Contributed by Dengue on from the pki dept.
OpenBSD Journal
By Jared Solomon (jsolomon@inebraska.com)
However, it should come up if you STW.
http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html
By Marco Brigham (marco.brigham@advalvas.be)
You can specify the SAs a certain user's DN can establish (i.e. cert 1 can access host A and host B, whereas cert 2 can access the whole subnet).
On the latest isakmpd build, if the user's IPsec client supports "Virtual Identity", you can associate a certificate's DN with a certain (private) IP and supply name server and WINS configuration. This allows you to further tighten your security by limiting access based on source IP.
User management seems to be rather manual; you have to insert each user certificate's DN and corresponding IP address in the configuration files. (If someone knows about an alternative way to do this, please tell me...)
I have a VPN gateway set up this way. Works as advertised ; )
Hope this helps.
Kind regards,
Marco Brigham
By Boris (http://RootR.net)
Assuming you are familiar with setuid proggies, it is not as hard as it looks, especially on 2.9 and above: the layer you are looking for, to insert your own auth, already exists in OpenBSD.
You'd stuff your custom auth proggy in /usr/lib/auth/login_-vpnslap (04555), creating a new sort of auth capability.
In OpenBSD, you can have a per-user authentication class, which is built into the user databases, making it possible to test new auth classes on live boxes without messing up other users. In /etc/login.conf, add a new class with auth set to '-vpnslap'.
For prototyping or even live stuff, to build faster you can use Perl. Use -T in Perl, and maybe clear out $ENV{PATH} and some others, then sprinkle around some lines like
($user) = $user =~ /\A([\w-]+)\z/s
etc. You can use the Net::LDAP module.
Check out login.conf(5), which tells all the syntax and many details for those custom auths; also setlogin(2), login_cap(3), authenticate(3) etc.
If you're done, post the work somewhere.
All best,
Boris
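The skeleton Boris describes, written out as an added example (not code from the thread or from OpenBSD; Boris suggests Perl with -T, this is Python so that the same steps are visible without taint mode): a login_<style> script is started as `login_<style> [-s service] [-v name=value] user [class]`, runs setuid, must trust nothing from its environment, and answers on the BSD-auth back channel (file descriptor 3) with "authorize" or "reject"; for the "response" service the challenge and response arrive on that same descriptor as two NUL-terminated strings. The directory lookup is a constructed salted-hash table standing in for the Net::LDAP bind; FAKE_DIRECTORY, the usernames and passwords, and the allow-list regex are all assumptions for the example. Only the "login" and "response" services are handled; anything else is rejected.

```python
#!/usr/bin/env python3
"""Minimal BSD-auth style script: login_<style> [-s service] [-v name=value] user [class].

Added example. The directory is a constructed stand-in (FAKE_DIRECTORY), not a real
user database; the allow-list regex and sample users are assumptions.
"""
import hashlib
import hmac
import os
import re
import sys
from getpass import getpass

BACKCHANNEL_FD = 3          # authenticate(3) hands the script fd 3 as the back channel
USERNAME_RE = re.compile(r"\A[a-z_][a-z0-9_-]{0,31}\Z")   # allow-list, like Perl's /\A...\z/


def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the LDAP directory: user -> (salt, sha256(salt + password)).
FAKE_DIRECTORY = {
    "alice": ("k3Qx", _digest("k3Qx", "correct horse")),
    "bob": ("9pLs", _digest("9pLs", "hunter2")),
}


def untaint_user(raw: str):
    """Return the username only if every character is on the allow-list, else None."""
    m = USERNAME_RE.match(raw)
    return m.group(0) if m else None


def safe_environment() -> dict:
    """The environment a setuid auth script should run with: nothing inherited from the caller."""
    return {"PATH": "/bin:/usr/bin"}


def parse_args(argv):
    """Parse login_<style> [-s service] [-v name=value] ... user [class]."""
    service, options, positional = "login", {}, []
    it = iter(argv)
    for arg in it:
        if arg == "-s":
            service = next(it, None)
        elif arg == "-v":
            name, _, value = (next(it, None) or "").partition("=")
            options[name] = value
        elif arg.startswith("-"):
            raise ValueError("unknown option " + arg)
        else:
            positional.append(arg)
    if service is None or not 1 <= len(positional) <= 2:
        raise ValueError("usage: login_style [-s service] [-v name=value] user [class]")
    return service, options, positional[0], (positional[1] if len(positional) == 2 else None)


def directory_check(user: str, password: str) -> bool:
    """Constant-time compare against the stand-in directory; unknown users still cost a hash."""
    salt, expected = FAKE_DIRECTORY.get(user, ("dummy", _digest("dummy", "")))
    ok = hmac.compare_digest(_digest(salt, password), expected)
    return ok and user in FAKE_DIRECTORY


def split_response(blob: bytes):
    """'response' service: the back channel carries challenge NUL response NUL."""
    parts = blob.split(b"\0")
    if len(parts) < 2:
        raise ValueError("malformed response message")
    return parts[0].decode("utf-8", "replace"), parts[1].decode("utf-8", "replace")


def read_backchannel_response(fd: int = BACKCHANNEL_FD, limit: int = 1024) -> bytes:
    """Read one byte at a time until the second NUL terminator, never past limit bytes."""
    buf, nuls = bytearray(), 0
    while len(buf) < limit:
        b = os.read(fd, 1)
        if not b:
            break
        buf += b
        if b == b"\0":
            nuls += 1
            if nuls == 2:
                break
    return bytes(buf)


def verdict(service: str, raw_user: str, password: str) -> bytes:
    """The line written back on fd 3. Only 'login' and 'response' are implemented here."""
    user = untaint_user(raw_user)
    if user is None or service not in ("login", "response"):
        return b"reject\n"
    return b"authorize\n" if directory_check(user, password) else b"reject\n"


def main(argv) -> int:
    try:
        service, _options, raw_user, _login_class = parse_args(argv)
    except ValueError as err:
        print(err, file=sys.stderr)
        return 1
    os.environ.clear()                      # the Perl "clear out $ENV{PATH}" step
    os.environ.update(safe_environment())
    if service == "response":
        _challenge, password = split_response(read_backchannel_response())
    elif service == "login":
        password = getpass("Password:")     # readpassphrase(3) equivalent on the tty
    else:
        password = ""
    os.write(BACKCHANNEL_FD, verdict(service, raw_user, password))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Everything that decides the outcome (parse_args, untaint_user, directory_check, verdict) is a pure function, so the policy can be exercised without a tty or an fd 3; only main() touches the back channel. Usernames that fail the allow-list are rejected before any directory lookup, which is the point of the untaint line in Boris's sketch.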
By Philipp Buehler (deadly@fips.de)
paper:
http://www.fox-it.com/pdf/x509_isakmp_complete.pdf