Contributed by Dengue on from the adding-granularity-to-access-control dept.
"How many times have you wished you could enable and disable internet access by USER, not workstation IP address?
A new feature has quietly been introduced for OpenBSD 3.1, authpf. Check out the commit message, by Bob Beck:

------------------------
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2002/04/01 10:43:42

Added files:
usr.sbin/authpf: Makefile authpf.8 authpf.c pathnames.h

Log message:
authpf - authenticating gateway shell for use with ssh(1) to make
authenticating gateway type firewalls.

caveats - needs to be setuid to operate (but does not install that way)
consult the man page for configuration issues.
------------------------

Check out: http://www.openbsd.org/cgi-bin/man.cgi?query=authpf&sektion=8
Short version: As a user authenticates using ssh, authpf will alter the PF (and NAT) rules as desired for that user on the node that user is on. When the user logs out, the PF rules are reverted back to as they were before the user logged in, and all the states they had are killed.
Think about some of the possibilities:

- Keep your wireless access for your users, and not anyone driving by with a laptop.
- Permit internet access only to selected people in your office, or restricted based on who they are, not where they sit.
- Permit field users to have access to internal services, with the filters following them as they authenticate, rather than having to be preconfigured. Great for people from locations with dynamic addresses or people traveling.

This is really nifty, I think."
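To make the "filters follow the user" idea concrete, here is an added configuration example (not from the submission, the commit, or the authpf man page quoted above) of the two pieces a gateway needs: a pf.conf that keeps the wireless segment closed except for ssh to the gateway and delegates everything else to an authpf anchor, and the per-user rule template that authpf loads at ssh login and unloads at logout. The interface name and the 192.0.2.1 gateway address are constructed for the example; the `anchor "authpf/*"` wildcard form and the `$user_ip` macro are the syntax of later OpenBSD releases, so assume the details differ on the 3.1 code the post announces and check authpf(8) for the release in use.

```pf
# /etc/pf.conf (excerpt, constructed example)
# The wireless segment is closed by default. authpf loads each user's
# rules into the "authpf" anchor when they log in over ssh and removes
# them at logout, killing that user's states at the same time.
wifi_if = "ath0"                 # assumed interface name
gateway = "192.0.2.1"            # constructed gateway address

# authpf maintains this table: one entry per authenticated user address
table <authpf_users> persist

# Before authentication, the only thing allowed in from wireless is ssh
# to the gateway itself, where the user's login shell is authpf.
block in log on $wifi_if all
pass in on $wifi_if proto tcp from any to $gateway port ssh keep state

# Everything a user is allowed after login comes from the anchor;
# nothing is granted to a station that merely has an address on the segment.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"

# /etc/authpf/authpf.rules (constructed example)
# Template loaded for each authenticated user. authpf substitutes
# $user_ip with the address the ssh session came from (and $user_id /
# $user_name with the account) before handing the rules to pfctl, so
# the permission is bound to the person who authenticated, not to a
# preconfigured workstation address.
wifi_if = "ath0"
pass in quick on $wifi_if from $user_ip to any keep state
```

With this in place the user's login shell is set to /usr/sbin/authpf (the commit installs it under usr.sbin); a successful ssh login adds the rules and the table entry, and closing the session, or the gateway noticing the session has gone, removes both. The `block in log` line on the closed segment is what lets you see unauthenticated stations attempting traffic in pflog, which is the check worth keeping an eye on when first deploying this.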