OpenBSD Journal

ISAKMP, user and group-level management a b x y z

Contributed by Dengue on from the pki dept.

Null asks : "While thinking about the implemention of a VPN structure I found myself with a problem. I already managed to put in production use a VPN network based on OpenBSD's isakmpd with x509 certificates, but what about the mobile users? In this case, it is important to authenticate not only the machine, but also the user. What suggestions does anyone have for user and group-level authentication? What would be really handy in my situation is an external authentication server (ldap)and a way to specify user(group) based access rules for the mobile users."

(Comments are closed)

  1. By Jared Solomon () on

    A couple of months ago, there was a posting here, and to a couple of other places (through Daemonnews perhaps?) about NASA having done something akin to this using openssh and openssl. I'm not sure if they did x.509

    However, it should come up if you STW.

  2. By Marco Brigham () on

    Well, you can issue x509 certificates to your users and have them associate a password to encrypt the corresponding private key. This certificate identifies the user to your isakmpd gateway.

    You can specify the SAs a certain users' DN can establish (i.e. cert 1 can access host A and host B whereas cert 2 can access the whole subnet).

    On the latest isakmpd build, if the users' IPSEC client supports "Virtual Identity", you can associate a certificate's DN to a certain (private) IP and supply name server and WINS configuration. This allows you to further tighten your security by limiting access based on source IP.

    User management seems to be rather manual; you have to insert each user certificate's DN and corresponding IP address in the configuration files. (If someone knows about an alternative way to-do this, please tell me...).

    I have a VPN gateway set-up this way. Works as advertised ; )

    Hope this helps.

    Kind regards,

    Marco Brigham

  3. By Boris () on

    Well you could write a custom auth.
    Assuming you are familiar with setuid proggies, it is not as hard as it looks, especially 2.9 and above: This layer you look for inserting your own auth already exists in OpenBSD.

    You'd stuff your custom auth proggy in /usr/lib/auth/login_-vpnslap (04555),
    Creating a new sort of auth capability.
    in openbsd, you can have a per-user authentication
    class, which is build in the user dbs, maiking it possible to test new auth classes
    on live boxes without messing other users.
    in /etc/login.conf, add a new class with
    auth as '-vpnslap'.

    For prototyping or even live stuff, to build
    faster you can use perl. Use the -T in perl,
    and may be clear out ENV{PATH} and some, then
    sprinkle around some lines like
    ($user) = $user =~ /A([^w-]+)z/s etc.
    you can use the Net::LDAP module.

    Check out login.conf (5) who tells all
    the syntax and many details for those custom auth.
    also setlogin (2), login_cap (3), authenticate (3) etc.

    If you done, post the work somewhere.

    All best,

  4. By Philipp Buehler () on

    If you could use HW Tokens and some X.509 structure, you could get some thoughts from this


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]