Contributed by Dengue on from the adding-granulairity-to-access-control dept.
"How many times have you wished you could enable and disable internet access by USER, not workstation IP address? A new feature has quietly been introduced for OpenBSD 3.1, authpf. Check out the commit message, by Bob Beck:

------------------------
CVSROOT: /cvs
Module name: src
Changes by: beck@cvs.openbsd.org 2002/04/01 10:43:42

Added files:
usr.sbin/authpf: Makefile authpf.8 authpf.c pathnames.h

Log message:
authpf - authenticating gateway shell for use with ssh(1) to make authenticating gateway type firewalls.

caveats - needs to be setuid to operate (but does not install that way) consult the man page for configuration issues.
------------------------

Check out: http://www.openbsd.org/cgi-bin/man.cgi?query=authpf&sektion=8

Short version: As a user authenticates using ssh, authpf will alter the PF (and NAT) rules as desired for that user on the node that user is on. When the user logs out, the PF rules are reverted back to as they were before the user logged in, and all the states they had are killed.

Think about some of the possibilities:
- Keep your wireless access for your users, and not anyone driving by with a laptop.
- Permit internet access only to selected people in your office, or restricted based on who they are, not where they sit.
- Permit field users to have access to internal services, with the filters following them as they authenticate, rather than having to be preconfigured. Great for people from locations with dynamic addresses or people traveling.

This is really nifty, I think."
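The following is an added example, not part of the original story and not taken from the OpenBSD project's own documentation, showing the mechanism the "Short version" above describes: a gateway that blocks a wireless segment by default, lets unauthenticated hosts reach only the gateway's sshd, and loads per-user rules into an anchor for the duration of an authpf session. It assumes the anchor and macro syntax of current authpf(8) and pf.conf(5) (the `authpf/*` anchor, the `$user_ip` and `$user_id` macros and the `authpf_users` table), which is not the syntax of the OpenBSD 3.1 release the commit refers to; the interface names and networks are constructed.

```pf
# /etc/pf.conf (constructed example; interface names and addresses are assumptions)
ext_if  = "em0"
wifi_if = "athn0"
wifi_net = "10.10.0.0/24"

# authpf(8) adds the address of each authenticated user to this table
# and removes it again when that user's ssh session ends.
table <authpf_users> persist

set skip on lo

# Default deny: nothing from the wireless segment crosses the gateway
# until a user has authenticated.
block log all

# Unauthenticated hosts may only reach sshd on the gateway itself,
# which is where authpf runs as the user's login shell.
pass in quick on $wifi_if proto tcp from $wifi_net to ($wifi_if) port ssh

# NAT for whatever the per-user rules below let through.
match out on $ext_if from $wifi_net nat-to ($ext_if)

# authpf loads /etc/authpf/authpf.rules into a sub-anchor named after the
# user and session (authpf/user(pid)) at login, and flushes that anchor and
# kills the user's states at logout, which is the revert the story describes.
anchor "authpf/*"

# Let the gateway itself talk out.
pass out on $ext_if from ($ext_if) to any


# /etc/authpf/authpf.rules (constructed example)
# Macros from pf.conf are not visible here, so define what the rules need.
# $user_ip and $user_id are supplied by authpf for the session owner.
wifi_if = "athn0"
ext_if  = "em0"

# Only the authenticated user's address gets through, and only while
# the session that loaded these rules is alive.
pass in quick on $wifi_if from $user_ip to any
pass out quick on $ext_if from $user_ip to any
```

To put a user on this gateway, set their login shell to /usr/sbin/authpf (which must be listed in /etc/shells) and, if you want an explicit allow-list, name them in /etc/authpf/authpf.allow. While a session is open, `pfctl -a 'authpf/*' -sr` shows the per-user rules currently loaded and `pfctl -t authpf_users -T show` the addresses authpf has admitted; after the ssh session closes both should be empty again, which is the check worth running before trusting the setup.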
By Kint () kint@lysander.mine.nu on mailto:kint@lysander.mine.nu
This is the kind of stuff that makes me so proud to use OpenBSD.
By ernie () on
What would be cooler is if you could do it with an SSL web server ... then just make it the IE start page, and you're set ... not sure about expiry though, maybe a job that checks traffic or something, run out of cron? Or just say, 8 hours, then they get timed out ...
By Anonymous () none@none.com on mailto:none@none.com
By Isak Lyberth () ily@cip-global.com on mailto:ily@cip-global.com
i would like that
By Anonymous Coward () on
By Ben Goren () ben@trumpetpower.com on http://www.trumpetpower.com/
Any way this could be applied on a per-application basis, rather than just per-user?
What I'm thinking: many Windows computers have problems with spyware programs that phone home. Some Windows "personal firewall" programs patch the local network stack so they can grant or deny network access on a per-application basis. You could, for example, allow Netscape to make connections on TCP port 443 but prevent IE from doing so.
I can't immediately envision a way of using authpf to accomplish this. I'd be interested in hearing from somebody with more imagination or knowledge about it....
b&
By nchriss () nchriss at strife dot org on mailto:nchriss at strife dot org
By hyrax () dneufert at hotmail dot com on mailto:dneufert at hotmail dot com
By Anonymous Coward () on
Just out of curiosity, any obsd gurus planning on making some stable patches for this available?
By FJ () on
http://www.openbsd.org/papers/authgw-paper.ps
And a link for you who don't read .ps
http://216.239.39.100/search?q=cache:ncJ73bd_huMC:www.openbsd.org/papers/authgw-paper.ps+authgw+openbsd&hl=sv
By Roo () on
Careless admins will get burnt (as ever), but in this case they are pretty much unprotected from themselves... That's if I'm understanding how it works properly...