xref: /openbsd/usr.sbin/authpf/authpf.8 (revision e5dd7070) 
1.\" $OpenBSD: authpf.8,v 1.55 2020/04/05 10:11:07 jmc Exp $
2.\"
3.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>.  All rights reserved.
4.\"
5.\" Permission to use, copy, modify, and distribute this software for any
6.\" purpose with or without fee is hereby granted, provided that the above
7.\" copyright notice and this permission notice appear in all copies.
8.\"
9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\"
17.Dd $Mdocdate: April 5 2020 $
18.Dt AUTHPF 8
19.Os
20.Sh NAME
21.Nm authpf ,
22.Nm authpf-noip
23.Nd authenticating gateway user shell
24.Sh SYNOPSIS
25.Nm authpf
26.Nm authpf-noip
27.Sh DESCRIPTION
28.Nm
29is a user shell for authenticating gateways.
30It is used to change
31.Xr pf 4
32rules when a user authenticates and starts a session with
33.Xr sshd 8
34and to undo these changes when the user's session exits.
35Typical use would be for a gateway that authenticates users before
36allowing them Internet use, or a gateway that allows different users into
37different places.
38Combined with properly set up filter rules and secure switches,
39.Nm
40can be used to ensure users are held accountable for their network traffic.
41It is meant to be used with users who can connect via
42.Xr ssh 1
43only, and requires the
44.Xr pf 4
45subsystem to be enabled.
46.Pp
47.Nm authpf-noip
48is a user shell
49which allows multiple connections to take
50place from the same IP address.
51It is useful primarily in cases where connections are tunneled via
52the gateway system, and can be directly associated with the user name.
53It cannot ensure accountability when
54classifying connections by IP address;
55in this case the client's IP address
56is not provided to the packet filter via the
57.Ar client_ip
58macro or the
59.Ar authpf_users
60table.
61Additionally, states associated with the client IP address
62are not purged when the session is ended.
63.Pp
64To use either
65.Nm
66or
67.Nm authpf-noip ,
68the user's shell needs to be set to
69.Pa /usr/sbin/authpf
70or
71.Pa /usr/sbin/authpf-noip .
72.Pp
73.Nm
74uses the
75.Xr pf.conf 5
76syntax to change rules for an individual user or client IP address
77as long as a user maintains an active
78.Xr ssh 1
79session, and logs the successful start and end of a session to
80.Xr syslogd 8 .
81.Nm
82retrieves the client's connecting IP address via the
83.Ev SSH_CLIENT
84environment variable and, after performing additional access checks,
85reads a template file to determine what rules (if any) to add, and
86maintains the list of IP addresses of connected users in the
87.Ar authpf_users
88table.
89On session exit the same rules and table entries that were added at startup
90are removed, and all states associated with the client's IP address are purged.
91.Pp
92Each
93.Nm
94process stores its rules in a separate ruleset inside a
95.Xr pf 4
96.Pa anchor
97shared by all
98.Nm
99processes.
100By default, the
101.Pa anchor
102name "authpf" is used, and the ruleset names equal the username and PID of the
103.Nm
104processes as "username(pid)".
105The following needs to be added to the main ruleset
106.Pa /etc/pf.conf
107in order to cause evaluation of any
108.Nm
109rules:
110.Bd -literal -offset indent
111anchor "authpf/*"
112.Ed
113.Pp
114The "/*" at the end of the anchor name is required for
115.Xr pf 4
116to process the rulesets attached to the anchor by
117.Nm authpf .
118.Sh FILTER RULES
119Filter rules for
120.Nm
121use the same format described in
122.Xr pf.conf 5 .
123The only difference is that these rules may (and probably should) use
124the macro
125.Em user_ip ,
126which is assigned the connecting IP address whenever
127.Nm
128is run.
129Additionally, the macro
130.Em user_id
131is assigned the user name.
132.Pp
133Rules are stored in a file called
134.Pa authpf.rules .
135This file will first be searched for in
136.Pa /etc/authpf/users/$USER/ ,
137then in
138.Pa /etc/authpf/groups/$GROUP/
139and finally in
140.Pa /etc/authpf/ .
141Only the first found file will be used.
142.Pp
143Per-user rules from the
144.Pa /etc/authpf/users/$USER/
145directory are intended to be used when non-default rules
146are needed on an individual user basis.
147Per-group rules from the
148.Pa /etc/authpf/groups/$GROUP/
149directory are intended to be used when non-default rules
150are needed on a group basis.
151It is important to ensure that a user cannot write or change
152these configuration files.
153.Pp
154The
155.Pa authpf.rules
156file must exist in one of the above locations for
157.Nm
158to run.
159.Sh CONFIGURATION
160Options are controlled by the
161.Pa /etc/authpf/authpf.conf
162file.
163If the file is empty, defaults are used for all
164configuration options.
165The file consists of pairs of the form
166.Li name=value ,
167one per line.
168Currently, the allowed values are as follows:
169.Bl -tag -width Ds
170.It anchor=name
171Use the specified
172.Pa anchor
173name instead of "authpf".
174.It table=name
175Use the specified
176.Pa table
177name instead of "authpf_users".
178.El
179.Sh USER MESSAGES
180On successful invocation,
181.Nm
182displays a message telling the user he or she has been authenticated.
183It will additionally display the contents of the file called
184.Pa authpf.message .
185This file will first be searched for in
186.Pa /etc/authpf/users/$USER/
187and then in
188.Pa /etc/authpf/ .
189Only one of these files will be used if both are present.
190.Pp
191There exist two methods for providing additional granularity to the control
192offered by
193.Nm
194- it is possible to set the gateway to explicitly allow users who have
195authenticated to
196.Xr ssh 1
197and deny access to only a few troublesome individuals.
198This is done by creating a file with the banned user's login name as the
199filename in
200.Pa /etc/authpf/banned/ .
201The contents of this file will be displayed to a banned user, thus providing
202a method for informing the user that they have been banned, and where they can
203go and how to get there if they want to have their service restored.
204This is the default behaviour.
205.Pp
206It is also possible to configure
207.Nm
208to only allow specific users access.
209This is done by listing their login names, one per line, in
210.Pa /etc/authpf/authpf.allow .
211A group of users can also be indicated by prepending "%" to the group name,
212and all members of a login class can be indicated by prepending "@" to the
213login class name.
214If "*" is found on a line, then all usernames match.
215If
216.Nm
217is unable to verify the user's permission to use the gateway, it will
218print a brief message and die.
219It should be noted that a ban takes precedence over an allow.
220.Pp
221On failure, messages will be logged to
222.Xr syslogd 8
223for the system administrator.
224The user does not see these, but will be told the system is unavailable due to
225technical difficulties.
226The contents of the file
227.Pa /etc/authpf/authpf.problem
228will also be displayed if the file exists and is readable.
229.Sh CONFIGURATION ISSUES
230.Nm
231maintains the changed rules as long as the user maintains an active session.
232It is important to remember however, that the existence
233of this session means the user is authenticated.
234Because of this, it is important to configure
235.Xr sshd 8
236to ensure the security of the session, and to ensure that the network
237through which users connect is secure.
238.Xr sshd 8
239should be configured to use the
240.Ar ClientAliveInterval
241and
242.Ar ClientAliveCountMax
243parameters to ensure that a ssh session is terminated quickly if
244it becomes unresponsive, or if arp or address spoofing is used to
245hijack the session.
246Note that TCP keepalives are not sufficient for
247this, since they are not secure.
248Also note that the various SSH tunnelling mechanisms,
249such as
250.Ar AllowTcpForwarding
251and
252.Ar PermitTunnel ,
253should be disabled for
254.Nm
255users to prevent them from circumventing restrictions imposed by the
256packet filter ruleset.
257.Pp
258.Nm
259will remove state table entries that were created during a user's
260session.
261This ensures that there will be no unauthenticated traffic
262allowed to pass after the controlling
263.Xr ssh 1
264session has been closed.
265.Pp
266.Nm
267is designed for gateway machines which typically do not have regular
268(non-administrative) users using the machine.
269An administrator must remember that
270.Nm
271can be used to modify the
272.Xr pf 4
273rules through the environment in which it is run, and as such could be
274used to modify the rules (based on the contents of the configuration files)
275by regular users.
276In the case where a machine has regular users using it, as well
277as users with
278.Nm
279as their shell, the regular users should be prevented from running
280.Nm
281by using the
282.Pa /etc/authpf/authpf.allow
283or
284.Pa /etc/authpf/banned/
285facilities.
286.Pp
287.Nm
288modifies the packet filter rules, and because of this it needs to
289be configured carefully.
290.Nm
291will not run and will exit silently if the
292.Pa /etc/authpf/authpf.conf
293file does not exist.
294After considering the effect
295.Nm
296may have on the main packet filter rules, the system administrator may
297enable
298.Nm
299by creating an appropriate
300.Pa /etc/authpf/authpf.conf
301file.
302.Sh EXAMPLES
303.Sy Control Files
304\- To illustrate the user-specific access control
305mechanisms, let us consider a typical user named bob.
306Normally, as long as bob can authenticate himself, the
307.Nm
308program will load the appropriate rules.
309Enter the
310.Pa /etc/authpf/banned/
311directory.
312If bob has somehow fallen from grace in the eyes of the
313powers-that-be, they can prohibit him from using the gateway by creating
314the file
315.Pa /etc/authpf/banned/bob
316containing a message about why he has been banned from using the network.
317Once bob has done suitable penance, his access may be restored by moving or
318removing the file
319.Pa /etc/authpf/banned/bob .
320.Pp
321Now consider a workgroup containing alice, bob, carol and dave.
322They have a
323wireless network which they would like to protect from unauthorized use.
324To accomplish this, they create the file
325.Pa /etc/authpf/authpf.allow
326which lists their login ids, group prepended with "%", or login class
327prepended with "@", one per line.
328At this point, even if eve could authenticate to
329.Xr sshd 8 ,
330she would not be allowed to use the gateway.
331Adding and removing users from
332the work group is a simple matter of maintaining a list of allowed userids.
333If bob once again manages to annoy the powers-that-be, they can ban him from
334using the gateway by creating the familiar
335.Pa /etc/authpf/banned/bob
336file.
337Though bob is listed in the allow file, he is prevented from using
338this gateway due to the existence of a ban file.
339.Pp
340.Sy Distributed Authentication
341\- It is often desirable to interface with a
342distributed password system rather than forcing the sysadmins to keep a large
343number of local password files in sync.
344The
345.Xr login.conf 5
346mechanism in
347.Ox
348can be used to fork the right shell.
349To make that happen,
350.Xr login.conf 5
351should have entries that look something like this:
352.Bd -literal -offset indent
353shell-default:shell=/bin/csh
354
355default:\e
356	...
357	:shell=/usr/sbin/authpf
358
359daemon:\e
360	...
361	:shell=/bin/csh:\e
362	:tc=default:
363
364staff:\e
365	...
366	:shell=/bin/csh:\e
367	:tc=default:
368.Ed
369.Pp
370Using a default password file, all users will get
371.Nm
372as their shell except for root who will get
373.Pa /bin/csh .
374.Pp
375.Sy SSH Configuration
376\- As stated earlier,
377.Xr sshd 8
378must be properly configured to detect and defeat network attacks.
379To that end, the following options should be added to
380.Xr sshd_config 5 :
381.Bd -literal -offset indent
382ClientAliveInterval 15
383ClientAliveCountMax 3
384.Ed
385.Pp
386This ensures that unresponsive or spoofed sessions are terminated within a
387minute, since a hijacker should not be able to spoof ssh keepalive messages.
388.Pp
389.Sy Banners
390\- Once authenticated, the user is shown the contents of
391.Pa /etc/authpf/authpf.message .
392This message may be a screen-full of the appropriate use policy, the contents
393of
394.Pa /etc/motd
395or something as simple as the following:
396.Bd -literal -offset indent
397This means you will be held accountable by the powers that be
398for traffic originating from your machine, so please play nice.
399.Ed
400.Pp
401To tell the user where to go when the system is broken,
402.Pa /etc/authpf/authpf.problem
403could contain something like this:
404.Bd -literal -offset indent
405Sorry, there appears to be some system problem. To report this
406problem so we can fix it, please phone 1-900-314-1597 or send
407an email to remove@bulkmailerz.net.
408.Ed
409.Pp
410.Sy Packet Filter Rules
411\- In areas where this gateway is used to protect a
412wireless network (a hub with several hundred ports), the default rule set as
413well as the per-user rules should probably allow very few things beyond
414encrypted protocols like
415.Xr ssh 1 ,
416.Xr ssl 8 ,
417or
418.Xr ipsec 4 .
419On a securely switched network, with plug-in jacks for visitors who are
420given authentication accounts, you might want to allow out everything.
421In this context, a secure switch is one that tries to prevent address table
422overflow attacks.
423.Pp
424Example
425.Pa /etc/pf.conf :
426.Bd -literal
427# by default we allow internal clients to talk to us using
428# ssh and use us as a dns server.
429internal_if="fxp1"
430gateway_addr="10.0.1.1"
431block in on $internal_if from any to any
432pass in quick on $internal_if proto tcp from any to $gateway_addr \e
433      port = ssh
434pass in quick on $internal_if proto udp from any to $gateway_addr \e
435      port = domain
436anchor "authpf/*"
437.Ed
438.Pp
439.Sy For a switched, wired net
440\- This example
441.Pa /etc/authpf/authpf.rules
442makes no real restrictions; it turns the IP address on and off, logging
443TCP connections.
444.Bd -literal
445external_if = "xl0"
446internal_if = "fxp0"
447
448pass in log quick on $internal_if proto tcp from $user_ip to any
449pass in quick on $internal_if from $user_ip to any
450.Ed
451.Pp
452.Sy For a wireless or shared net
453\- This example
454.Pa /etc/authpf/authpf.rules
455could be used for an insecure network (such as a public wireless network) where
456we might need to be a bit more restrictive.
457.Bd -literal
458internal_if="fxp1"
459ipsec_gw="10.2.3.4"
460
461# rdr ftp for proxying by ftp-proxy(8)
462match in on $internal_if proto tcp from $user_ip to any port 21 \e
463      rdr-to 127.0.0.1 port 8021
464
465# allow out ftp, ssh, www and https only, and allow user to negotiate
466# ipsec with the ipsec server.
467pass in log quick on $internal_if proto tcp from $user_ip to any \e
468      port { 21, 22, 80, 443 }
469pass in quick on $internal_if proto tcp from $user_ip to any \e
470      port { 21, 22, 80, 443 }
471pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
472pass in quick proto esp from $user_ip to $ipsec_gw
473.Ed
474.Pp
475.Sy Dealing with NAT
476\- The following
477.Pa /etc/authpf/authpf.rules
478shows how to deal with NAT, using tags:
479.Bd -literal
480ext_if = "fxp1"
481ext_addr = 129.128.11.10
482int_if = "fxp0"
483# nat and tag connections...
484match out on $ext_if from $user_ip to any tag $user_ip nat-to $ext_addr
485pass in quick on $int_if from $user_ip to any
486pass out log quick on $ext_if tagged $user_ip
487.Ed
488.Pp
489With the above rules added by
490.Nm ,
491outbound connections corresponding to each users NAT'ed connections
492will be logged as in the example below, where the user may be identified
493from the ruleset name.
494.Bd -literal
495# tcpdump -n -e -ttt -i pflog0
496Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
497129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
49816384 <mss 1460,nop,nop,sackOK> (DF)
499.Ed
500.Pp
501.Sy Using the authpf_users table
502\- Simple
503.Nm
504settings can be implemented without an anchor by just using the "authpf_users"
505.Pa table .
506For example, the following
507.Xr pf.conf 5
508lines will give SMTP and IMAP access to logged in users:
509.Bd -literal
510table <authpf_users> persist
511pass in on $ext_if proto tcp from <authpf_users> \e
512        to port { smtp imap }
513.Ed
514.Pp
515It is also possible to use the "authpf_users"
516.Pa table
517in combination with anchors.
518For example,
519.Xr pf 4
520processing can be sped up by looking up the anchor
521only for packets coming from logged in users:
522.Bd -literal
523table <authpf_users> persist
524anchor "authpf/*" from <authpf_users>
525.Ed
526.Pp
527.Sy Tunneled users
528\- normally
529.Nm
530allows only one session per client IP address.
531However in some cases, such as when connections are tunneled via
532.Xr ssh 1
533or
534.Xr ipsec 4 ,
535the connections can be authorized based on the userid of the user instead of
536the client IP address.
537In this case it is appropriate to use
538.Nm authpf-noip
539to allow multiple users behind a NAT gateway to connect.
540In the
541.Pa /etc/authpf/authpf.rules
542example below, the remote user could tunnel a remote desktop session to their
543workstation:
544.Bd -literal
545internal_if="bge0"
546workstation_ip="10.2.3.4"
547
548pass out on $internal_if from (self) to $workstation_ip port 3389 \e
549       user $user_id
550.Ed
551.Sh FILES
552.Bl -tag -width "/etc/authpf/authpf.conf" -compact
553.It Pa /etc/authpf/authpf.conf
554.It Pa /etc/authpf/authpf.allow
555.It Pa /etc/authpf/authpf.rules
556.It Pa /etc/authpf/authpf.message
557.It Pa /etc/authpf/authpf.problem
558.El
559.Sh SEE ALSO
560.Xr pf 4 ,
561.Xr pf.conf 5 ,
562.Xr securelevel 7 ,
563.Xr ftp-proxy 8
564.Sh HISTORY
565The
566.Nm
567program first appeared in
568.Ox 3.1 .
569.Sh BUGS
570Configuration issues are tricky.
571The authenticating
572.Xr ssh 1
573connection may be secured, but if the network is not secured the user may
574expose insecure protocols to attackers on the same network, or enable other
575attackers on the network to pretend to be the user by spoofing their IP
576address.
577.Pp
578.Nm
579is not designed to prevent users from denying service to other users.
580