DaemonForums  

#1, 23rd September 2011, dbach
Setting up OpenBSD as an ssh gateway

I'm setting up an OpenBSD machine as an ssh gateway (so you have to first gain access to this machine before you can get to the mail, dns and web servers). Anyone have any suggestions for the setup? I've been reading a lot but I want to ensure I haven't forgotten anything. Also, does OpenBSD use PF in place of the standard hosts.deny?

Thanks,
Darryl
#2, 23rd September 2011, jggimi

I would use authpf(8); it was designed for just this purpose, and you should see if it meets your needs. In brief, a user authenticates with an ssh session, and as long as that session is active, a set of rules associated with that user is anchored into your PF ruleset. When that session ends, so do those rules.

There was an interesting discussion in the misc@ mailing list about authpf this week regarding its limitations -- how someone on a NATted network who authenticates would authorize their entire NATted network; and some other possible "tailgating" attacks. I recommend a review of the thread, which began here:

http://marc.info/?l=openbsd-misc&m=131556113701941&w=2

While hosts.deny(5) is an available service, I don't use it, as PF does all I need without the caveats, booby traps, and other problems inherent in the hosts access control language. PF also has the ability to automatically add attackers to block lists, which I prefer.
#3, 12th January 2012, dbach
setting shell to authpf

The man page says to set the shell to authpf, however in /etc/shells there isn't a selection for authpf, and there is no such entry in /bin. Do I just add /bin/authpf to /etc/shells so that it will allow me to create a user with that shell? That doesn't seem logical to me.

Just added /bin/authpf to /etc/shells, then tried useradd and got to the shell selection with the following response:
Enter your default shell: csh ksh nologin sh [ksh]: authpf
authpf: is not allowed

So not sure how to set shell to authpf.

Thanks guys

Last edited by dbach; 12th January 2012 at 02:26 PM.
#4, 12th January 2012, jggimi

The AuthPF shell is a pseudo-shell. The authenticating user does not get anything other than a text message on their ssh terminal session, and keyboard entry is ignored. The shells(5) configuration file need not be altered, since that is to restrict end users to a list of authorized shells when they change shells on their own.

If you have a shell user who will -also- need authentication via AuthPF, that user will need two accounts.

Please see the AuthPF chapter of the PF Users Guide.
#5, 12th January 2012, jggimi

I just saw your update. You are using adduser, a script which builds a configuration file the first time it is used. Check /etc/adduser.conf.
#6, 12th January 2012, dbach
/etc/adduser.conf

There is no adduser.conf in /etc. Is it better to use useradd, or is this just six of one, half a dozen of the other?

Thanks again,
Darryl
#7, 12th January 2012, jggimi

Sorry, I read your update too quickly. I use adduser, rather than useradd, and pointed you to the wrong configuration file. User admin tools are a matter of personal preference. The latter tool uses a different configuration file, usermgmt.conf.

Userid management tools are a matter of personal preference. In this situation, you have yet another choice -- create a "normal" userid and then use vipw(8) to set the shell.
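The whole setup the thread describes, pulled together as an added example (not code from the thread, from jggimi, or from OpenBSD itself): a script that stages a pf.conf carrying the authpf anchor and the PF-managed block list jggimi mentions in post #2, the per-session authpf.rules, and the empty authpf.conf that authpf requires, then prints the user-creation step discussed in posts #4 to #7. Interface names (em0/em1), the server addresses and the user name gwuser are assumed placeholders; the binary path /usr/sbin/authpf, the need for authpf.conf to exist, and the sshd keepalive settings come from authpf(8), not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): stage the files for an authpf ssh
# gateway into a review directory before copying them to a real OpenBSD box.
# Interface names, server addresses and the user name are assumed placeholders.
#
# Usage:  sh authpf-stage.sh stage /tmp/review   (then diff against /etc)
#         sh authpf-stage.sh stage /             (write the real files, as root)

stage_authpf() {
    root="${1:?usage: stage_authpf <root>}"
    mkdir -p "$root/etc/authpf"

    # Default-deny ruleset: from outside, only the gateway's own sshd is
    # reachable. Everything a user is allowed past the gateway comes from
    # the "authpf/*" anchor, which stays empty until someone authenticates.
    # <bruteforce> is the PF-managed block list: sources that exceed the ssh
    # connection rate are added to it and blocked on the next packet.
    cat > "$root/etc/pf.conf" <<'EOF'
ext_if = "em0"             # assumed outside interface
int_if = "em1"             # assumed inside interface
mail_srv = "192.168.1.10"  # constructed addresses for the protected servers
dns_srv  = "192.168.1.11"
web_srv  = "192.168.1.12"

set skip on lo
table <bruteforce> persist

block log all
block quick from <bruteforce>

pass out on $ext_if
pass out on $int_if

# Outside hosts may only reach sshd on the gateway, rate limited.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Rules loaded by authpf(8) for each authenticated session land here, in a
# sub-anchor named after the user and the authpf process.
anchor "authpf/*"
EOF

    # authpf.rules is loaded into the anchor while the ssh session is up and
    # flushed when it ends. authpf defines $user_ip and $user_id itself; other
    # macros must be defined here, because pf.conf's macros are not visible.
    # Caveat raised in the thread: $user_ip is the address the session came
    # from, so a user behind NAT opens these rules for that whole NAT.
    cat > "$root/etc/authpf/authpf.rules" <<'EOF'
ext_if = "em0"
mail_srv = "192.168.1.10"
dns_srv  = "192.168.1.11"
web_srv  = "192.168.1.12"

pass in on $ext_if inet proto tcp from $user_ip to $mail_srv port { smtp, imaps }
pass in on $ext_if inet proto { tcp, udp } from $user_ip to $dns_srv port domain
pass in on $ext_if inet proto tcp from $user_ip to $web_srv port { http, https }
EOF

    # authpf exits silently unless this file exists; it may be empty.
    : > "$root/etc/authpf/authpf.conf"

    # Text shown on the user's otherwise inert ssh session.
    echo 'Authenticated. Your access rules stay loaded while this session is open.' \
        > "$root/etc/authpf/authpf.message"

    # Steps to run on the gateway itself (printed, not executed). The
    # pseudo-shell lives at /usr/sbin/authpf; useradd -s accepts it without
    # touching /etc/shells, and vipw(8) would set the same field by hand.
    # sshd keepalives make a dropped connection end the session, and with it
    # the rules; forwarding must be on for the gateway to route the traffic.
    cat <<'EOF'
# next steps on the gateway, as root:
pfctl -nf /etc/pf.conf
sysctl net.inet.ip.forwarding=1      # persist in /etc/sysctl.conf
useradd -m -s /usr/sbin/authpf gwuser
passwd gwuser
# in /etc/ssh/sshd_config: ClientAliveInterval 15 and ClientAliveCountMax 3
EOF
    return 0
}

case "${1:-}" in
    stage) stage_authpf "$2" ;;
esac
```

Run it as `sh authpf-stage.sh stage /tmp/review` first and read the three generated files, then either copy them into /etc or rerun it with `stage /`. `pfctl -nf /etc/pf.conf` checks the syntax before anything is loaded; after a user with the authpf shell logs in, `pfctl -sA` lists the per-session anchor that authpf created, and it disappears again when the session ends.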