DaemonForums  

#1
19th January 2012
dbach (Port Guard)
Join Date: Aug 2011 / Posts: 23
authpf setup

Hello:
I've been reading man pages and information online and not having any luck setting up authpf. Here's what I have so far.

Last line in /etc/pf.conf:
Code:
anchor "authpf/*"

I used adduser to create a regular user and chsh to change the shell from /bin/ksh to /usr/sbin/authpf; I also set their class to authpf.

In /etc/authpf I have the following:

authpf.allow - no content

authpf.conf - no content

authpf.rules:
Code:
external_if = "pcn0"
pass in quick on $external_if proto tcp from $user_ip to any
pass in quick on $external_if from $user_ip to any

When I try to login as the user with shell set to /usr/sbin/authpf it shows:
Last unsuccessful login: <date>
Last login:
Welcome to: <hostname>

Then back to login prompt.

Any guidance or suggestions would be appreciated.
Thanks,
Darryl
#2
19th January 2012
jggimi (More noise than signal)
Join Date: May 2008 / Location: USA / Posts: 7,975

Quote:
authpf.allow - no content
I don't believe this file should exist, unless you are going to fill it with a list of userids. If it exists, only the userids within are permitted to use authpf. And it exists.

AFAIK, only /etc/authpf/authpf.conf is required, and may be empty.
#3
20th January 2012
dbach (Port Guard)
Join Date: Aug 2011 / Posts: 23
jggimi

Thanks for the response, I'll mess with it some more tomorrow at work. It seems whenever I set the class for the user to authpf and the shell to /usr/sbin/authpf it fails the login, but it's probably trying to authenticate and failing, then going back to the login prompt. I've been looking at the content of /var/log/messages to get an indication as to what the issue is, but so far it's not been overly helpful.
Darryl
#4
30th January 2012
dbach (Port Guard)
Join Date: Aug 2011 / Posts: 23
authpf setup - need help

Running OBSD 4.9 and have been trying to setup authpf for weeks with absolutely no luck. Does anyone know of a minimalist online approach that clearly shows what content should be in which file in order for this to work?

I'd like to know what's required in each of the following files for ssh authentication with adapter pcn0:

/etc/authpf/authpf.conf
/etc/authpf/authpf.rules
/etc/authpf/authpf.allow
/etc/pf.conf

Is it best to change the character class to authpf or set the users shell to /usr/sbin/authpf?

I want this to apply to all users so I didn't create /etc/authpf/users.

If able to provide some feedback I'd REALLY appreciate it. So far http://www.openbsd.org/faq/pf/authpf.html and The Book of PF and man pages haven't got me up and running.

Darryl
#5
30th January 2012
jggimi (More noise than signal)
Join Date: May 2008 / Location: USA / Posts: 7,975

I will try and build a test environment in a lab and send you specific recommendations. It will be about five hours before I will have the time.
#6
31st January 2012
jggimi (More noise than signal)
Join Date: May 2008 / Location: USA / Posts: 7,975

I assembled a lab with three computers:

["Internet"] - ["router"] - ["user"]

The router had the following extremely simple pf.conf:
Code:
block all
pass in proto tcp from any to any port 22
anchor "authpf/*"

I created an empty /etc/authpf/authpf.conf:

# touch /etc/authpf/authpf.conf

I created the following in /etc/authpf/authpf.rules:
Code:
pass from $user_ip to any
pass from any to $user_ip

I added a user, jggimi-authpf, on the router, with login class authpf, using the built-in admin script adduser(8):
Code:
# adduser
Couldn't find /etc/adduser.conf: creating a new adduser configuration file
Reading /etc/shells
Enter your default shell: csh ksh nologin sh [ksh]: 
Your default shell is: ksh -> /bin/ksh
Default login class: authpf bgpd daemon default staff 
[default]: 
Enter your default HOME partition: [/home]: 
Copy dotfiles from: /etc/skel no [/etc/skel]: 
Send welcome message?: /path/file default no [no]: 
Do not send message(s)
Prompt for passwords by default (y/n) [y]: 
Default encryption method for passwords: auto blowfish des md5 old 
[auto]: 
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: jggimi-authpf
Enter full name []: 
Enter shell csh ksh nologin sh [ksh]: 
Uid [1000]: 
Login group jggimi-authpf [jggimi-authpf]: 
Login group is ``jggimi-authpf''. Invite jggimi-authpf into other groups: guest no 
[no]: 
Login class authpf bgpd daemon default staff [default]: authpf
Enter password []: 
Enter password again []: 

Name:        jggimi-authpf
Password:    ****
Fullname:    jggimi-authpf
Uid:         1000
Gid:         1000 (jggimi-authpf)
Groups:      jggimi-authpf 
Login Class: authpf
HOME:        /home/jggimi-authpf
Shell:       /bin/ksh
OK? (y/n) [y]: y
Added user ``jggimi-authpf''
Copy files from /etc/skel to /home/jggimi-authpf
Add another user? (y/n) [y]: n
Goodbye!
#

From the "user" machine, non-ssh connections to the "internet" machine were blocked until I logged in to the userid:
Code:
# ssh jggimi-authpf@10.0.1.1 
jggimi-authpf@10.0.1.1's password: 
Last login: Mon Jan 30 21:56:48 2012 from 10.0.1.2

Hello jggimi-authpf. You are authenticated from host "10.0.1.2"

While that session was active, I was able to establish connections and pass non-ssh traffic to the "internet" host from the "user" machine (while using another console).

---

In a real world environment, your rules would obviously be realistic. Mine were simple, just to prove the minimum required to create an Authpf environment.
#7
31st January 2012
denta (Shell Scout)
Join Date: Nov 2009 / Location: Sweden / Posts: 95

Great post jggimi!
#8
31st January 2012
jggimi (More noise than signal)
Join Date: May 2008 / Location: USA / Posts: 7,975

Thank you, denta.

Just to clarify regarding the authpf login class -- it overrides the userid shell and motd settings:
Code:
#
# Authpf accounts get a special motd and shell
#
authpf:\
     :welcome=/etc/motd.authpf:\
     :shell=/usr/sbin/authpf:\
     :tc=default:

I didn't care about the motd setting, since I didn't use the file, but the authenticating userids need to have the correct shell. Using the class ensures it; the override means that the jggimi-authpf userid never gets to use the ksh shell as defined in /etc/*passwd -- the adduser(8) script won't set the correct shell, but it does permit choosing the correct class.
#9
31st January 2012
jggimi (More noise than signal)
Join Date: May 2008 / Location: USA / Posts: 7,975

Further hints and suggestions
  • Don't use authpf.allow unless you have a specific requirement for it. Yours was empty, and as I stated at the start of this thread, if you have this file, only userids listed within will be permitted to authenticate. If you still have this empty file, no userid will be able to authenticate. Delete it.
  • I recommend assigning each user their own userid for authentication, and choosing an SSH authentication method that meets your security requirements for assured authentication.
  • I always recommend using public key authentication over passwords for authentication, but the choice is yours (and your auditors, if applicable).
  • SSH public key authentication can optionally use passphrases. This may be useful where two-factor authentication is required or desired.

Last edited by jggimi; 31st January 2012 at 01:11 PM.
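The points the thread turns on (the anchor line in pf.conf, an authpf.conf that may be empty, the allow-list semantics of authpf.allow from post #2 and the first hint above, a non-empty rules file, the login class override from post #8, and the user's class in master.passwd) are easy to check mechanically before the first SSH login. The script below is an added example, not code from the thread or from OpenBSD's authpf. The file names and field layouts are the real OpenBSD ones; the function names, the sample trees, the sample user jggimi-authpf and the layout of the output are this example's own assumptions. Every check reads files under a prefix, so it runs offline against the constructed sample trees and, with an empty prefix, against a live gateway. It also warns about one trap the thread does not mention: when /etc/login.conf.db exists it is the copy that is consulted, so a class added to login.conf only takes effect after cap_mkdb(1) rebuilds it.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): pre-flight checks for an
# authpf gateway. Every check reads files under PREFIX so the script can run
# offline against the constructed sample trees below; on the gateway itself use
# an empty prefix. Function names, sample contents and the sample user are
# assumptions of this example; file names and field layouts are OpenBSD's.

# check_authpf_setup PREFIX USER: one line per check, returns 0 only if all pass.
check_authpf_setup() {
    root=$1; user=$2; rc=0
    authpfdir=$root/etc/authpf

    # 1. pf.conf must load the per-session rules through the authpf anchor.
    if grep -q '^[[:space:]]*anchor[[:space:]]*"authpf/\*"' "$root/etc/pf.conf" 2>/dev/null; then
        echo 'ok   pf.conf: anchor "authpf/*" present'
    else
        echo 'FAIL pf.conf: no anchor "authpf/*" line'; rc=1
    fi

    # 2. authpf.conf must exist; an empty file is enough.
    if [ -f "$authpfdir/authpf.conf" ]; then
        echo "ok   authpf.conf exists"
    else
        echo "FAIL authpf.conf missing (touch it; it may stay empty)"; rc=1
    fi

    # 3. authpf.allow is optional. If present it is an allow-list, so an empty
    #    file (the original poster's setup) refuses every user.
    allow=$authpfdir/authpf.allow
    if [ ! -e "$allow" ]; then
        echo "ok   authpf.allow absent: every authpf-class user may log in"
    elif ! grep -q '[^[:space:]]' "$allow"; then
        echo "FAIL authpf.allow exists but is empty: nobody can authenticate"; rc=1
    elif grep -qx "$user" "$allow"; then
        echo "ok   authpf.allow lists $user"
    else
        echo "FAIL authpf.allow exists but does not list $user"; rc=1
    fi

    # 4. Rules to load at login: a per-user file or the shared authpf.rules.
    if [ -s "$authpfdir/users/$user/authpf.rules" ] || [ -s "$authpfdir/authpf.rules" ]; then
        echo "ok   authpf.rules found"
    else
        echo "FAIL no non-empty authpf.rules (shared or users/$user/)"; rc=1
    fi

    # 5. The authpf login class must force shell=/usr/sbin/authpf. Entries in
    #    login.conf continue with a trailing backslash, so join lines first.
    joined=$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$root/etc/login.conf" 2>/dev/null || :)
    if printf '%s\n' "$joined" | grep '^authpf:' | grep -q ':shell=/usr/sbin/authpf:'; then
        echo "ok   login.conf: class authpf sets shell=/usr/sbin/authpf"
    else
        echo "FAIL login.conf: no authpf class with shell=/usr/sbin/authpf"; rc=1
    fi
    if [ -f "$root/etc/login.conf.db" ] && [ "$root/etc/login.conf" -nt "$root/etc/login.conf.db" ]; then
        echo "WARN login.conf.db is older than login.conf: rerun cap_mkdb /etc/login.conf"
    fi

    # 6. The user must be in class authpf (master.passwd field 5); a shell of
    #    /usr/sbin/authpf (field 10) also works but skips the class's motd.
    entry=$(grep "^$user:" "$root/etc/master.passwd" 2>/dev/null || :)
    class=$(printf '%s\n' "$entry" | cut -d: -f5)
    shell=$(printf '%s\n' "$entry" | cut -d: -f10)
    if [ -z "$entry" ]; then
        echo "FAIL master.passwd: no user $user"; rc=1
    elif [ "$class" = authpf ] || [ "$shell" = /usr/sbin/authpf ]; then
        echo "ok   $user: class=$class shell=$shell"
    else
        echo "FAIL $user: class=$class shell=$shell (neither selects authpf)"; rc=1
    fi
    return $rc
}

# Constructed sample trees (not real hosts). The working one mirrors the lab
# post; the broken one adds the empty authpf.allow from the first post.
write_sample_tree() {
    mkdir -p "$1/etc/authpf"
    printf '%s\n' 'block all' 'pass in proto tcp from any to any port 22' \
        'anchor "authpf/*"' > "$1/etc/pf.conf"
    : > "$1/etc/authpf/authpf.conf"
    printf '%s\n' 'pass from $user_ip to any' 'pass from any to $user_ip' \
        > "$1/etc/authpf/authpf.rules"
    printf '%s\n' 'authpf:\' '    :welcome=/etc/motd.authpf:\' \
        '    :shell=/usr/sbin/authpf:\' '    :tc=default:' > "$1/etc/login.conf"
    printf '%s\n' 'jggimi-authpf:*:1000:1000:authpf:0:0:jggimi-authpf:/home/jggimi-authpf:/bin/ksh' \
        > "$1/etc/master.passwd"
}
make_working_tree() { d=$(mktemp -d); write_sample_tree "$d"; echo "$d"; }
make_broken_tree()  { d=$(mktemp -d); write_sample_tree "$d"; : > "$d/etc/authpf/authpf.allow"; echo "$d"; }

case ${1-} in
    --demo) for t in $(make_working_tree) $(make_broken_tree); do
                echo "== $t"; check_authpf_setup "$t" jggimi-authpf || echo "== $t is NOT ready"
                rm -rf "$t"
            done ;;
    "")     ;;      # no arguments (or sourced): just define the functions
    *)      check_authpf_setup "$1" "${2:?user name required}" ;;
esac
```

Run it with `--demo` to see the working tree pass and the broken tree fail on the authpf.allow check only, or as `sh authpf-check.sh "" jggimi-authpf` on the gateway. The script deliberately does not call pfctl, so it says nothing about whether the rules parse: syntax-check the main ruleset with `pfctl -nf /etc/pf.conf`, and the per-session file with the macro filled in, for example `pfctl -D user_ip=10.0.1.2 -nf /etc/authpf/authpf.rules`. Once a user is logged in, `pfctl -a 'authpf/*' -sr` lists the rules authpf actually loaded for that session. For the symptom in the first post (login accepted, then straight back to the prompt), the reason authpf refused the session goes to syslog under the daemon facility, which a default OpenBSD syslog.conf writes to /var/log/daemon rather than /var/log/messages.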
27th February 2012
dbach (Port Guard)
Join Date: Aug 2011 / Posts: 23
graphical representation of authpf use

Hello All:

I'm going to attach a basic PDF which I hope will help explain what I intended to accomplish using authpf. Based on the diagram is this the preferred method?

Thank you,
Darryl
Attached file: authpf gateway setup.pdf (17.8 KB)

27th February 2012
jggimi (More noise than signal)
Join Date: May 2008 / Location: USA / Posts: 7,975

What you show are two servers, each with publicly reachable IP addresses, and a plan to limit SSH access from one address. You can do that with a one line pass rule on Machine B, permitting only Machine A to reach Machine B's sshd(8) daemon. AuthPF is unnecessary, if what you posted is your entire topology.

In addition, with reasonable authentication methods (hint: NOT passwords), you could permit Machine B to allow SSH access from the entire Internet. I would be more concerned about attack vectors through your MTA, Web, and DNS services than SSH.

AuthPF is designed to use SSH authentication for a network gateway. It does this by altering PF rules for the authenticated user or authenticated IP address. Those rules would then permit access by the authenticated user to services that might not have any authentication of their own, such as http.
27th February 2012
daemonfowl (bsdstudent)
Join Date: Jan 2012 / Location: DaemonLand / Posts: 834

@jggimi, thank you so much!!!
2nd March 2012
dbach (Port Guard)
Join Date: Aug 2011 / Posts: 23

Thanks again jggimi, I appreciate your feedback.
18th January 2013
EverydayDiesel (Shell Scout)
Join Date: Jan 2009 / Posts: 124

Quote:
Originally Posted by jggimi
Further hints and suggestions
  • I always recommend using public key authentication over passwords for authentication, but the choice is yours (and your auditors, if applicable).

This was a great thread! Thanks jggimi

Do you have any tips on setting a file + password up? Tutorial/howto? From what I read, the "public" key goes on the client PCs and the "private" key goes on the router.
19th January 2013
jggimi (More noise than signal)
Join Date: May 2008 / Location: USA / Posts: 7,975

You have that backwards.

http://www.daemonforums.org/showpost...02&postcount=3
Tags
authpf, setup
