xref: /freebsd/contrib/pf/authpf/authpf.8 (revision 43a5ec4eb41567cc92586503212743d89686d78f)
1.\" $FreeBSD$
2.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $
3.\"
4.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>.  All rights reserved.
5.\"
6.\" Permission to use, copy, modify, and distribute this software for any
7.\" purpose with or without fee is hereby granted, provided that the above
8.\" copyright notice and this permission notice appear in all copies.
9.\"
10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17.\"
18.Dd January 29 2014
19.Dt AUTHPF 8
20.Os
21.Sh NAME
22.Nm authpf ,
23.Nm authpf-noip
24.Nd authenticating gateway user shell
25.Sh SYNOPSIS
26.Nm authpf
27.Nm authpf-noip
28.Sh DESCRIPTION
29.Nm
30is a user shell for authenticating gateways.
31It is used to change
32.Xr pf 4
33rules when a user authenticates and starts a session with
34.Xr sshd 8
35and to undo these changes when the user's session exits.
36Typical use would be for a gateway that authenticates users before
37allowing them Internet use, or a gateway that allows different users into
38different places.
39Combined with properly set up filter rules and secure switches,
40.Nm
41can be used to ensure users are held accountable for their network traffic.
42It is meant to be used with users who can connect via
43.Xr ssh 1
44only, and requires the
45.Xr pf 4
46subsystem and an
47.Xr fdescfs 5
48file system mounted at
49.Pa /dev/fd
50to be enabled.
51.Pp
52.Nm authpf-noip
53is a user shell
54which allows multiple connections to take
55place from the same IP address.
56It is useful primarily in cases where connections are tunneled via
57the gateway system, and can be directly associated with the user name.
58It cannot ensure accountability when
59classifying connections by IP address;
60in this case the client's IP address
61is not provided to the packet filter via the
62.Ar client_ip
63macro or the
64.Ar authpf_users
65table.
66Additionally, states associated with the client IP address
67are not purged when the session is ended.
68.Pp
69To use either
70.Nm
71or
72.Nm authpf-noip ,
73the user's shell needs to be set to
74.Pa /usr/sbin/authpf
75or
76.Pa /usr/sbin/authpf-noip .
77.Pp
78.Nm
79uses the
80.Xr pf.conf 5
81syntax to change filter and translation rules for an individual
82user or client IP address as long as a user maintains an active
83.Xr ssh 1
84session, and logs the successful start and end of a session to
85.Xr syslogd 8 .
86.Nm
87retrieves the client's connecting IP address via the
88.Ev SSH_CLIENT
89environment variable and, after performing additional access checks,
90reads a template file to determine what filter and translation rules
91(if any) to add, and
92maintains the list of IP addresses of connected users in the
93.Ar authpf_users
94table.
95On session exit the same rules and table entries that were added at startup
96are removed, and all states associated with the client's IP address are purged.
97.Pp
98Each
99.Nm
100process stores its rules in a separate ruleset inside a
101.Xr pf 4
102.Pa anchor
103shared by all
104.Nm
105processes.
106By default, the
107.Pa anchor
108name "authpf" is used, and the ruleset names equal the username and PID of the
109.Nm
110processes as "username(pid)".
111The following rules need to be added to the main ruleset
112.Pa /etc/pf.conf
113in order to cause evaluation of any
114.Nm
115rules:
116.Bd -literal -offset indent
117nat-anchor "authpf/*"
118rdr-anchor "authpf/*"
119binat-anchor "authpf/*"
120anchor "authpf/*"
121.Ed
122.Pp
123The "/*" at the end of the anchor name is required for
124.Xr pf 4
125to process the rulesets attached to the anchor by
126.Nm authpf .
127.Sh FILTER AND TRANSLATION RULES
128Filter and translation rules for
129.Nm
130use the same format described in
131.Xr pf.conf 5 .
132The only difference is that these rules may (and probably should) use
133the macro
134.Em user_ip ,
135which is assigned the connecting IP address whenever
136.Nm
137is run.
138Additionally, the macro
139.Em user_id
140is assigned the user name.
141.Pp
142Filter and translation rules are stored in a file called
143.Pa authpf.rules .
144This file will first be searched for in
145.Pa /etc/authpf/users/$USER/
146and then in
147.Pa /etc/authpf/ .
148Only one of these files will be used if both are present.
149.Pp
150Per-user rules from the
151.Pa /etc/authpf/users/$USER/
152directory are intended to be used when non-default rules
153are needed on an individual user basis.
154It is important to ensure that a user can not write or change
155these configuration files.
156.Pp
157The
158.Pa authpf.rules
159file must exist in one of the above locations for
160.Nm
161to run.
162.Sh CONFIGURATION
163Options are controlled by the
164.Pa /etc/authpf/authpf.conf
165file.
166If the file is empty, defaults are used for all
167configuration options.
168The file consists of pairs of the form
169.Li name=value ,
170one per line.
171Currently, the allowed values are as follows:
172.Bl -tag -width Ds
173.It anchor=name
174Use the specified
175.Pa anchor
176name instead of "authpf".
177.It table=name
178Use the specified
179.Pa table
180name instead of "authpf_users".
181.El
182.Sh USER MESSAGES
183On successful invocation,
184.Nm
185displays a message telling the user he or she has been authenticated.
186It will additionally display the contents of the file
187.Pa /etc/authpf/authpf.message
188if the file exists and is readable.
189.Pp
190There exist two methods for providing additional granularity to the control
191offered by
192.Nm
193- it is possible to set the gateway to explicitly allow users who have
194authenticated to
195.Xr ssh 1
196and deny access to only a few troublesome individuals.
197This is done by creating a file with the banned user's login name as the
198filename in
199.Pa /etc/authpf/banned/ .
200The contents of this file will be displayed to a banned user, thus providing
201a method for informing the user that they have been banned, and where they can
202go and how to get there if they want to have their service restored.
203This is the default behaviour.
204.Pp
205It is also possible to configure
206.Nm
207to only allow specific users access.
208This is done by listing their login names, one per line, in
209.Pa /etc/authpf/authpf.allow .
210A group of users can also be indicated by prepending "%" to the group name,
211and all members of a login class can be indicated by prepending "@" to the
212login class name.
213If "*" is found on a line, then all usernames match.
214If
215.Nm
216is unable to verify the user's permission to use the gateway, it will
217print a brief message and die.
218It should be noted that a ban takes precedence over an allow.
219.Pp
220On failure, messages will be logged to
221.Xr syslogd 8
222for the system administrator.
223The user does not see these, but will be told the system is unavailable due to
224technical difficulties.
225The contents of the file
226.Pa /etc/authpf/authpf.problem
227will also be displayed if the file exists and is readable.
228.Sh CONFIGURATION ISSUES
229.Nm
230maintains the changed filter rules as long as the user maintains an
231active session.
232It is important to remember however, that the existence
233of this session means the user is authenticated.
234Because of this, it is important to configure
235.Xr sshd 8
236to ensure the security of the session, and to ensure that the network
237through which users connect is secure.
238.Xr sshd 8
239should be configured to use the
240.Ar ClientAliveInterval
241and
242.Ar ClientAliveCountMax
243parameters to ensure that a ssh session is terminated quickly if
244it becomes unresponsive, or if arp or address spoofing is used to
245hijack the session.
246Note that TCP keepalives are not sufficient for
247this, since they are not secure.
248Also note that the various SSH tunnelling mechanisms,
249such as
250.Ar AllowTcpForwarding
251and
252.Ar PermitTunnel ,
253should be disabled for
254.Nm
255users to prevent them from circumventing restrictions imposed by the
256packet filter ruleset.
257.Pp
258.Nm
259will remove state table entries that were created during a user's
260session.
261This ensures that there will be no unauthenticated traffic
262allowed to pass after the controlling
263.Xr ssh 1
264session has been closed.
265.Pp
266.Nm
267is designed for gateway machines which typically do not have regular
268(non-administrative) users using the machine.
269An administrator must remember that
270.Nm
271can be used to modify the filter rules through the environment in
272which it is run, and as such could be used to modify the filter rules
273(based on the contents of the configuration files) by regular
274users.
275In the case where a machine has regular users using it, as well
276as users with
277.Nm
278as their shell, the regular users should be prevented from running
279.Nm
280by using the
281.Pa /etc/authpf/authpf.allow
282or
283.Pa /etc/authpf/banned/
284facilities.
285.Pp
286.Nm
287modifies the packet filter and address translation rules, and because
288of this it needs to be configured carefully.
289.Nm
290will not run and will exit silently if the
291.Pa /etc/authpf/authpf.conf
292file does not exist.
293After considering the effect
294.Nm
295may have on the main packet filter rules, the system administrator may
296enable
297.Nm
298by creating an appropriate
299.Pa /etc/authpf/authpf.conf
300file.
301.Sh EXAMPLES
302.Sy Control Files
303\- To illustrate the user-specific access control
304mechanisms, let us consider a typical user named bob.
305Normally, as long as bob can authenticate himself, the
306.Nm
307program will load the appropriate rules.
308Enter the
309.Pa /etc/authpf/banned/
310directory.
311If bob has somehow fallen from grace in the eyes of the
312powers-that-be, they can prohibit him from using the gateway by creating
313the file
314.Pa /etc/authpf/banned/bob
315containing a message about why he has been banned from using the network.
316Once bob has done suitable penance, his access may be restored by moving or
317removing the file
318.Pa /etc/authpf/banned/bob .
319.Pp
320Now consider a workgroup containing alice, bob, carol and dave.
321They have a
322wireless network which they would like to protect from unauthorized use.
323To accomplish this, they create the file
324.Pa /etc/authpf/authpf.allow
325which lists their login ids, group prepended with "%", or login class
326prepended with "@", one per line.
327At this point, even if eve could authenticate to
328.Xr sshd 8 ,
329she would not be allowed to use the gateway.
330Adding and removing users from
331the work group is a simple matter of maintaining a list of allowed userids.
332If bob once again manages to annoy the powers-that-be, they can ban him from
333using the gateway by creating the familiar
334.Pa /etc/authpf/banned/bob
335file.
336Though bob is listed in the allow file, he is prevented from using
337this gateway due to the existence of a ban file.
338.Pp
339.Sy Distributed Authentication
340\- It is often desirable to interface with a
341distributed password system rather than forcing the sysadmins to keep a large
342number of local password files in sync.
343The
344.Xr login.conf 5
345mechanism in
346.Ox
347can be used to fork the right shell.
348To make that happen,
349.Xr login.conf 5
350should have entries that look something like this:
351.Bd -literal -offset indent
352shell-default:shell=/bin/csh
353
354default:\e
355	...
356	:shell=/usr/sbin/authpf
357
358daemon:\e
359	...
360	:shell=/bin/csh:\e
361	:tc=default:
362
363staff:\e
364	...
365	:shell=/bin/csh:\e
366	:tc=default:
367.Ed
368.Pp
369Using a default password file, all users will get
370.Nm
371as their shell except for root who will get
372.Pa /bin/csh .
373.Pp
374.Sy SSH Configuration
375\- As stated earlier,
376.Xr sshd 8
377must be properly configured to detect and defeat network attacks.
378To that end, the following options should be added to
379.Xr sshd_config 5 :
380.Bd -literal -offset indent
381Protocol 2
382ClientAliveInterval 15
383ClientAliveCountMax 3
384.Ed
385.Pp
386This ensures that unresponsive or spoofed sessions are terminated within a
387minute, since a hijacker should not be able to spoof ssh keepalive messages.
388.Pp
389.Sy Banners
390\- Once authenticated, the user is shown the contents of
391.Pa /etc/authpf/authpf.message .
392This message may be a screen-full of the appropriate use policy, the contents
393of
394.Pa /etc/motd
395or something as simple as the following:
396.Bd -literal -offset indent
397This means you will be held accountable by the powers that be
398for traffic originating from your machine, so please play nice.
399.Ed
400.Pp
401To tell the user where to go when the system is broken,
402.Pa /etc/authpf/authpf.problem
403could contain something like this:
404.Bd -literal -offset indent
405Sorry, there appears to be some system problem. To report this
406problem so we can fix it, please phone 1-900-314-1597 or send
407an email to remove@bulkmailerz.net.
408.Ed
409.Pp
410.Sy Packet Filter Rules
411\- In areas where this gateway is used to protect a
412wireless network (a hub with several hundred ports), the default rule set as
413well as the per-user rules should probably allow very few things beyond
414encrypted protocols like
415.Xr ssh 1 ,
416.Xr ssl 8 ,
417or
418.Xr ipsec 4 .
419On a securely switched network, with plug-in jacks for visitors who are
420given authentication accounts, you might want to allow out everything.
421In this context, a secure switch is one that tries to prevent address table
422overflow attacks.
423.Pp
424Example
425.Pa /etc/pf.conf :
426.Bd -literal
427# by default we allow internal clients to talk to us using
428# ssh and use us as a dns server.
429internal_if="fxp1"
430gateway_addr="10.0.1.1"
431nat-anchor "authpf/*"
432rdr-anchor "authpf/*"
433binat-anchor "authpf/*"
434block in on $internal_if from any to any
435pass in quick on $internal_if proto tcp from any to $gateway_addr \e
436      port = ssh
437pass in quick on $internal_if proto udp from any to $gateway_addr \e
438      port = domain
439anchor "authpf/*"
440.Ed
441.Pp
442.Sy For a switched, wired net
443\- This example
444.Pa /etc/authpf/authpf.rules
445makes no real restrictions; it turns the IP address on and off, logging
446TCP connections.
447.Bd -literal
448external_if = "xl0"
449internal_if = "fxp0"
450
451pass in log quick on $internal_if proto tcp from $user_ip to any
452pass in quick on $internal_if from $user_ip to any
453.Ed
454.Pp
455.Sy For a wireless or shared net
456\- This example
457.Pa /etc/authpf/authpf.rules
458could be used for an insecure network (such as a public wireless network) where
459we might need to be a bit more restrictive.
460.Bd -literal
461internal_if="fxp1"
462ipsec_gw="10.2.3.4"
463
464# rdr ftp for proxying by ftp-proxy(8)
465rdr on $internal_if proto tcp from $user_ip to any port 21 \e
466      -> 127.0.0.1 port 8021
467
468# allow out ftp, ssh, www and https only, and allow user to negotiate
469# ipsec with the ipsec server.
470pass in log quick on $internal_if proto tcp from $user_ip to any \e
471      port { 21, 22, 80, 443 }
472pass in quick on $internal_if proto tcp from $user_ip to any \e
473      port { 21, 22, 80, 443 }
474pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp
475pass in quick proto esp from $user_ip to $ipsec_gw
476.Ed
477.Pp
478.Sy Dealing with NAT
479\- The following
480.Pa /etc/authpf/authpf.rules
481shows how to deal with NAT, using tags:
482.Bd -literal
483ext_if = "fxp1"
484ext_addr = 129.128.11.10
485int_if = "fxp0"
486# nat and tag connections...
487nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
488pass in quick on $int_if from $user_ip to any
489pass out log quick on $ext_if tagged $user_ip
490.Ed
491.Pp
492With the above rules added by
493.Nm ,
494outbound connections corresponding to each users NAT'ed connections
495will be logged as in the example below, where the user may be identified
496from the ruleset name.
497.Bd -literal
498# tcpdump -n -e -ttt -i pflog0
499Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
500129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
50116384 <mss 1460,nop,nop,sackOK> (DF)
502.Ed
503.Pp
504.Sy Using the authpf_users table
505\- Simple
506.Nm
507settings can be implemented without an anchor by just using the "authpf_users"
508.Pa table .
509For example, the following
510.Xr pf.conf 5
511lines will give SMTP and IMAP access to logged in users:
512.Bd -literal
513table <authpf_users> persist
514pass in on $ext_if proto tcp from <authpf_users> \e
515        to port { smtp imap }
516.Ed
517.Pp
518It is also possible to use the "authpf_users"
519.Pa table
520in combination with anchors.
521For example,
522.Xr pf 4
523processing can be sped up by looking up the anchor
524only for packets coming from logged in users:
525.Bd -literal
526table <authpf_users> persist
527anchor "authpf/*" from <authpf_users>
528rdr-anchor "authpf/*" from <authpf_users>
529.Ed
530.Pp
531.Sy Tunneled users
532\- normally
533.Nm
534allows only one session per client IP address.
535However in some cases, such as when connections are tunneled via
536.Xr ssh 1
537or
538.Xr ipsec 4 ,
539the connections can be authorized based on the userid of the user instead of
540the client IP address.
541In this case it is appropriate to use
542.Nm authpf-noip
543to allow multiple users behind a NAT gateway to connect.
544In the
545.Pa /etc/authpf/authpf.rules
546example below, the remote user could tunnel a remote desktop session to their
547workstation:
548.Bd -literal
549internal_if="bge0"
550workstation_ip="10.2.3.4"
551
552pass out on $internal_if from (self) to $workstation_ip port 3389 \e
553       user $user_id
554.Ed
555.Sh FILES
556.Bl -tag -width "/etc/authpf/authpf.conf" -compact
557.It Pa /etc/authpf/authpf.conf
558.It Pa /etc/authpf/authpf.allow
559.It Pa /etc/authpf/authpf.rules
560.It Pa /etc/authpf/authpf.message
561.It Pa /etc/authpf/authpf.problem
562.El
563.Sh SEE ALSO
564.Xr pf 4 ,
565.Xr fdescfs 5 ,
566.Xr pf.conf 5 ,
567.Xr securelevel 7 ,
568.Xr ftp-proxy 8
569.Sh HISTORY
570The
571.Nm
572program first appeared in
573.Ox 3.1 .
574.Sh BUGS
575Configuration issues are tricky.
576The authenticating
577.Xr ssh 1
578connection may be secured, but if the network is not secured the user may
579expose insecure protocols to attackers on the same network, or enable other
580attackers on the network to pretend to be the user by spoofing their IP
581address.
582.Pp
583.Nm
584is not designed to prevent users from denying service to other users.
585