OpenBSD Journal

Firewall authentication

Contributed by jose on from the authentication dept.

Alexandre Belloni writes: "At my new job, I had to make a firewall that supports Active Directory authentication to allow user going to internet. This was to replace an old watchguard firebox II. So, I made a little PHP script that does the same as the watchguard. This script is available from Please, feel free to make any comment on it."

This looks pretty neat and useful, and probably easier on users than the SSH based authpf we normally talk about.

(Comments are closed)

  1. By inet65535 () on

    I am replacing a watchdog firewall next month and was trying to figure a way to do this. Excellent timing, I'm excited to try this. Great Job!!!

  2. By Mike () on

    I cannot get to the site. Is it down? Is there a mirror?

    1. By Anonymous Coward () on

      It works perfectly for me. Maybe try another/no proxy server?

    2. By Ben () on

      I cannot get to the site. Is it down? Is there a mirror? Maybe you need to log in to your firewall in order to view it. ;)

    3. By Alexandre Belloni () on

      Maybe, you are using ipv6, if so try

      I'm sorry my apache doesn't listen to ipv6 yet.

    4. By Alexandre Belloni () on

      I meant
      so you won't be bothered by the ipv6 dns reply :)

    5. By Mike () on

      I was able to access it from an outside computer so all is well now. I suppose I should have kept my mouth shut before doing more testing.

  3. By Anonymous Coward () on


  4. By Anonymous Coward () on

    I thought this was a site about OpenBSD? You know, that OS with integrated cryptography, to avoid exactly this kind of dumb shit?

    1. By Alexandre Belloni () on

      That is warned about in the README. Feel free to use HTTPS and use Kerberos with Active Directory so you will avoid plain text passwords. Then, please send me a patch, as I don't want to spend more time on Windows/OpenBSD interoperability right now.

      1. By Anonymous Coward () on

        Dude, it's great work! Can't satisfy them all.

        1. By Anon Y Mouse () on

          LOL, I'm not sure why you would use kerberos
          when LDAP has an SSL standard?

          Gen up two openssl certs and go to town.

    2. By Anonymous Coward () on

      What's wrong with HTTPS ?

      1. By Anonymous Coward () on

        My sentiments exactly!

      2. By Alexandre Belloni () on

        The fact is that although you have HTTPS between the client and the firewall, the firewall still uses plain text passwords to communicate with the Active Directory server. I have been told it is possible to use Kerberos with Active Directory; maybe I will try it when I have some time.

        1. By Anon Y Mouse () on

          I don't think you understand me --

          Microsoft's Active Directory HAS LDAP already implemented, including SSL encrypted LDAP.

          Thus, the need for Kerberos is obviated.

          The PHP script should instead try to authenticate
          to the AD via an SSL encrypted LDAP call.

          No Kerberos required. Capiche?

          1. By Anonymous Coward () on

            thanks for the URL and capiche!

            Thank you code writer dude for writing the totally kewl program

          2. By Alexandre Belloni () on

            Ok, I didn't know that. I don't know a lot about AD. I just heard that I could use Kerberos to avoid plain text passwords. Thanks for the link, I will try to improve this script.

            1. By Anonymous Coward () on

              Keep us posted if possible. I'd love to see more progress on this.

        2. By philipp () on

          and then there is always the point of
          having dedicated, physical subnets (like
          crossover cable between firewall and auth-server)
          - sniff that, kid!

          (if one can physically reach that cable, you
          already have different issues :) )


      3. By Anonymous Coward () on

    3. By Anonymous Coward () on

      what a great post. Direct and of course polite.
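The thread above argues that even with HTTPS in front of the firewall, the PHP script still hands the user's password to Active Directory in the clear, and that an SSL/TLS-encrypted LDAP bind fixes that without Kerberos. The following is an added example written for this page, not code from the script being discussed; the domain controller hostname, the NetBIOS domain name and the CA trust setup in ldap.conf are assumptions.

```php
<?php
// Added example: authenticate a user against Active Directory with a simple
// bind over LDAPS so the password never crosses the wire in clear text.
// Host and domain below are placeholders, not from the original script.

function ad_authenticate(string $user, string $password): bool {
    $host   = 'ldaps://dc.example.internal';   // assumption: domain controller, LDAPS on 636
    $domain = 'EXAMPLE';                        // assumption: NetBIOS domain for DOMAIN\user binds

    // An empty password makes LDAP perform an anonymous/unauthenticated bind
    // that can "succeed"; reject it (and odd user names) before any bind.
    if ($user === '' || $password === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
        return false;
    }

    // Demand a verifiable server certificate; otherwise the TLS session can be
    // intercepted and the password read anyway. Assumes the issuing CA is
    // configured via TLS_CACERT in ldap.conf (this option is global, hence null).
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($host);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // AD referrals break simple binds otherwise

    // Simple bind: the credential itself is the proof, which is exactly why
    // the transport has to be encrypted end to end.
    $ok = @ldap_bind($ds, $domain . '\\' . $user, $password);
    if (!$ok) {
        // Log the failure for detection; never log the password itself.
        error_log('AD bind failed for ' . $user . ': ' . ldap_error($ds));
    }
    ldap_close($ds);
    return $ok;
}
```

Using `ldap://` with `ldap_start_tls()` before the bind achieves the same on port 389; what matters is that the bind happens only after TLS is up and the certificate has been verified.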

  5. By Raymond () on


    I agree that digest and HTTPS are better solutions. I've rewritten authpf into nph-authpf.cgi so it can also be used with digest.
    Some other features:
    - Will run chrooted
    - Will check if the starter is the web user.

    Even now, I'm not 100% convinced this is the way to go, although it's a lot better than the solutions provided by Nokia or Cisco.


    1. By Anonymous Coward () on

      Could you provide a url to your project?


      1. By Raymond () on

        Doesn't have one yet, give me a week and I'll post it here.

        1. By earx () on

          1. By Anonymous Coward () on

            This is why it's important to use SSL and to personally demonstrate how the login process works.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.