OpenBSD General: Other questions regarding OpenBSD which do not fit in any of the categories below.
authpf setup

Hello:

Been reading man pages and information online and not having any luck setting up authpf. Here's what I have so far.

Last line in /etc/pf.conf:
Code:
anchor "authpf/*"

Used adduser, created a regular user and using chsh changed from /bin/ksh to /usr/sbin/authpf, also made their class type authpf. In /etc/authpf I have the following:

authpf.allow - no content
authpf.conf - no content
authpf.rules:
Code:
external_if = "pcn0"
pass in quick on $external_if proto tcp from $user_ip to any
pass in quick on $external_if from $user_ip to any

When I try to login as the user with shell set to /usr/sbin/authpf it shows:
Code:
Last unsuccessful login: <date>
Last login:
Welcome to: <hostname>

Then back to login prompt. Any guidance or suggestions would be appreciated.

Thanks,
Darryl
|
|||
jggimi
Thanks for the response, I'll mess with it some more tomorrow at work. It seems whenever I set the class for the user to authpf and the shell to /usr/sbin/authpf it fails the login; it's probably trying to authenticate and failing, then going back to the login prompt. I've been looking at the content in /var/log/messages to get an indication as to what the issue is, but so far it's not overly helpful.

Darryl
|
|||
authpf setup - need help

Running OBSD 4.9 and have been trying to set up authpf for weeks with absolutely no luck. Does anyone know of a minimalist online approach that clearly shows what content should be in which file in order for this to work?

I'd like to know what's required in each of the following files for ssh authentication with adapter pcn0:

/etc/authpf/authpf.conf
/etc/authpf/authpf.rules
/etc/authpf/authpf.allow
/etc/pf.conf

Is it best to change the character class to authpf or set the user's shell to /usr/sbin/authpf? I want this to apply to all users so I didn't create /etc/authpf/users. If able to provide some feedback I'd REALLY appreciate it. So far http://www.openbsd.org/faq/pf/authpf.html and The Book of PF and man pages haven't got me up and running.

Darryl
|
I assembled a lab with three computers:

["Internet"] - ["router"] - ["user"]

The router had the following extremely simple pf.conf:
Code:
block all
pass in proto tcp from any to any port 22
anchor "authpf/*"

# touch /etc/authpf/authpf.conf

I created the following in /etc/authpf/authpf.rules:
Code:
pass from $user_ip to any
pass from any to $user_ip

Code:
# adduser
Couldn't find /etc/adduser.conf: creating a new adduser configuration file
Reading /etc/shells
Enter your default shell: csh ksh nologin sh [ksh]:
Your default shell is: ksh -> /bin/ksh
Default login class: authpf bgpd daemon default staff [default]:
Enter your default HOME partition: [/home]:
Copy dotfiles from: /etc/skel no [/etc/skel]:
Send welcome message?: /path/file default no [no]:
Do not send message(s)
Prompt for passwords by default (y/n) [y]:
Default encryption method for passwords: auto blowfish des md5 old [auto]:
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: jggimi-authpf
Enter full name []:
Enter shell csh ksh nologin sh [ksh]:
Uid [1000]:
Login group jggimi-authpf [jggimi-authpf]:
Login group is ``jggimi-authpf''. Invite jggimi-authpf into other groups: guest no [no]:
Login class authpf bgpd daemon default staff [default]: authpf
Enter password []:
Enter password again []:

Name:        jggimi-authpf
Password:    ****
Fullname:    jggimi-authpf
Uid:         1000
Gid:         1000 (jggimi-authpf)
Groups:      jggimi-authpf
Login Class: authpf
HOME:        /home/jggimi-authpf
Shell:       /bin/ksh
OK? (y/n) [y]: y
Added user ``jggimi-authpf''
Copy files from /etc/skel to /home/jggimi-authpf
Add another user? (y/n) [y]: n
Goodbye!
#

Code:
# ssh jggimi-authpf@10.0.1.1
jggimi-authpf@10.0.1.1's password:
Last login: Mon Jan 30 21:56:48 2012 from 10.0.1.2
Hello jggimi-authpf. You are authenticated from host "10.0.1.2"

---

In a real world environment, your rules would obviously be realistic. Mine were simple, just to prove the minimum required to create an Authpf environment.
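Darryl's question was which file needs what, and the lab above shows the minimum set of files. The script below is an added example written for this page, not code from the thread or from OpenBSD; it walks a configuration tree (`/` on a live gateway, or a constructed tree given as the first argument) and reports the things authpf(8) needs before a login can succeed: the `anchor "authpf/*"` line in pf.conf, an existing (possibly empty) /etc/authpf/authpf.conf, an authpf.rules that actually uses the per-session `$user_ip` or `$user_id` macros, an authpf.allow that, if it exists, lists the user (authpf treats an existing allow file as a whitelist, with `*` meaning everyone, so an empty one admits nobody), an `authpf` class in login.conf that sets `shell=/usr/sbin/authpf`, and a master.passwd entry that routes the user into authpf either via that class or via the shell field. The function name `authpf_check`, the script name `check_authpf.sh` and the `PROBLEM:` output format are this example's own conventions.

```shell
#!/bin/sh
# check_authpf.sh - added example: sanity-check an authpf(8) gateway setup.
# Not code from the thread or from OpenBSD; the function name, script name
# and "PROBLEM:" output lines are this example's own conventions.
#
# Usage: authpf_check [ROOT] [USER]
#   ROOT  directory holding etc/ to inspect ("" or / on a live gateway,
#         a constructed tree when testing)
#   USER  optional login name whose allow-list and passwd entry are checked
# Prints one "PROBLEM:" line per defect and returns the number of defects.

authpf_check() {
    root=${1:-}
    user=${2:-}
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # 1. pf.conf must load the per-session anchors that authpf creates
    if ! grep -Eq '^[[:space:]]*anchor[[:space:]]+"?authpf/\*"?' "$root/etc/pf.conf" 2>/dev/null; then
        fail "no 'anchor \"authpf/*\"' line in /etc/pf.conf"
    fi

    # 2. authpf.conf must exist; an empty file is fine, a missing one is not
    [ -f "$root/etc/authpf/authpf.conf" ] || fail "/etc/authpf/authpf.conf is missing (touch it)"

    # 3. authpf.rules must exist and use the macros authpf substitutes per session
    rules="$root/etc/authpf/authpf.rules"
    if [ ! -f "$rules" ]; then
        fail "/etc/authpf/authpf.rules is missing"
    elif ! grep -Eq '\$user_ip|\$user_id' "$rules"; then
        fail "authpf.rules never uses \$user_ip or \$user_id, so the rules are not per-user"
    fi

    # 4. authpf.allow, when present, is a whitelist: only listed users (or "*") get in
    allow="$root/etc/authpf/authpf.allow"
    if [ -f "$allow" ]; then
        if [ -n "$user" ]; then
            grep -Eqx "($user|\*)" "$allow" \
                || fail "authpf.allow exists but lists neither $user nor *"
        elif ! grep -Eq '^[^#[:space:]]' "$allow"; then
            fail "authpf.allow exists but is empty, so nobody is allowed"
        fi
    fi

    # 5. the authpf login class must hand the user the authpf shell.
    #    login.conf entries continue across lines with a trailing backslash,
    #    so join continuation lines before looking at the authpf entry.
    lc="$root/etc/login.conf"
    if [ -f "$lc" ]; then
        entry=$(awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next }
                     { print buf $0; buf = "" }' "$lc" | grep '^authpf:')
        case "$entry" in
            '')                         fail "no authpf login class in /etc/login.conf" ;;
            *:shell=/usr/sbin/authpf:*) ;;
            *)                          fail "authpf login class does not set shell=/usr/sbin/authpf" ;;
        esac
    else
        fail "/etc/login.conf is missing"
    fi

    # 6. the account must reach authpf either through its class or its shell field
    #    (master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell)
    mp="$root/etc/master.passwd"
    if [ -n "$user" ] && [ -f "$mp" ]; then
        line=$(grep "^$user:" "$mp")
        if [ -z "$line" ]; then
            fail "$user has no entry in /etc/master.passwd"
        else
            class=$(printf '%s\n' "$line" | cut -d: -f5)
            shell=$(printf '%s\n' "$line" | cut -d: -f10)
            [ "$class" = authpf ] || [ "$shell" = /usr/sbin/authpf ] \
                || fail "$user has neither login class authpf nor shell /usr/sbin/authpf"
        fi
    fi

    return "$problems"
}

# Run directly as "sh check_authpf.sh / darryl"; when the file is sourced
# under another name nothing runs, so the function can be reused.
case $0 in *check_authpf.sh) authpf_check "$@" ;; esac
```

Run it as root on the gateway with the login name in question; a clean tree prints nothing and exits 0, and each `PROBLEM:` line names the file to fix. The allow-file check is the one most easily missed: a file that exists but is empty silently turns everyone away, which looks exactly like the greeting followed by an immediate logout described in the first post.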
|
Great post jggmi!
Thank you, denta.

Just to clarify regarding the authpf login class -- it overrides the userid shell and motd settings:
Code:
#
# Authpf accounts get a special motd and shell
#
authpf:\
	:welcome=/etc/motd.authpf:\
	:shell=/usr/sbin/authpf:\
	:tc=default:
Further hints and suggestions
Last edited by jggimi; 31st January 2012 at 01:11 PM.
graphical representation of authpf use

Hello All:

I'm going to attach a basic PDF which I hope will help explain what I intended to accomplish using authpf. Based on the diagram is this the preferred method?

Thank you,
Darryl
What you show are two servers, each with publicly reachable IP addresses, and a plan to limit SSH access from one address. You can do that with a one line pass rule on Machine B, permitting only Machine A to reach Machine B's sshd(8) daemon. AuthPF is unnecessary, if what you posted is your entire topology.

In addition, with reasonable authentication methods (hint: NOT passwords), you could permit Machine B to allow SSH access from the entire Internet. I would be more concerned about attack vectors through your MTA, Web, and DNS services than SSH.

AuthPF is designed to use SSH authentication for a network gateway. It does this by altering PF rules for the authenticated user or authenticated IP address. Those rules would then permit access by the authenticated user to services that might not have any authentication of their own, such as http.
@ Jgimmi, thank you so much !!!
Thanks again Jgimmi, appreciate your feedback
Quote:
This was a great thread! Thanks jggimi

Do you have any tips on setting a file + password up? Tutorial/howto

From what I read the "public" goes on the client pc's and the "private" key goes on the router