OpenBSD Journal

Authpf makes an appearance

Contributed by Dengue on from the adding-granulairity-to-access-control dept.

Nick Holland writes :
"How many times have you wished you could enable and disable internet access by USER, not workstation IP address?

A new feature has quietly been introduced for OpenBSD 3.1, authpf. Check out the commit message, by Bob Beck:

CVSROOT:        /cvs
Module name:    src
Changes by:    2002/04/01 10:43:42

Added files:
        usr.sbin/authpf: Makefile authpf.8 authpf.c pathnames.h 

Log message:
authpf - authenticating gateway shell for use with ssh(1) to make
authenticating gateway type firewalls.

caveats - needs to be setuid to opertate (but does not install that way)
consult the man page for configuration issues.
Check out:

Short version: As a user authenticates using ssh, authpf will alter the PF (and NAT) rules as desired for that user on the node that user is on. When the user logs out, the PF rules are reverted back to as they were before the user logged in, and all the states they had are killed.

Think about some of the possibilities:

  • Keep your wireless access for your users, and not anyone driving by with a laptop.
  • Permit internet access only to selected people in your office, or restricted based on who they are, not where they sit.
  • Permit field users to have access to internal services, with the filters following them as they authenticate, rather than having to be preconfigured. Great for people from locations with dynamic addresses or people traveling.
This is really nifty, I think."

(Comments are closed)

  1. By Kint () on

    This is more than nifty, I think. This is f***ing awesome!

    This is the kind of stuff that makes me so proud to use OpenBSD.

  2. By Kint () on

    This is more than nifty, I think. This is f***ing awesome!

    This is the kind of stuff that makes me so proud to use OpenBSD.

  3. By ernie () on

    At first i thought this rocked. but now I see some problems with it, unless I'm misunderstanding. The client requires an SSH client, and they need to stay connected (I guess this isn't a huge deal, but I can see people complaining, and they just closed the window, logging them out).

    What would be cooler is if you could do it with an SSL web server ... then just make it the IE start page, and you're set ... not sure about expiry though, maybe a job that checks traffic or something, run out of cron? Or just say, 8 hours, then they get timed out ...

  4. By Anonymous () on

    I think tying a userland program (ssh) into the kernel in any way is the worst idea since the jump to conclusions mat. I think this is opening up OpenBSD to all types of potential new security problems. I also think, while filtering based on IP isn't quite as 'hip' as filtering based on user, at least it is reasonably secure. Yes, this has some advantages but I think I agree that client side certs with SSL may have been cooler. My 2c.

  5. By Isak Lyberth () on

    could this maybe be used as an local who's online thing, like icq? or a pay pr time online thing
    i would like that

  6. By Anonymous Coward () on

    I've been planning to implement an administration server whereby admins in our company can login to one machine and then get access to their specific machines. authpf gives me new flexibility.

  7. By Ben Goren () on

    Any way this could be applied on a per-application basis, rather than just per-user?

    What I'm thinking: many Windows computers have problems with spyware programs that phone home. Some Windows ``personal firewall'' programs patch the local network stack so they can grant or deny network access on a per-application basis. You could, for example, allow Netscape to make connections on TCP port 443 but prevent IE from doing so.

    I can't immediately envision a way of useing authpf to accomplish this. I'd be interested in hearing from somebody with more imagination or knowledge about it....


  8. By nchriss () nchriss at strife dot org on mailto:nchriss at strife dot org

    I'm aware the mechanisms are different and maybe someone's working on something similar but.. could this be extended to OpenBSDs IPSec functionality to allow access by user & IP? Simple VPN client? This is something plenty of commercial vendors offer that I thought would be really nice for openbsd? I guess it would be more of an isakmpkd hack than anything... any thoughts?

  9. By hyrax () dneufert at hotmail dot com on mailto:dneufert at hotmail dot com

    I think that the best way to do tge authentication to this athpf is trought a module like pam! I will gives you the power to do everything you want about authentication.

  10. By Anonymous Coward () on

    So how long before we can start using this with a stable branch? I'm not completely sure but 3.0 was released last December so we can expect 3.1 by June?

    Just out of curiosity, any obsd gurus planning on making some stable patches for this available?

  11. By FJ () on

    Almost the same solution but based on telnet.

    And a link for you who donīt read .ps

  12. By Roo () on

    I know you can use file ownership & permissions to prevent people from monkeying with their local config file... But I'd rather see the permissions be centrally controlled... It just strikes me as dangerous because you have to trust people... :)

    Careless admins will get burnt (as ever), but in this case they are pretty much unprotected from themselves... That's if I'm understanding how it works properly...


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]