa /etc/authpf/authpf.rules
417 makes no real restrictions; it turns the IP address on and off, logging
423 pass in log quick on $internal_if proto tcp from $user_ip to any \e
425 pass in quick on $internal_if from $user_ip to any
428 .Sy For a wireless or shared net
430 .Pa /etc/authpf/authpf.rules
431 could be used for an insecure network (such as a public wireless network) where
432 we might need to be a bit more restrictive.
437 # rdr ftp for proxying by ftp-proxy(8)
438 rdr on $internal_if proto tcp from $user_ip to any port 21 \e
439 -> 127.0.0.1 port 8081
441 # allow out ftp, ssh, www and https only, and allow user to negotiate
442 # ipsec with the ipsec server.
443 pass in log quick on $internal_if proto tcp from $user_ip to any \e
444 port { 21, 22, 80, 443 } flags S/SA
445 pass in quick on $internal_if proto tcp from $user_ip to any \e
446 port { 21, 22, 80, 443 }
447 pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
449 pass in quick proto esp from $user_ip to $ipsec_gw
454 .Pa /etc/authpf/authpf.rules
455 shows how to deal with NAT, using tags:
458 ext_addr = 129.128.11.10
460 # nat and tag connections...
461 nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
462 pass in quick on $int_if from $user_ip to any
463 pass out log quick on $ext_if tagged $user_ip keep state
466 With the above rules added by
468 outbound connections corresponding to each users NAT'ed connections
469 will be logged as in the example below, where the user may be identified
470 from the ruleset name.
472 # tcpdump -n -e -ttt -i pflog0
473 Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
474 129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
475 16384 <mss 1460,nop,nop,sackOK> (DF)
484 program first appeared in
487 Configuration issues are tricky.
490 connection may be secured, but if the network is not secured the user may
491 expose insecure protocols to attackers on the same network, or enable other
492 attackers on the network to pretend to be the user by spoofing their IP
496 is not designed to prevent users from denying service to other users.