I assembled a lab with three computers:
["Internet"] - ["router"] - ["user"]
The router had the following extremely simple pf.conf:
```
block all
pass in proto tcp from any to any port 22
anchor "authpf/*"
```
I created an empty /etc/authpf/authpf.conf:
```
# touch /etc/authpf/authpf.conf
```
I created the following in /etc/authpf/authpf.rules:
```
pass from $user_ip to any
pass from any to $user_ip
```
I added a user, jggimi-authpf, on the router with login class authpf, using the built-in admin script adduser(8):
```
# adduser
Couldn't find /etc/adduser.conf: creating a new adduser configuration file
Reading /etc/shells
Enter your default shell: csh ksh nologin sh [ksh]:
Your default shell is: ksh -> /bin/ksh
Default login class: authpf bgpd daemon default staff [default]:
Enter your default HOME partition: [/home]:
Copy dotfiles from: /etc/skel no [/etc/skel]:
Send welcome message?: /path/file default no [no]:
Do not send message(s)
Prompt for passwords by default (y/n) [y]:
Default encryption method for passwords: auto blowfish des md5 old [auto]:
Use option ``-silent'' if you don't want to see all warnings and questions.
Reading /etc/shells
Check /etc/master.passwd
Check /etc/group
Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: jggimi-authpf
Enter full name []:
Enter shell csh ksh nologin sh [ksh]:
Uid [1000]:
Login group jggimi-authpf [jggimi-authpf]:
Login group is ``jggimi-authpf''. Invite jggimi-authpf into other groups: guest no [no]:
Login class authpf bgpd daemon default staff [default]: authpf
Enter password []:
Enter password again []:
Name: jggimi-authpf
Password: ****
Fullname: jggimi-authpf
Uid: 1000
Gid: 1000 (jggimi-authpf)
Groups: jggimi-authpf
Login Class: authpf
HOME: /home/jggimi-authpf
Shell: /bin/ksh
OK? (y/n) [y]: y
Added user ``jggimi-authpf''
Copy files from /etc/skel to /home/jggimi-authpf
Add another user? (y/n) [y]: n
Goodbye!
#
```
From the "user" machine, non-ssh connections to the "internet" machine were blocked until I logged in to the userid:
```
# ssh jggimi-authpf@10.0.1.1
jggimi-authpf@10.0.1.1's password:
Last login: Mon Jan 30 21:56:48 2012 from 10.0.1.2
Hello jggimi-authpf. You are authenticated from host "10.0.1.2"
```
While that session was active, I was able to establish connections and pass non-ssh traffic to the "internet" host from the "user" machine (while using another console).
---
In a real world environment, your rules would obviously be realistic. Mine were simple, just to prove the minimum required to create an Authpf environment.
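As an illustration of what a more realistic authpf.rules might look like, here is an added example (not part of the original post) that replaces the two wide-open rules above with stateful, service-specific ones; the interface names em0/em1 and the set of allowed services are assumptions.

```pf
# /etc/authpf/authpf.rules (added example; interface names are assumptions)
# authpf loads this file into the per-session anchor when the user logs in;
# $user_ip is the address of the host that opened the ssh session.
int_if = "em1"      # LAN side, where the "user" machine sits (assumed)
ext_if = "em0"      # side facing the "internet" machine (assumed)

# Only the authenticated host may start sessions, and only to web and DNS.
# keep state lets the replies back in, so no "pass from any to $user_ip"
# rule is needed and unsolicited inbound traffic to the user stays blocked.
pass in quick on $int_if proto tcp from $user_ip to any port { 80 443 } \
    flags S/SA keep state
pass in quick on $int_if proto { tcp udp } from $user_ip to any port 53 \
    keep state

# Ping for troubleshooting; everything else from the user host falls through
# to the "block all" in pf.conf.
pass in quick on $int_if inet proto icmp from $user_ip to any \
    icmp-type echoreq keep state
```

Because $user_ip is only defined by authpf at login, syntax-check the file with a macro supplied on the command line, e.g. `pfctl -nf /etc/authpf/authpf.rules -D user_ip=10.0.1.2`.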