xref: /openbsd/usr.sbin/authpf/authpf.8 (revision 264ca280) 
1.\" $OpenBSD: authpf.8,v 1.54 2015/11/01 21:26:48 jmc Exp $
2.\"
3.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>.  All rights reserved.
4.\"
5.\" Permission to use, copy, modify, and distribute this software for any
6.\" purpose with or without fee is hereby granted, provided that the above
7.\" copyright notice and this permission notice appear in all copies.
8.\"
9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\"
17.Dd $Mdocdate: November 1 2015 $
18.Dt AUTHPF 8
19.Os
20.Sh NAME
21.Nm authpf ,
22.Nm authpf-noip
23.Nd authenticating gateway user shell
24.Sh SYNOPSIS
25.Nm authpf
26.Nm authpf-noip
27.Sh DESCRIPTION
28.Nm
29is a user shell for authenticating gateways.
30It is used to change
31.Xr pf 4
32rules when a user authenticates and starts a session with
33.Xr sshd 8
34and to undo these changes when the user's session exits.
35Typical use would be for a gateway that authenticates users before
36allowing them Internet use, or a gateway that allows different users into
37different places.
38Combined with properly set up filter rules and secure switches,
39.Nm
40can be used to ensure users are held accountable for their network traffic.
41It is meant to be used with users who can connect via
42.Xr ssh 1
43only, and requires the
44.Xr pf 4
45subsystem to be enabled.
46.Pp
47.Nm authpf-noip
48is a user shell
49which allows multiple connections to take
50place from the same IP address.
51It is useful primarily in cases where connections are tunneled via
52the gateway system, and can be directly associated with the user name.
53It cannot ensure accountability when
54classifying connections by IP address;
55in this case the client's IP address
56is not provided to the packet filter via the
57.Ar client_ip
58macro or the
59.Ar authpf_users
60table.
61Additionally, states associated with the client IP address
62are not purged when the session is ended.
63.Pp
64To use either
65.Nm
66or
67.Nm authpf-noip ,
68the user's shell needs to be set to
69.Pa /usr/sbin/authpf
70or
71.Pa /usr/sbin/authpf-noip .
72.Pp
73.Nm
74uses the
75.Xr pf.conf 5
76syntax to change rules for an individual user or client IP address
77as long as a user maintains an active
78.Xr ssh 1
79session, and logs the successful start and end of a session to
80.Xr syslogd 8 .
81.Nm
82retrieves the client's connecting IP address via the
83.Ev SSH_CLIENT
84environment variable and, after performing additional access checks,
85reads a template file to determine what rules (if any) to add, and
86maintains the list of IP addresses of connected users in the
87.Ar authpf_users
88table.
89On session exit the same rules and table entries that were added at startup
90are removed, and all states associated with the client's IP address are purged.
91.Pp
92Each
93.Nm
94process stores its rules in a separate ruleset inside a
95.Xr pf 4
96.Pa anchor
97shared by all
98.Nm
99processes.
100By default, the
101.Pa anchor
102name "authpf" is used, and the ruleset names equal the username and PID of the
103.Nm
104processes as "username(pid)".
105The following needs to be added to the main ruleset
106.Pa /etc/pf.conf
107in order to cause evaluation of any
108.Nm
109rules:
110.Bd -literal -offset indent
111anchor "authpf/*"
112.Ed
113.Pp
114The "/*" at the end of the anchor name is required for
115.Xr pf 4
116to process the rulesets attached to the anchor by
117.Nm authpf .
118.Sh FILTER RULES
119Filter rules for
120.Nm
121use the same format described in
122.Xr pf.conf 5 .
123The only difference is that these rules may (and probably should) use
124the macro
125.Em user_ip ,
126which is assigned the connecting IP address whenever
127.Nm
128is run.
129Additionally, the macro
130.Em user_id
131is assigned the user name.
132.Pp
133Rules are stored in a file called
134.Pa authpf.rules .
135This file will first be searched for in
136.Pa /etc/authpf/users/$USER/ ,
137then in
138.Pa /etc/authpf/groups/$GROUP/
139and finally in
140.Pa /etc/authpf/ .
141Only the first found file will be used.
142.Pp
143Per-user rules from the
144.Pa /etc/authpf/users/$USER/
145directory are intended to be used when non-default rules
146are needed on an individual user basis.
147Per-group rules from the
148.Pa /etc/authpf/groups/$GROUP/
149directory are intended to be used when non-default rules
150are needed on a group basis.
151It is important to ensure that a user cannot write or change
152these configuration files.
153.Pp
154The
155.Pa authpf.rules
156file must exist in one of the above locations for
157.Nm
158to run.
159.Sh CONFIGURATION
160Options are controlled by the
161.Pa /etc/authpf/authpf.conf
162file.
163If the file is empty, defaults are used for all
164configuration options.
165The file consists of pairs of the form
166.Li name=value ,
167one per line.
168Currently, the allowed values are as follows:
169.Bl -tag -width Ds
170.It anchor=name
171Use the specified
172.Pa anchor
173name instead of "authpf".
174.It table=name
175Use the specified
176.Pa table
177name instead of "authpf_users".
178.El
179.Sh USER MESSAGES
180On successful invocation,
181.Nm
182displays a message telling the user he or she has been authenticated.
183It will additionally display the contents of the file called
184.Pa authpf.message .
185This file will first be searched for in
186.Pa /etc/authpf/users/$USER/
187and then in
188.Pa /etc/authpf/ .
189Only one of these files will be used if both are present.
190.Pp
191There exist two methods for providing additional granularity to the control
192offered by
193.Nm
194- it is possible to set the gateway to explicitly allow users who have
195authenticated to
196.Xr ssh 1
197and deny access to only a few troublesome individuals.
198This is done by creating a file with the banned user's login name as the
199filename in
200.Pa /etc/authpf/banned/ .
201The contents of this file will be displayed to a banned user, thus providing
202a method for informing the user that they have been banned, and where they can
203go and how to get there if they want to have their service restored.
204This is the default behaviour.
205.Pp
206It is also possible to configure
207.Nm
208to only allow specific users access.
209This is done by listing their login names, one per line, in
210.Pa /etc/authpf/authpf.allow .
211A group of users can also be indicated by prepending "%" to the group name,
212and all members of a login class can be indicated by prepending "@" to the
213login class name.
214If "*" is found on a line, then all usernames match.
215If
216.Nm
217is unable to verify the user's permission to use the gateway, it will
218print a brief message and die.
219It should be noted that a ban takes precedence over an allow.
220.Pp
221On failure, messages will be logged to
222.Xr syslogd 8
223for the system administrator.
224The user does not see these, but will be told the system is unavailable due to
225technical difficulties.
226The contents of the file
227.Pa /etc/authpf/authpf.problem
228will also be displayed if the file exists and is readable.
229.Sh CONFIGURATION ISSUES
230.Nm
231maintains the changed rules as long as the user maintains an active session.
232It is important to remember however, that the existence
233of this session means the user is authenticated.
234Because of this, it is important to configure
235.Xr sshd 8
236to ensure the security of the session, and to ensure that the network
237through which users connect is secure.
238.Xr sshd 8
239should be configured to use the
240.Ar ClientAliveInterval
241and
242.Ar ClientAliveCountMax
243parameters to ensure that a ssh session is terminated quickly if
244it becomes unresponsive, or if arp or address spoofing is used to
245hijack the session.
246Note that TCP keepalives are not sufficient for
247this, since they are not secure.
248Also note that the various SSH tunnelling mechanisms,
249such as
250.Ar AllowTcpForwarding
251and
252.Ar PermitTunnel ,
253should be disabled for
254.Nm
255users to prevent them from circumventing restrictions imposed by the
256packet filter ruleset.
257.Pp
258.Nm
259will remove state table entries that were created during a user's
260session.
261This ensures that there will be no unauthenticated traffic
262allowed to pass after the controlling
263.Xr ssh 1
264session has been closed.
265.Pp
266.Nm
267is designed for gateway machines which typically do not have regular
268(non-administrative) users using the machine.
269An administrator must remember that
270.Nm
271can be used to modify the
272.Xr pf 4
273rules through the environment in which it is run, and as such could be
274used to modify the rules (based on the contents of the configuration files)
275by regular users.
276In the case where a machine has regular users using it, as well
277as users with
278.Nm
279as their shell, the regular users should be prevented from running
280.Nm
281by using the
282.Pa /etc/authpf/authpf.allow
283or
284.Pa /etc/authpf/banned/
285facilities.
286.Pp
287.Nm
288modifies the packet filter rules, and because of this it needs to
289be configured carefully.
290.Nm
291will not run and will exit silently if the
292.Pa /etc/authpf/authpf.conf
293file does not exist.
294After considering the effect
295.Nm
296may have on the main packet filter rules, the system administrator may
297enable
298.Nm
299by creating an appropriate
300.Pa /etc/authpf/authpf.conf
301file.
302.Sh EXAMPLES
303.Sy Control Files
304\- To illustrate the user-specific access control
305mechanisms, let us consider a typical user named bob.
306Normally, as long as bob can authenticate himself, the
307.Nm
308program will load the appropriate rules.
309Enter the
310.Pa /etc/authpf/banned/
311directory.
312If bob has somehow fallen from grace in the eyes of the
313powers-that-be, they can prohibit him from using the gateway by creating
314the file
315.Pa /etc/authpf/banned/bob
316containing a message about why he has been banned from using the network.
317Once bob has done suitable penance, his access may be restored by moving or
318removing the file
319.Pa /etc/authpf/banned/bob .
320.Pp
321Now consider a workgroup containing alice, bob, carol and dave.
322They have a
323wireless network which they would like to protect from unauthorized use.
324To accomplish this, they create the file
325.Pa /etc/authpf/authpf.allow
326which lists their login ids, group prepended with "%", or login class
327prepended with "@", one per line.
328At this point, even if eve could authenticate to
329.Xr sshd 8 ,
330she would not be allowed to use the gateway.
331Adding and removing users from
332the work group is a simple matter of maintaining a list of allowed userids.
333If bob once again manages to annoy the powers-that-be, they can ban him from
334using the gateway by creating the familiar
335.Pa /etc/authpf/banned/bob
336file.
337Though bob is listed in the allow file, he is prevented from using
338this gateway due to the existence of a ban file.
339.Pp
340.Sy Distributed Authentication
341\- It is often desirable to interface with a
342distributed password system rather than forcing the sysadmins to keep a large
343number of local password files in sync.
344The
345.Xr login.conf 5
346mechanism in
347.Ox
348can be used to fork the right shell.
349To make that happen,
350.Xr login.conf 5
351should have entries that look something like this:
352.Bd -literal -offset indent
353shell-default:shell=/bin/csh
354
355default:\e
356	...
357	:shell=/usr/sbin/authpf
358
359daemon:\e
360	...
361	:shell=/bin/csh:\e
362	:tc=default:
363
364staff:\e
365	...
366	:shell=/bin/csh:\e
367	:tc=default:
368.Ed
369.Pp
370Using a default password file, all users will get
371.Nm
372as their shell except for root who will get
373.Pa /bin/csh .
374.Pp
375.Sy SSH Configuration
376\- As stated earlier,
377.Xr sshd 8
378must be properly configured to detect and defeat network attacks.
379To that end, the following options should be added to
380.Xr sshd_config 5 :
381.Bd -literal -offset indent
382Protocol 2
383ClientAliveInterval 15
384ClientAliveCountMax 3
385.Ed
386.Pp
387This ensures that unresponsive or spoofed sessions are terminated within a
388minute, since a hijacker should not be able to spoof ssh keepalive messages.
389.Pp
390.Sy Banners
391\- Once authenticated, the user is shown the contents of
392.Pa /etc/authpf/authpf.message .
393This message may be a screen-full of the appropriate use policy, the contents
394of
395.Pa /etc/motd
396or something as simple as the following:
397.Bd -literal -offset indent
398This means you will be held accountable by the powers that be
399for traffic originating from your machine, so please play nice.
400.Ed
401.Pp
402To tell the user where to go when the system is broken,
403.Pa /etc/authpf/authpf.problem
404could contain something like this:
405.Bd -literal -offset indent
406Sorry, there appears to be some system problem. To report this
407problem so we can fix it, please phone 1-900-314-1597 or send
408an email to remove@bulkmailerz.net.
409.Ed
410.Pp
411.Sy Packet Filter Rules
412\- In areas where this gateway is used to protect a
413wireless network (a hub with several hundred ports), the default rule set as
414well as the per-user rules should probably allow very few things beyond
415encrypted protocols like
416.Xr ssh 1 ,
417.Xr ssl 8 ,
418or
419.Xr ipsec 4 .
420On a securely switched network, with plug-in jacks for visitors who are
421given authentication accounts, you might want to allow out everything.
422In this context, a secure switch is one that tries to prevent address table
423overflow attacks.
424.Pp
425Example
426.Pa /etc/pf.conf :
427.Bd -literal
428# by default we allow internal clients to talk to us using
429# ssh and use us as a dns server.
430internal_if="fxp1"
431gateway_addr="10.0.1.1"
432block in on $internal_if from any to any
433pass in quick on $internal_if proto tcp from any to $gateway_addr \e
434      port = ssh
435pass in quick on $internal_if proto udp from any to $gateway_addr \e
436      port = domain
437anchor "authpf/*"
438.Ed
439.Pp
440.Sy For a switched, wired net
441\- This example
442.Pa /etc/authpf/authpf.rules
443makes no real restrictions; it turns the IP address on and off, logging
444TCP connections.
445.Bd -literal
446external_if = "xl0"
447internal_if = "fxp0"
448
449pass in log quick on $internal_if proto tcp from $user_ip to any
450pass in quick on $internal_if from $user_ip to any
451.Ed
452.Pp
453.Sy For a wireless or shared net
454\- This example
455.Pa /etc/authpf/authpf.rules
456could be used for an insecure network (such as a public wireless network) where
457we might need to be a bit more restrictive.
458.Bd -literal
459internal_if="fxp1"
460ipsec_gw="10.2.3.4"
461
462# rdr ftp for proxying by ftp-proxy(8)
463match in on $internal_if proto tcp from $user_ip to any port 21 \e
464      rdr-to 127.0.0.1 port 8021
465
466# allow out ftp, ssh, www and https only, and allow user to negotiate
467# ipsec with the ipsec server.
468pass in log quick on $internal_if proto tcp from $user_ip to any \e
469      port { 21, 22, 80, 443 }
470pass in quick on $internal_if proto tcp from $user_ip to any \e
471      port { 21, 22, 80, 443 }
472pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
473pass in quick proto esp from $user_ip to $ipsec_gw
474.Ed
475.Pp
476.Sy Dealing with NAT
477\- The following
478.Pa /etc/authpf/authpf.rules
479shows how to deal with NAT, using tags:
480.Bd -literal
481ext_if = "fxp1"
482ext_addr = 129.128.11.10
483int_if = "fxp0"
484# nat and tag connections...
485match out on $ext_if from $user_ip to any tag $user_ip nat-to $ext_addr
486pass in quick on $int_if from $user_ip to any
487pass out log quick on $ext_if tagged $user_ip
488.Ed
489.Pp
490With the above rules added by
491.Nm ,
492outbound connections corresponding to each users NAT'ed connections
493will be logged as in the example below, where the user may be identified
494from the ruleset name.
495.Bd -literal
496# tcpdump -n -e -ttt -i pflog0
497Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
498129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
49916384 <mss 1460,nop,nop,sackOK> (DF)
500.Ed
501.Pp
502.Sy Using the authpf_users table
503\- Simple
504.Nm
505settings can be implemented without an anchor by just using the "authpf_users"
506.Pa table .
507For example, the following
508.Xr pf.conf 5
509lines will give SMTP and IMAP access to logged in users:
510.Bd -literal
511table <authpf_users> persist
512pass in on $ext_if proto tcp from <authpf_users> \e
513        to port { smtp imap }
514.Ed
515.Pp
516It is also possible to use the "authpf_users"
517.Pa table
518in combination with anchors.
519For example,
520.Xr pf 4
521processing can be sped up by looking up the anchor
522only for packets coming from logged in users:
523.Bd -literal
524table <authpf_users> persist
525anchor "authpf/*" from <authpf_users>
526.Ed
527.Pp
528.Sy Tunneled users
529\- normally
530.Nm
531allows only one session per client IP address.
532However in some cases, such as when connections are tunneled via
533.Xr ssh 1
534or
535.Xr ipsec 4 ,
536the connections can be authorized based on the userid of the user instead of
537the client IP address.
538In this case it is appropriate to use
539.Nm authpf-noip
540to allow multiple users behind a NAT gateway to connect.
541In the
542.Pa /etc/authpf/authpf.rules
543example below, the remote user could tunnel a remote desktop session to their
544workstation:
545.Bd -literal
546internal_if="bge0"
547workstation_ip="10.2.3.4"
548
549pass out on $internal_if from (self) to $workstation_ip port 3389 \e
550       user $user_id
551.Ed
552.Sh FILES
553.Bl -tag -width "/etc/authpf/authpf.conf" -compact
554.It Pa /etc/authpf/authpf.conf
555.It Pa /etc/authpf/authpf.allow
556.It Pa /etc/authpf/authpf.rules
557.It Pa /etc/authpf/authpf.message
558.It Pa /etc/authpf/authpf.problem
559.El
560.Sh SEE ALSO
561.Xr pf 4 ,
562.Xr pf.conf 5 ,
563.Xr securelevel 7 ,
564.Xr ftp-proxy 8
565.Sh HISTORY
566The
567.Nm
568program first appeared in
569.Ox 3.1 .
570.Sh BUGS
571Configuration issues are tricky.
572The authenticating
573.Xr ssh 1
574connection may be secured, but if the network is not secured the user may
575expose insecure protocols to attackers on the same network, or enable other
576attackers on the network to pretend to be the user by spoofing their IP
577address.
578.Pp
579.Nm
580is not designed to prevent users from denying service to other users.
581