xref: /freebsd/contrib/pf/authpf/authpf.8 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" $FreeBSD$
2.\" $OpenBSD: authpf.8,v 1.43 2007/02/24 17:21:04 beck Exp $
3.\"
4.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>.  All rights reserved.
5.\"
6.\" Permission to use, copy, modify, and distribute this software for any
7.\" purpose with or without fee is hereby granted, provided that the above
8.\" copyright notice and this permission notice appear in all copies.
9.\"
10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17.\"
18.Dd March 28, 2006
19.Dt AUTHPF 8
20.Os
21.Sh NAME
22.Nm authpf
23.Nd authenticating gateway user shell
24.Sh SYNOPSIS
25.Nm authpf
26.Sh DESCRIPTION
27.Nm
28is a user shell for authenticating gateways.
29It is used to change
30.Xr pf 4
31rules when a user authenticates and starts a session with
32.Xr sshd 8
33and to undo these changes when the user's session exits.
34It is designed for changing filter and translation rules for an individual
35source IP address as long as a user maintains an active
36.Xr ssh 1
37session.
38Typical use would be for a gateway that authenticates users before
39allowing them Internet use, or a gateway that allows different users into
40different places.
41.Nm
42logs the successful start and end of a session to
43.Xr syslogd 8 .
44This, combined with properly set up filter rules and secure switches,
45can be used to ensure users are held accountable for their network traffic.
46.Pp
47.Nm
48can add filter and translation rules using the syntax described in
49.Xr pf.conf 5 .
50.Nm
51requires that the
52.Xr pf 4
53system be enabled and a
54.Xr fdescfs 5
55file system be mounted at
56.Pa /dev/fd
57before use.
58.Nm
59can also maintain the list of IP address of connected users
60in the "authpf_users"
61.Pa table .
62.Pp
63.Nm
64is meant to be used with users who can connect via
65.Xr ssh 1
66only.
67On startup,
68.Nm
69retrieves the client's connecting IP address via the
70.Ev SSH_CLIENT
71environment variable and, after performing additional access checks,
72reads a template file to determine what filter and translation rules
73(if any) to add.
74On session exit the same rules that were added at startup are removed.
75.Pp
76Each
77.Nm
78process stores its rules in a separate ruleset inside a
79.Xr pf 4
80.Pa anchor
81shared by all
82.Nm
83processes.
84By default, the
85.Pa anchor
86name "authpf" is used, and the ruleset names equal the username and PID of the
87.Nm
88processes as "username(pid)".
89The following rules need to be added to the main ruleset
90.Pa /etc/pf.conf
91in order to cause evaluation of any
92.Nm
93rules:
94.Bd -literal -offset indent
95nat-anchor "authpf/*"
96rdr-anchor "authpf/*"
97binat-anchor "authpf/*"
98anchor "authpf/*"
99.Ed
100.Pp
101The "/*" at the end of the anchor name is required for
102.Xr pf 4
103to process the rulesets attached to the anchor by
104.Nm authpf .
105.Sh FILTER AND TRANSLATION RULES
106Filter and translation rules for
107.Nm
108use the same format described in
109.Xr pf.conf 5 .
110The only difference is that these rules may (and probably should) use
111the macro
112.Em user_ip ,
113which is assigned the connecting IP address whenever
114.Nm
115is run.
116Additionally, the macro
117.Em user_id
118is assigned the user name.
119.Pp
120Filter and translation rules are stored in a file called
121.Pa authpf.rules .
122This file will first be searched for in
123.Pa /etc/authpf/users/$USER/
124and then in
125.Pa /etc/authpf/ .
126Only one of these files will be used if both are present.
127.Pp
128Per-user rules from the
129.Pa /etc/authpf/users/$USER/
130directory are intended to be used when non-default rules
131are needed on an individual user basis.
132It is important to ensure that a user can not write or change
133these configuration files.
134.Pp
135The
136.Pa authpf.rules
137file must exist in one of the above locations for
138.Nm
139to run.
140.Sh CONFIGURATION
141Options are controlled by the
142.Pa /etc/authpf/authpf.conf
143file.
144If the file is empty, defaults are used for all
145configuration options.
146The file consists of pairs of the form
147.Li name=value ,
148one per line.
149Currently, the allowed values are as follows:
150.Bl -tag -width Ds
151.It anchor=name
152Use the specified
153.Pa anchor
154name instead of "authpf".
155.It table=name
156Use the specified
157.Pa table
158name instead of "authpf_users".
159.El
160.Sh USER MESSAGES
161On successful invocation,
162.Nm
163displays a message telling the user he or she has been authenticated.
164It will additionally display the contents of the file
165.Pa /etc/authpf/authpf.message
166if the file exists and is readable.
167.Pp
168There exist two methods for providing additional granularity to the control
169offered by
170.Nm
171- it is possible to set the gateway to explicitly allow users who have
172authenticated to
173.Xr ssh 1
174and deny access to only a few troublesome individuals.
175This is done by creating a file with the banned user's login name as the
176filename in
177.Pa /etc/authpf/banned/ .
178The contents of this file will be displayed to a banned user, thus providing
179a method for informing the user that they have been banned, and where they can
180go and how to get there if they want to have their service restored.
181This is the default behaviour.
182.Pp
183It is also possible to configure
184.Nm
185to only allow specific users access.
186This is done by listing their login names, one per line, in
187.Pa /etc/authpf/authpf.allow .
188If "*" is found on a line, then all usernames match.
189If
190.Nm
191is unable to verify the user's permission to use the gateway, it will
192print a brief message and die.
193It should be noted that a ban takes precedence over an allow.
194.Pp
195On failure, messages will be logged to
196.Xr syslogd 8
197for the system administrator.
198The user does not see these, but will be told the system is unavailable due to
199technical difficulties.
200The contents of the file
201.Pa /etc/authpf/authpf.problem
202will also be displayed if the file exists and is readable.
203.Sh CONFIGURATION ISSUES
204.Nm
205maintains the changed filter rules as long as the user maintains an
206active session.
207It is important to remember however, that the existence
208of this session means the user is authenticated.
209Because of this, it is important to configure
210.Xr sshd 8
211to ensure the security of the session, and to ensure that the network
212through which users connect is secure.
213.Xr sshd 8
214should be configured to use the
215.Ar ClientAliveInterval
216and
217.Ar ClientAliveCountMax
218parameters to ensure that a ssh session is terminated quickly if
219it becomes unresponsive, or if arp or address spoofing is used to
220hijack the session.
221Note that TCP keepalives are not sufficient for
222this, since they are not secure.
223Also note that the various SSH tunnelling mechanisms,
224such as
225.Ar AllowTcpForwarding
226and
227.Ar PermitTunnel ,
228should be disabled for
229.Nm
230users to prevent them from circumventing restrictions imposed by the
231packet filter ruleset.
232.Pp
233.Nm
234will remove state table entries that were created during a user's
235session.
236This ensures that there will be no unauthenticated traffic
237allowed to pass after the controlling
238.Xr ssh 1
239session has been closed.
240.Pp
241.Nm
242is designed for gateway machines which typically do not have regular
243(non-administrative) users using the machine.
244An administrator must remember that
245.Nm
246can be used to modify the filter rules through the environment in
247which it is run, and as such could be used to modify the filter rules
248(based on the contents of the configuration files) by regular
249users.
250In the case where a machine has regular users using it, as well
251as users with
252.Nm
253as their shell, the regular users should be prevented from running
254.Nm
255by using the
256.Pa /etc/authpf/authpf.allow
257or
258.Pa /etc/authpf/banned/
259facilities.
260.Pp
261.Nm
262modifies the packet filter and address translation rules, and because
263of this it needs to be configured carefully.
264.Nm
265will not run and will exit silently if the
266.Pa /etc/authpf/authpf.conf
267file does not exist.
268After considering the effect
269.Nm
270may have on the main packet filter rules, the system administrator may
271enable
272.Nm
273by creating an appropriate
274.Pa /etc/authpf/authpf.conf
275file.
276.Sh EXAMPLES
277.Sy Control Files
278\- To illustrate the user-specific access control
279mechanisms, let us consider a typical user named bob.
280Normally, as long as bob can authenticate himself, the
281.Nm
282program will load the appropriate rules.
283Enter the
284.Pa /etc/authpf/banned/
285directory.
286If bob has somehow fallen from grace in the eyes of the
287powers-that-be, they can prohibit him from using the gateway by creating
288the file
289.Pa /etc/authpf/banned/bob
290containing a message about why he has been banned from using the network.
291Once bob has done suitable penance, his access may be restored by moving or
292removing the file
293.Pa /etc/authpf/banned/bob .
294.Pp
295Now consider a workgroup containing alice, bob, carol and dave.
296They have a
297wireless network which they would like to protect from unauthorized use.
298To accomplish this, they create the file
299.Pa /etc/authpf/authpf.allow
300which lists their login ids, one per line.
301At this point, even if eve could authenticate to
302.Xr sshd 8 ,
303she would not be allowed to use the gateway.
304Adding and removing users from
305the work group is a simple matter of maintaining a list of allowed userids.
306If bob once again manages to annoy the powers-that-be, they can ban him from
307using the gateway by creating the familiar
308.Pa /etc/authpf/banned/bob
309file.
310Though bob is listed in the allow file, he is prevented from using
311this gateway due to the existence of a ban file.
312.Pp
313.Sy Distributed Authentication
314\- It is often desirable to interface with a
315distributed password system rather than forcing the sysadmins to keep a large
316number of local password files in sync.
317The
318.Xr login.conf 5
319mechanism in
320.Ox
321can be used to fork the right shell.
322To make that happen,
323.Xr login.conf 5
324should have entries that look something like this:
325.Bd -literal -offset indent
326shell-default:shell=/bin/csh
327
328default:\e
329	...
330	:shell=/usr/sbin/authpf
331
332daemon:\e
333	...
334	:shell=/bin/csh:\e
335	:tc=default:
336
337staff:\e
338	...
339	:shell=/bin/csh:\e
340	:tc=default:
341.Ed
342.Pp
343Using a default password file, all users will get
344.Nm
345as their shell except for root who will get
346.Pa /bin/csh .
347.Pp
348.Sy SSH Configuration
349\- As stated earlier,
350.Xr sshd 8
351must be properly configured to detect and defeat network attacks.
352To that end, the following options should be added to
353.Xr sshd_config 5 :
354.Bd -literal -offset indent
355Protocol 2
356ClientAliveInterval 15
357ClientAliveCountMax 3
358.Ed
359.Pp
360This ensures that unresponsive or spoofed sessions are terminated within a
361minute, since a hijacker should not be able to spoof ssh keepalive messages.
362.Pp
363.Sy Banners
364\- Once authenticated, the user is shown the contents of
365.Pa /etc/authpf/authpf.message .
366This message may be a screen-full of the appropriate use policy, the contents
367of
368.Pa /etc/motd
369or something as simple as the following:
370.Bd -literal -offset indent
371This means you will be held accountable by the powers that be
372for traffic originating from your machine, so please play nice.
373.Ed
374.Pp
375To tell the user where to go when the system is broken,
376.Pa /etc/authpf/authpf.problem
377could contain something like this:
378.Bd -literal -offset indent
379Sorry, there appears to be some system problem. To report this
380problem so we can fix it, please phone 1-900-314-1597 or send
381an email to remove@bulkmailerz.net.
382.Ed
383.Pp
384.Sy Packet Filter Rules
385\- In areas where this gateway is used to protect a
386wireless network (a hub with several hundred ports), the default rule set as
387well as the per-user rules should probably allow very few things beyond
388encrypted protocols like
389.Xr ssh 1 ,
390.Xr ssl 8 ,
391or
392.Xr ipsec 4 .
393On a securely switched network, with plug-in jacks for visitors who are
394given authentication accounts, you might want to allow out everything.
395In this context, a secure switch is one that tries to prevent address table
396overflow attacks.
397.Pp
398Example
399.Pa /etc/pf.conf :
400.Bd -literal
401# by default we allow internal clients to talk to us using
402# ssh and use us as a dns server.
403internal_if="fxp1"
404gateway_addr="10.0.1.1"
405nat-anchor "authpf/*"
406rdr-anchor "authpf/*"
407binat-anchor "authpf/*"
408block in on $internal_if from any to any
409pass in quick on $internal_if proto tcp from any to $gateway_addr \e
410      port = ssh
411pass in quick on $internal_if proto udp from any to $gateway_addr \e
412      port = domain
413anchor "authpf/*"
414.Ed
415.Pp
416.Sy For a switched, wired net
417\- This example
418.Pa /etc/authpf/authpf.rules
419makes no real restrictions; it turns the IP address on and off, logging
420TCP connections.
421.Bd -literal
422external_if = "xl0"
423internal_if = "fxp0"
424
425pass in log quick on $internal_if proto tcp from $user_ip to any
426pass in quick on $internal_if from $user_ip to any
427.Ed
428.Pp
429.Sy For a wireless or shared net
430\- This example
431.Pa /etc/authpf/authpf.rules
432could be used for an insecure network (such as a public wireless network) where
433we might need to be a bit more restrictive.
434.Bd -literal
435internal_if="fxp1"
436ipsec_gw="10.2.3.4"
437
438# rdr ftp for proxying by ftp-proxy(8)
439rdr on $internal_if proto tcp from $user_ip to any port 21 \e
440      -> 127.0.0.1 port 8021
441
442# allow out ftp, ssh, www and https only, and allow user to negotiate
443# ipsec with the ipsec server.
444pass in log quick on $internal_if proto tcp from $user_ip to any \e
445      port { 21, 22, 80, 443 }
446pass in quick on $internal_if proto tcp from $user_ip to any \e
447      port { 21, 22, 80, 443 }
448pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
449pass in quick proto esp from $user_ip to $ipsec_gw
450.Ed
451.Pp
452.Sy Dealing with NAT
453\- The following
454.Pa /etc/authpf/authpf.rules
455shows how to deal with NAT, using tags:
456.Bd -literal
457ext_if = "fxp1"
458ext_addr = 129.128.11.10
459int_if = "fxp0"
460# nat and tag connections...
461nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
462pass in quick on $int_if from $user_ip to any
463pass out log quick on $ext_if tagged $user_ip
464.Ed
465.Pp
466With the above rules added by
467.Nm ,
468outbound connections corresponding to each users NAT'ed connections
469will be logged as in the example below, where the user may be identified
470from the ruleset name.
471.Bd -literal
472# tcpdump -n -e -ttt -i pflog0
473Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
474129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
47516384 <mss 1460,nop,nop,sackOK> (DF)
476.Ed
477.Pp
478.Sy Using the authpf_users table
479\- Simple
480.Nm
481settings can be implemented without an anchor by just using the "authpf_users"
482.Pa table .
483For example, the following
484.Xr pf.conf 5
485lines will give SMTP and IMAP access to logged in users:
486.Bd -literal
487table <authpf_users> persist
488pass in on $ext_if proto tcp from <authpf_users> \e
489        to port { smtp imap }
490.Ed
491.Pp
492It is also possible to use the "authpf_users"
493.Pa table
494in combination with anchors.
495For example,
496.Xr pf 4
497processing can be sped up by looking up the anchor
498only for packets coming from logged in users:
499.Bd -literal
500table <authpf_users> persist
501anchor "authpf/*" from <authpf_users>
502rdr-anchor "authpf/*" from <authpf_users>
503.Ed
504.Sh FILES
505.Bl -tag -width "/etc/authpf/authpf.conf" -compact
506.It Pa /etc/authpf/authpf.conf
507.It Pa /etc/authpf/authpf.allow
508.It Pa /etc/authpf/authpf.rules
509.It Pa /etc/authpf/authpf.message
510.It Pa /etc/authpf/authpf.problem
511.El
512.Sh SEE ALSO
513.Xr pf 4 ,
514.Xr pf.conf 5 ,
515.Xr fdescfs 5 ,
516.Xr securelevel 7 ,
517.Xr ftp-proxy 8
518.Sh HISTORY
519The
520.Nm
521program first appeared in
522.Ox 3.1 .
523.Sh BUGS
524Configuration issues are tricky.
525The authenticating
526.Xr ssh 1
527connection may be secured, but if the network is not secured the user may
528expose insecure protocols to attackers on the same network, or enable other
529attackers on the network to pretend to be the user by spoofing their IP
530address.
531.Pp
532.Nm
533is not designed to prevent users from denying service to other users.
534