1.\" $FreeBSD$ 2.\" $OpenBSD: authpf.8,v 1.38 2005/01/04 09:57:04 jmc Exp $ 3.\" 4.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. The name of the author may not be used to endorse or promote products 15.\" derived from this software without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27.\" 28.Dd March 28, 2006 29.Dt AUTHPF 8 30.Os 31.Sh NAME 32.Nm authpf 33.Nd authenticating gateway user shell 34.Sh SYNOPSIS 35.Nm authpf 36.Sh DESCRIPTION 37.Nm 38is a user shell for authenticating gateways. 39It is used to change 40.Xr pf 4 41rules when a user authenticates and starts a session with 42.Xr sshd 8 43and to undo these changes when the user's session exits. 44It is designed for changing filter and translation rules for an individual 45source IP address as long as a user maintains an active 46.Xr ssh 1 47session. 48Typical use would be for a gateway that authenticates users before 49allowing them Internet use, or a gateway that allows different users into 50different places. 51.Nm 52logs the successful start and end of a session to 53.Xr syslogd 8 . 54This, combined with properly set up filter rules and secure switches, 55can be used to ensure users are held accountable for their network traffic. 56.Pp 57.Nm 58can add filter and translation rules using the syntax described in 59.Xr pf.conf 5 . 60.Nm 61requires that the 62.Xr pf 4 63system be enabled and a 64.Xr fdescfs 5 65file system be mounted at 66.Pa /dev/fd 67before use. 68.Nm 69can also maintain the list of IP address of connected users 70in the "authpf_users" 71.Pa table . 72.Pp 73.Nm 74is meant to be used with users who can connect via 75.Xr ssh 1 76only. 77On startup, 78.Nm 79retrieves the client's connecting IP address via the 80.Ev SSH_CLIENT 81environment variable and, after performing additional access checks, 82reads a template file to determine what filter and translation rules 83(if any) to add. 84On session exit the same rules that were added at startup are removed. 85.Pp 86Each 87.Nm 88process stores its rules in a separate ruleset inside a 89.Xr pf 4 90.Pa anchor 91shared by all 92.Nm 93processes. 94By default, the 95.Pa anchor 96name "authpf" is used, and the ruleset names equal the username and PID of the 97.Nm 98processes as "username(pid)". 99The following rules need to be added to the main ruleset 100.Pa /etc/pf.conf 101in order to cause evaluation of any 102.Nm 103rules: 104.Bd -literal -offset indent 105nat-anchor "authpf/*" 106rdr-anchor "authpf/*" 107binat-anchor "authpf/*" 108anchor "authpf/*" 109.Ed 110.Pp 111The "/*" at the end of the anchor name is required for 112.Xr pf 4 113to process the rulesets attached to the anchor by 114.Nm authpf . 115.Sh FILTER AND TRANSLATION RULES 116Filter and translation rules for 117.Nm 118use the same format described in 119.Xr pf.conf 5 . 120The only difference is that these rules may (and probably should) use 121the macro 122.Em user_ip , 123which is assigned the connecting IP address whenever 124.Nm 125is run. 126Additionally, the macro 127.Em user_id 128is assigned the user name. 129.Pp 130Filter and translation rules are stored in a file called 131.Pa authpf.rules . 132This file will first be searched for in 133.Pa /etc/authpf/users/$USER/ 134and then in 135.Pa /etc/authpf/ . 136Only one of these files will be used if both are present. 137.Pp 138Per-user rules from the 139.Pa /etc/authpf/users/$USER/ 140directory are intended to be used when non-default rules 141are needed on an individual user basis. 142It is important to ensure that a user can not write or change 143these configuration files. 144.Pp 145The 146.Pa authpf.rules 147file must exist in one of the above locations for 148.Nm 149to run. 150.Sh CONFIGURATION 151Options are controlled by the 152.Pa /etc/authpf/authpf.conf 153file. 154If the file is empty, defaults are used for all 155configuration options. 156The file consists of pairs of the form 157.Li name=value , 158one per line. 159Currently, the allowed values are as follows: 160.Bl -tag -width Ds 161.It anchor=name 162Use the specified 163.Pa anchor 164name instead of "authpf". 165.It table=name 166Use the specified 167.Pa table 168name instead of "authpf_users". 169.El 170.Sh USER MESSAGES 171On successful invocation, 172.Nm 173displays a message telling the user he or she has been authenticated. 174It will additionally display the contents of the file 175.Pa /etc/authpf/authpf.message 176if the file exists and is readable. 177.Pp 178There exist two methods for providing additional granularity to the control 179offered by 180.Nm 181- it is possible to set the gateway to explicitly allow users who have 182authenticated to 183.Xr ssh 1 184and deny access to only a few troublesome individuals. 185This is done by creating a file with the banned user's login name as the 186filename in 187.Pa /etc/authpf/banned/ . 188The contents of this file will be displayed to a banned user, thus providing 189a method for informing the user that they have been banned, and where they can 190go and how to get there if they want to have their service restored. 191This is the default behaviour. 192.Pp 193It is also possible to configure 194.Nm 195to only allow specific users access. 196This is done by listing their login names, one per line, in 197.Pa /etc/authpf/authpf.allow . 198If "*" is found on a line, then all usernames match. 199If 200.Nm 201is unable to verify the user's permission to use the gateway, it will 202print a brief message and die. 203It should be noted that a ban takes precedence over an allow. 204.Pp 205On failure, messages will be logged to 206.Xr syslogd 8 207for the system administrator. 208The user does not see these, but will be told the system is unavailable due to 209technical difficulties. 210The contents of the file 211.Pa /etc/authpf/authpf.problem 212will also be displayed if the file exists and is readable. 213.Sh CONFIGURATION ISSUES 214.Nm 215maintains the changed filter rules as long as the user maintains an 216active session. 217It is important to remember however, that the existence 218of this session means the user is authenticated. 219Because of this, it is important to configure 220.Xr sshd 8 221to ensure the security of the session, and to ensure that the network 222through which users connect is secure. 223.Xr sshd 8 224should be configured to use the 225.Ar ClientAliveInterval 226and 227.Ar ClientAliveCountMax 228parameters to ensure that a ssh session is terminated quickly if 229it becomes unresponsive, or if arp or address spoofing is used to 230hijack the session. 231Note that TCP keepalives are not sufficient for 232this, since they are not secure. 233Also note that 234.Ar AllowTcpForwarding 235should be disabled for 236.Nm 237users to prevent them from circumventing restrictions imposed by the 238packet filter ruleset. 239.Pp 240.Nm 241will remove state table entries that were created during a user's 242session. 243This ensures that there will be no unauthenticated traffic 244allowed to pass after the controlling 245.Xr ssh 1 246session has been closed. 247.Pp 248.Nm 249is designed for gateway machines which typically do not have regular 250(non-administrative) users using the machine. 251An administrator must remember that 252.Nm 253can be used to modify the filter rules through the environment in 254which it is run, and as such could be used to modify the filter rules 255(based on the contents of the configuration files) by regular 256users. 257In the case where a machine has regular users using it, as well 258as users with 259.Nm 260as their shell, the regular users should be prevented from running 261.Nm 262by using the 263.Pa /etc/authpf/authpf.allow 264or 265.Pa /etc/authpf/banned/ 266facilities. 267.Pp 268.Nm 269modifies the packet filter and address translation rules, and because 270of this it needs to be configured carefully. 271.Nm 272will not run and will exit silently if the 273.Pa /etc/authpf/authpf.conf 274file does not exist. 275After considering the effect 276.Nm 277may have on the main packet filter rules, the system administrator may 278enable 279.Nm 280by creating an appropriate 281.Pa /etc/authpf/authpf.conf 282file. 283.Sh EXAMPLES 284.Sy Control Files 285\- To illustrate the user-specific access control 286mechanisms, let us consider a typical user named bob. 287Normally, as long as bob can authenticate himself, the 288.Nm 289program will load the appropriate rules. 290Enter the 291.Pa /etc/authpf/banned/ 292directory. 293If bob has somehow fallen from grace in the eyes of the 294powers-that-be, they can prohibit him from using the gateway by creating 295the file 296.Pa /etc/authpf/banned/bob 297containing a message about why he has been banned from using the network. 298Once bob has done suitable penance, his access may be restored by moving or 299removing the file 300.Pa /etc/authpf/banned/bob . 301.Pp 302Now consider a workgroup containing alice, bob, carol and dave. 303They have a 304wireless network which they would like to protect from unauthorized use. 305To accomplish this, they create the file 306.Pa /etc/authpf/authpf.allow 307which lists their login ids, one per line. 308At this point, even if eve could authenticate to 309.Xr sshd 8 , 310she would not be allowed to use the gateway. 311Adding and removing users from 312the work group is a simple matter of maintaining a list of allowed userids. 313If bob once again manages to annoy the powers-that-be, they can ban him from 314using the gateway by creating the familiar 315.Pa /etc/authpf/banned/bob 316file. 317Though bob is listed in the allow file, he is prevented from using 318this gateway due to the existence of a ban file. 319.Pp 320.Sy Distributed Authentication 321\- It is often desirable to interface with a 322distributed password system rather than forcing the sysadmins to keep a large 323number of local password files in sync. 324The 325.Xr login.conf 5 326mechanism in 327.Ox 328can be used to fork the right shell. 329To make that happen, 330.Xr login.conf 5 331should have entries that look something like this: 332.Bd -literal -offset indent 333shell-default:shell=/bin/csh 334 335default:\e 336 ... 337 :shell=/usr/sbin/authpf 338 339daemon:\e 340 ... 341 :shell=/bin/csh:\e 342 :tc=default: 343 344staff:\e 345 ... 346 :shell=/bin/csh:\e 347 :tc=default: 348.Ed 349.Pp 350Using a default password file, all users will get 351.Nm 352as their shell except for root who will get 353.Pa /bin/csh . 354.Pp 355.Sy SSH Configuration 356\- As stated earlier, 357.Xr sshd 8 358must be properly configured to detect and defeat network attacks. 359To that end, the following options should be added to 360.Xr sshd_config 5 : 361.Bd -literal -offset indent 362Protocol 2 363ClientAliveInterval 15 364ClientAliveCountMax 3 365.Ed 366.Pp 367This ensures that unresponsive or spoofed sessions are terminated within a 368minute, since a hijacker should not be able to spoof ssh keepalive messages. 369.Pp 370.Sy Banners 371\- Once authenticated, the user is shown the contents of 372.Pa /etc/authpf/authpf.message . 373This message may be a screen-full of the appropriate use policy, the contents 374of 375.Pa /etc/motd 376or something as simple as the following: 377.Bd -literal -offset indent 378This means you will be held accountable by the powers that be 379for traffic originating from your machine, so please play nice. 380.Ed 381.Pp 382To tell the user where to go when the system is broken, 383.Pa /etc/authpf/authpf.problem 384could contain something like this: 385.Bd -literal -offset indent 386Sorry, there appears to be some system problem. To report this 387problem so we can fix it, please phone 1-900-314-1597 or send 388an email to remove@bulkmailerz.net. 389.Ed 390.Pp 391.Sy Packet Filter Rules 392\- In areas where this gateway is used to protect a 393wireless network (a hub with several hundred ports), the default rule set as 394well as the per-user rules should probably allow very few things beyond 395encrypted protocols like 396.Xr ssh 1 , 397.Xr ssl 8 , 398or 399.Xr ipsec 4 . 400On a securely switched network, with plug-in jacks for visitors who are 401given authentication accounts, you might want to allow out everything. 402In this context, a secure switch is one that tries to prevent address table 403overflow attacks. 404.Pp 405Example 406.Pa /etc/pf.conf : 407.Bd -literal 408# by default we allow internal clients to talk to us using 409# ssh and use us as a dns server. 410internal_if="fxp1" 411gateway_addr="10.0.1.1" 412nat-anchor "authpf/*" 413rdr-anchor "authpf/*" 414binat-anchor "authpf/*" 415block in on $internal_if from any to any 416pass in quick on $internal_if proto tcp from any to $gateway_addr \e 417 port = ssh 418pass in quick on $internal_if proto udp from any to $gateway_addr \e 419 port = domain 420anchor "authpf/*" 421.Ed 422.Pp 423.Sy For a switched, wired net 424\- This example 425.Pa /etc/authpf/authpf.rules 426makes no real restrictions; it turns the IP address on and off, logging 427TCP connections. 428.Bd -literal 429external_if = "xl0" 430internal_if = "fxp0" 431 432pass in log quick on $internal_if proto tcp from $user_ip to any \e 433 keep state 434pass in quick on $internal_if from $user_ip to any 435.Ed 436.Pp 437.Sy For a wireless or shared net 438\- This example 439.Pa /etc/authpf/authpf.rules 440could be used for an insecure network (such as a public wireless network) where 441we might need to be a bit more restrictive. 442.Bd -literal 443internal_if="fxp1" 444ipsec_gw="10.2.3.4" 445 446# rdr ftp for proxying by ftp-proxy(8) 447rdr on $internal_if proto tcp from $user_ip to any port 21 \e 448 -> 127.0.0.1 port 8081 449 450# allow out ftp, ssh, www and https only, and allow user to negotiate 451# ipsec with the ipsec server. 452pass in log quick on $internal_if proto tcp from $user_ip to any \e 453 port { 21, 22, 80, 443 } flags S/SA 454pass in quick on $internal_if proto tcp from $user_ip to any \e 455 port { 21, 22, 80, 443 } 456pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e 457 keep state 458pass in quick proto esp from $user_ip to $ipsec_gw 459.Ed 460.Pp 461.Sy Dealing with NAT 462\- The following 463.Pa /etc/authpf/authpf.rules 464shows how to deal with NAT, using tags: 465.Bd -literal 466ext_if = "fxp1" 467ext_addr = 129.128.11.10 468int_if = "fxp0" 469# nat and tag connections... 470nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr 471pass in quick on $int_if from $user_ip to any 472pass out log quick on $ext_if tagged $user_ip keep state 473.Ed 474.Pp 475With the above rules added by 476.Nm , 477outbound connections corresponding to each users NAT'ed connections 478will be logged as in the example below, where the user may be identified 479from the ruleset name. 480.Bd -literal 481# tcpdump -n -e -ttt -i pflog0 482Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e 483129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e 48416384 <mss 1460,nop,nop,sackOK> (DF) 485.Ed 486.Pp 487.Sy Using the authpf_users table 488\- Simple 489.Nm 490settings can be implemented without an anchor by just using the "authpf_users" 491.Pa table . 492For example, the following 493.Xr pf.conf 5 494lines will give SMTP and IMAP access to logged in users: 495.Bd -literal 496table <authpf_users> persist 497pass in on $ext_if proto tcp from <authpf_users> \e 498 to port { smtp imap } keep state 499.Ed 500.Pp 501It is also possible to use the "authpf_users" 502.Pa table 503in combination with anchors. 504For example, 505.Xr pf 4 506processing can be sped up by looking up the anchor 507only for packets coming from logged in users: 508.Bd -literal 509table <authpf_users> persist 510anchor "authpf/*" from <authpf_users> 511rdr-anchor "authpf/*" from <authpf_users> 512.Ed 513.Sh FILES 514.Bl -tag -width "/etc/authpf/authpf.conf" -compact 515.It Pa /etc/authpf/authpf.conf 516.It Pa /etc/authpf/authpf.allow 517.It Pa /etc/authpf/authpf.rules 518.It Pa /etc/authpf/authpf.message 519.It Pa /etc/authpf/authpf.problem 520.El 521.Sh SEE ALSO 522.Xr pf 4 , 523.Xr pf.conf 5 , 524.Xr fdescfs 5 , 525.Xr ftp-proxy 8 526.Sh HISTORY 527The 528.Nm 529program first appeared in 530.Ox 3.1 . 531.Sh BUGS 532Configuration issues are tricky. 533The authenticating 534.Xr ssh 1 535connection may be secured, but if the network is not secured the user may 536expose insecure protocols to attackers on the same network, or enable other 537attackers on the network to pretend to be the user by spoofing their IP 538address. 539.Pp 540.Nm 541is not designed to prevent users from denying service to other users. 542