xref: /freebsd/contrib/pf/authpf/authpf.8 (revision acd3428b7d3e94cef0e1881c868cb4b131d4ff41) 
1.\" $FreeBSD$
2.\" $OpenBSD: authpf.8,v 1.38 2005/01/04 09:57:04 jmc Exp $
3.\"
4.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>.  All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\"    derived from this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.Dd March 28, 2006
29.Dt AUTHPF 8
30.Os
31.Sh NAME
32.Nm authpf
33.Nd authenticating gateway user shell
34.Sh SYNOPSIS
35.Nm authpf
36.Sh DESCRIPTION
37.Nm
38is a user shell for authenticating gateways.
39It is used to change
40.Xr pf 4
41rules when a user authenticates and starts a session with
42.Xr sshd 8
43and to undo these changes when the user's session exits.
44It is designed for changing filter and translation rules for an individual
45source IP address as long as a user maintains an active
46.Xr ssh 1
47session.
48Typical use would be for a gateway that authenticates users before
49allowing them Internet use, or a gateway that allows different users into
50different places.
51.Nm
52logs the successful start and end of a session to
53.Xr syslogd 8 .
54This, combined with properly set up filter rules and secure switches,
55can be used to ensure users are held accountable for their network traffic.
56.Pp
57.Nm
58can add filter and translation rules using the syntax described in
59.Xr pf.conf 5 .
60.Nm
61requires that the
62.Xr pf 4
63system be enabled and a
64.Xr fdescfs 5
65file system be mounted at
66.Pa /dev/fd
67before use.
68.Nm
69can also maintain the list of IP address of connected users
70in the "authpf_users"
71.Pa table .
72.Pp
73.Nm
74is meant to be used with users who can connect via
75.Xr ssh 1
76only.
77On startup,
78.Nm
79retrieves the client's connecting IP address via the
80.Ev SSH_CLIENT
81environment variable and, after performing additional access checks,
82reads a template file to determine what filter and translation rules
83(if any) to add.
84On session exit the same rules that were added at startup are removed.
85.Pp
86Each
87.Nm
88process stores its rules in a separate ruleset inside a
89.Xr pf 4
90.Pa anchor
91shared by all
92.Nm
93processes.
94By default, the
95.Pa anchor
96name "authpf" is used, and the ruleset names equal the username and PID of the
97.Nm
98processes as "username(pid)".
99The following rules need to be added to the main ruleset
100.Pa /etc/pf.conf
101in order to cause evaluation of any
102.Nm
103rules:
104.Bd -literal -offset indent
105nat-anchor "authpf/*"
106rdr-anchor "authpf/*"
107binat-anchor "authpf/*"
108anchor "authpf/*"
109.Ed
110.Pp
111The "/*" at the end of the anchor name is required for
112.Xr pf 4
113to process the rulesets attached to the anchor by
114.Nm authpf .
115.Sh FILTER AND TRANSLATION RULES
116Filter and translation rules for
117.Nm
118use the same format described in
119.Xr pf.conf 5 .
120The only difference is that these rules may (and probably should) use
121the macro
122.Em user_ip ,
123which is assigned the connecting IP address whenever
124.Nm
125is run.
126Additionally, the macro
127.Em user_id
128is assigned the user name.
129.Pp
130Filter and translation rules are stored in a file called
131.Pa authpf.rules .
132This file will first be searched for in
133.Pa /etc/authpf/users/$USER/
134and then in
135.Pa /etc/authpf/ .
136Only one of these files will be used if both are present.
137.Pp
138Per-user rules from the
139.Pa /etc/authpf/users/$USER/
140directory are intended to be used when non-default rules
141are needed on an individual user basis.
142It is important to ensure that a user can not write or change
143these configuration files.
144.Pp
145The
146.Pa authpf.rules
147file must exist in one of the above locations for
148.Nm
149to run.
150.Sh CONFIGURATION
151Options are controlled by the
152.Pa /etc/authpf/authpf.conf
153file.
154If the file is empty, defaults are used for all
155configuration options.
156The file consists of pairs of the form
157.Li name=value ,
158one per line.
159Currently, the allowed values are as follows:
160.Bl -tag -width Ds
161.It anchor=name
162Use the specified
163.Pa anchor
164name instead of "authpf".
165.It table=name
166Use the specified
167.Pa table
168name instead of "authpf_users".
169.El
170.Sh USER MESSAGES
171On successful invocation,
172.Nm
173displays a message telling the user he or she has been authenticated.
174It will additionally display the contents of the file
175.Pa /etc/authpf/authpf.message
176if the file exists and is readable.
177.Pp
178There exist two methods for providing additional granularity to the control
179offered by
180.Nm
181- it is possible to set the gateway to explicitly allow users who have
182authenticated to
183.Xr ssh 1
184and deny access to only a few troublesome individuals.
185This is done by creating a file with the banned user's login name as the
186filename in
187.Pa /etc/authpf/banned/ .
188The contents of this file will be displayed to a banned user, thus providing
189a method for informing the user that they have been banned, and where they can
190go and how to get there if they want to have their service restored.
191This is the default behaviour.
192.Pp
193It is also possible to configure
194.Nm
195to only allow specific users access.
196This is done by listing their login names, one per line, in
197.Pa /etc/authpf/authpf.allow .
198If "*" is found on a line, then all usernames match.
199If
200.Nm
201is unable to verify the user's permission to use the gateway, it will
202print a brief message and die.
203It should be noted that a ban takes precedence over an allow.
204.Pp
205On failure, messages will be logged to
206.Xr syslogd 8
207for the system administrator.
208The user does not see these, but will be told the system is unavailable due to
209technical difficulties.
210The contents of the file
211.Pa /etc/authpf/authpf.problem
212will also be displayed if the file exists and is readable.
213.Sh CONFIGURATION ISSUES
214.Nm
215maintains the changed filter rules as long as the user maintains an
216active session.
217It is important to remember however, that the existence
218of this session means the user is authenticated.
219Because of this, it is important to configure
220.Xr sshd 8
221to ensure the security of the session, and to ensure that the network
222through which users connect is secure.
223.Xr sshd 8
224should be configured to use the
225.Ar ClientAliveInterval
226and
227.Ar ClientAliveCountMax
228parameters to ensure that a ssh session is terminated quickly if
229it becomes unresponsive, or if arp or address spoofing is used to
230hijack the session.
231Note that TCP keepalives are not sufficient for
232this, since they are not secure.
233Also note that
234.Ar AllowTcpForwarding
235should be disabled for
236.Nm
237users to prevent them from circumventing restrictions imposed by the
238packet filter ruleset.
239.Pp
240.Nm
241will remove state table entries that were created during a user's
242session.
243This ensures that there will be no unauthenticated traffic
244allowed to pass after the controlling
245.Xr ssh 1
246session has been closed.
247.Pp
248.Nm
249is designed for gateway machines which typically do not have regular
250(non-administrative) users using the machine.
251An administrator must remember that
252.Nm
253can be used to modify the filter rules through the environment in
254which it is run, and as such could be used to modify the filter rules
255(based on the contents of the configuration files) by regular
256users.
257In the case where a machine has regular users using it, as well
258as users with
259.Nm
260as their shell, the regular users should be prevented from running
261.Nm
262by using the
263.Pa /etc/authpf/authpf.allow
264or
265.Pa /etc/authpf/banned/
266facilities.
267.Pp
268.Nm
269modifies the packet filter and address translation rules, and because
270of this it needs to be configured carefully.
271.Nm
272will not run and will exit silently if the
273.Pa /etc/authpf/authpf.conf
274file does not exist.
275After considering the effect
276.Nm
277may have on the main packet filter rules, the system administrator may
278enable
279.Nm
280by creating an appropriate
281.Pa /etc/authpf/authpf.conf
282file.
283.Sh EXAMPLES
284.Sy Control Files
285\- To illustrate the user-specific access control
286mechanisms, let us consider a typical user named bob.
287Normally, as long as bob can authenticate himself, the
288.Nm
289program will load the appropriate rules.
290Enter the
291.Pa /etc/authpf/banned/
292directory.
293If bob has somehow fallen from grace in the eyes of the
294powers-that-be, they can prohibit him from using the gateway by creating
295the file
296.Pa /etc/authpf/banned/bob
297containing a message about why he has been banned from using the network.
298Once bob has done suitable penance, his access may be restored by moving or
299removing the file
300.Pa /etc/authpf/banned/bob .
301.Pp
302Now consider a workgroup containing alice, bob, carol and dave.
303They have a
304wireless network which they would like to protect from unauthorized use.
305To accomplish this, they create the file
306.Pa /etc/authpf/authpf.allow
307which lists their login ids, one per line.
308At this point, even if eve could authenticate to
309.Xr sshd 8 ,
310she would not be allowed to use the gateway.
311Adding and removing users from
312the work group is a simple matter of maintaining a list of allowed userids.
313If bob once again manages to annoy the powers-that-be, they can ban him from
314using the gateway by creating the familiar
315.Pa /etc/authpf/banned/bob
316file.
317Though bob is listed in the allow file, he is prevented from using
318this gateway due to the existence of a ban file.
319.Pp
320.Sy Distributed Authentication
321\- It is often desirable to interface with a
322distributed password system rather than forcing the sysadmins to keep a large
323number of local password files in sync.
324The
325.Xr login.conf 5
326mechanism in
327.Ox
328can be used to fork the right shell.
329To make that happen,
330.Xr login.conf 5
331should have entries that look something like this:
332.Bd -literal -offset indent
333shell-default:shell=/bin/csh
334
335default:\e
336	...
337	:shell=/usr/sbin/authpf
338
339daemon:\e
340	...
341	:shell=/bin/csh:\e
342	:tc=default:
343
344staff:\e
345	...
346	:shell=/bin/csh:\e
347	:tc=default:
348.Ed
349.Pp
350Using a default password file, all users will get
351.Nm
352as their shell except for root who will get
353.Pa /bin/csh .
354.Pp
355.Sy SSH Configuration
356\- As stated earlier,
357.Xr sshd 8
358must be properly configured to detect and defeat network attacks.
359To that end, the following options should be added to
360.Xr sshd_config 5 :
361.Bd -literal -offset indent
362Protocol 2
363ClientAliveInterval 15
364ClientAliveCountMax 3
365.Ed
366.Pp
367This ensures that unresponsive or spoofed sessions are terminated within a
368minute, since a hijacker should not be able to spoof ssh keepalive messages.
369.Pp
370.Sy Banners
371\- Once authenticated, the user is shown the contents of
372.Pa /etc/authpf/authpf.message .
373This message may be a screen-full of the appropriate use policy, the contents
374of
375.Pa /etc/motd
376or something as simple as the following:
377.Bd -literal -offset indent
378This means you will be held accountable by the powers that be
379for traffic originating from your machine, so please play nice.
380.Ed
381.Pp
382To tell the user where to go when the system is broken,
383.Pa /etc/authpf/authpf.problem
384could contain something like this:
385.Bd -literal -offset indent
386Sorry, there appears to be some system problem. To report this
387problem so we can fix it, please phone 1-900-314-1597 or send
388an email to remove@bulkmailerz.net.
389.Ed
390.Pp
391.Sy Packet Filter Rules
392\- In areas where this gateway is used to protect a
393wireless network (a hub with several hundred ports), the default rule set as
394well as the per-user rules should probably allow very few things beyond
395encrypted protocols like
396.Xr ssh 1 ,
397.Xr ssl 8 ,
398or
399.Xr ipsec 4 .
400On a securely switched network, with plug-in jacks for visitors who are
401given authentication accounts, you might want to allow out everything.
402In this context, a secure switch is one that tries to prevent address table
403overflow attacks.
404.Pp
405Example
406.Pa /etc/pf.conf :
407.Bd -literal
408# by default we allow internal clients to talk to us using
409# ssh and use us as a dns server.
410internal_if="fxp1"
411gateway_addr="10.0.1.1"
412nat-anchor "authpf/*"
413rdr-anchor "authpf/*"
414binat-anchor "authpf/*"
415block in on $internal_if from any to any
416pass in quick on $internal_if proto tcp from any to $gateway_addr \e
417      port = ssh
418pass in quick on $internal_if proto udp from any to $gateway_addr \e
419      port = domain
420anchor "authpf/*"
421.Ed
422.Pp
423.Sy For a switched, wired net
424\- This example
425.Pa /etc/authpf/authpf.rules
426makes no real restrictions; it turns the IP address on and off, logging
427TCP connections.
428.Bd -literal
429external_if = "xl0"
430internal_if = "fxp0"
431
432pass in log quick on $internal_if proto tcp from $user_ip to any \e
433      keep state
434pass in quick on $internal_if from $user_ip to any
435.Ed
436.Pp
437.Sy For a wireless or shared net
438\- This example
439.Pa /etc/authpf/authpf.rules
440could be used for an insecure network (such as a public wireless network) where
441we might need to be a bit more restrictive.
442.Bd -literal
443internal_if="fxp1"
444ipsec_gw="10.2.3.4"
445
446# rdr ftp for proxying by ftp-proxy(8)
447rdr on $internal_if proto tcp from $user_ip to any port 21 \e
448      -> 127.0.0.1 port 8081
449
450# allow out ftp, ssh, www and https only, and allow user to negotiate
451# ipsec with the ipsec server.
452pass in log quick on $internal_if proto tcp from $user_ip to any \e
453      port { 21, 22, 80, 443 } flags S/SA
454pass in quick on $internal_if proto tcp from $user_ip to any \e
455      port { 21, 22, 80, 443 }
456pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
457      keep state
458pass in quick proto esp from $user_ip to $ipsec_gw
459.Ed
460.Pp
461.Sy Dealing with NAT
462\- The following
463.Pa /etc/authpf/authpf.rules
464shows how to deal with NAT, using tags:
465.Bd -literal
466ext_if = "fxp1"
467ext_addr = 129.128.11.10
468int_if = "fxp0"
469# nat and tag connections...
470nat on $ext_if from $user_ip to any tag $user_ip -> $ext_addr
471pass in quick on $int_if from $user_ip to any
472pass out log quick on $ext_if tagged $user_ip keep state
473.Ed
474.Pp
475With the above rules added by
476.Nm ,
477outbound connections corresponding to each users NAT'ed connections
478will be logged as in the example below, where the user may be identified
479from the ruleset name.
480.Bd -literal
481# tcpdump -n -e -ttt -i pflog0
482Oct 31 19:42:30.296553 rule 0.bbeck(20267).1/0(match): pass out on fxp1: \e
483129.128.11.10.60539 > 198.137.240.92.22: S 2131494121:2131494121(0) win \e
48416384 <mss 1460,nop,nop,sackOK> (DF)
485.Ed
486.Pp
487.Sy Using the authpf_users table
488\- Simple
489.Nm
490settings can be implemented without an anchor by just using the "authpf_users"
491.Pa table .
492For example, the following
493.Xr pf.conf 5
494lines will give SMTP and IMAP access to logged in users:
495.Bd -literal
496table <authpf_users> persist
497pass in on $ext_if proto tcp from <authpf_users> \e
498        to port { smtp imap } keep state
499.Ed
500.Pp
501It is also possible to use the "authpf_users"
502.Pa table
503in combination with anchors.
504For example,
505.Xr pf 4
506processing can be sped up by looking up the anchor
507only for packets coming from logged in users:
508.Bd -literal
509table <authpf_users> persist
510anchor "authpf/*" from <authpf_users>
511rdr-anchor "authpf/*" from <authpf_users>
512.Ed
513.Sh FILES
514.Bl -tag -width "/etc/authpf/authpf.conf" -compact
515.It Pa /etc/authpf/authpf.conf
516.It Pa /etc/authpf/authpf.allow
517.It Pa /etc/authpf/authpf.rules
518.It Pa /etc/authpf/authpf.message
519.It Pa /etc/authpf/authpf.problem
520.El
521.Sh SEE ALSO
522.Xr pf 4 ,
523.Xr pf.conf 5 ,
524.Xr fdescfs 5 ,
525.Xr ftp-proxy 8
526.Sh HISTORY
527The
528.Nm
529program first appeared in
530.Ox 3.1 .
531.Sh BUGS
532Configuration issues are tricky.
533The authenticating
534.Xr ssh 1
535connection may be secured, but if the network is not secured the user may
536expose insecure protocols to attackers on the same network, or enable other
537attackers on the network to pretend to be the user by spoofing their IP
538address.
539.Pp
540.Nm
541is not designed to prevent users from denying service to other users.
542