Thread: authpf setup
Old 31st January 2012
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

I assembled a lab with three computers:

["Internet"] - ["router"] - ["user"]

The router had the following extremely simple pf.conf:
Code:
block all
pass in proto tcp from any to any port 22
anchor "authpf/*"

I created an empty /etc/authpf/authpf.conf:

# touch /etc/authpf/authpf.conf

I created the following in /etc/authpf/authpf.rules:
Code:
pass from $user_ip to any
pass from any to $user_ip

I added a user, jggimi-authpf, on the router, with login class authpf, using the built-in admin script adduser(8):
Code:
# adduser
Couldn't find /etc/adduser.conf: creating a new adduser configuration file
Reading /etc/shells
Enter your default shell: csh ksh nologin sh [ksh]: 
Your default shell is: ksh -> /bin/ksh
Default login class: authpf bgpd daemon default staff 
[default]: 
Enter your default HOME partition: [/home]: 
Copy dotfiles from: /etc/skel no [/etc/skel]: 
Send welcome message?: /path/file default no [no]: 
Do not send message(s)
Prompt for passwords by default (y/n) [y]: 
Default encryption method for passwords: auto blowfish des md5 old 
[auto]: 
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: jggimi-authpf
Enter full name []: 
Enter shell csh ksh nologin sh [ksh]: 
Uid [1000]: 
Login group jggimi-authpf [jggimi-authpf]: 
Login group is ``jggimi-authpf''. Invite jggimi-authpf into other groups: guest no 
[no]: 
Login class authpf bgpd daemon default staff [default]: authpf
Enter password []: 
Enter password again []: 

Name:        jggimi-authpf
Password:    ****
Fullname:    jggimi-authpf
Uid:         1000
Gid:         1000 (jggimi-authpf)
Groups:      jggimi-authpf 
Login Class: authpf
HOME:        /home/jggimi-authpf
Shell:       /bin/ksh
OK? (y/n) [y]: y
Added user ``jggimi-authpf''
Copy files from /etc/skel to /home/jggimi-authpf
Add another user? (y/n) [y]: n
Goodbye!
#

From the "user" machine, non-ssh connections to the "internet" machine were blocked until I logged in to the userid:
Code:
# ssh jggimi-authpf@10.0.1.1 
jggimi-authpf@10.0.1.1's password: 
Last login: Mon Jan 30 21:56:48 2012 from 10.0.1.2

Hello jggimi-authpf. You are authenticated from host "10.0.1.2"

While that session was active, I was able to establish connections and pass non-ssh traffic to the "internet" host from the "user" machine (while using another console).

---

In a real-world environment, your rules would obviously be realistic. Mine were simple, just to prove the minimum required to create an authpf environment.
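A tighter version of the same gateway, as an added example rather than the configuration from the post above. The interface names em0/em1 and the internal prefix 10.0.1.0/24 are assumptions (the post only shows the router at 10.0.1.1 and the user at 10.0.1.2), and the service list in authpf.rules is illustrative. Two things differ from the lab rules on purpose: ssh is only passed to the gateway's own address, so an unauthenticated client cannot use the `port 22` rule to ssh through the box to the outside, and nothing passes traffic *to* `$user_ip`, so the logged-in host is not reachable from outside while its session is open (reply packets match the state created by its own outbound connections).

```pf
# /etc/pf.conf on the authpf gateway (added example; interface names
# and the internal prefix are assumptions, not taken from the post)
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.1.0/24"

set skip on lo

# Default deny; everything below is an exception.
block log all

# Users authenticate by ssh-ing to the gateway itself. "to ($int_if)"
# limits this to the gateway's own address: a bare "to any port 22"
# would also let unauthenticated ssh transit the box.
pass in on $int_if proto tcp from $int_net to ($int_if) port ssh

# authpf(8) loads each user's rules into an anchor named
# authpf/<user>(<pid>) for as long as the ssh session lives.
# pf is last-match, so the anchor must follow the block rule.
anchor "authpf/*"

# ---------------------------------------------------------------
# /etc/authpf/authpf.rules (added example). $user_ip and $user_id
# are set by authpf when it loads this file; the macros and the
# port list below are assumptions for the example.
int_if = "em1"

# Only the address that authenticated gets through, and only to the
# services the gateway is meant to expose. Replies ride on state, so
# no rule is needed in the other direction.
pass in on $int_if proto udp from $user_ip to any port domain
pass in on $int_if proto tcp from $user_ip to any port { http, https, ssh }
pass in on $int_if inet proto icmp from $user_ip to any icmp-type echoreq
```

Check the main rule set with `pfctl -nf /etc/pf.conf` before loading it; authpf.rules is checked by authpf itself at login and the session is refused if it does not parse. While a user is logged in, `pfctl -a 'authpf/*' -sr` shows the rules that were loaded on their behalf, with `$user_ip` already substituted. The adduser transcript above shows `/bin/ksh` as the shell, but the authpf login class in OpenBSD's default login.conf sets `shell=/usr/sbin/authpf`, which is what actually runs at login; if that class is missing or edited, the user gets a real shell on the gateway instead. Since the rules are removed only when the ssh session ends, authpf(8) recommends setting ClientAliveInterval and ClientAliveCountMax in sshd_config so that a client that drops off the network has its session, and with it its rules, torn down promptly rather than after the TCP timeout.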