OpenBSD Journal

Building a PennKey (Kerberos) Authenticated Access Point with OpenBSD

Contributed by grey on from the useful-DIY-project dept.

Thanks again to Jose for pointing out another tutorial: Steven Vitale from the University of Pennsylvania put together this documentation on using OpenBSD as a Kerberos-authenticating wireless access point. He describes how to take advantage of features such as authpf, Kerberos support and Host AP mode.

You can read the document here: http://www.gcrc.upenn.edu/~steve/pennkey_wireless.html

It appears as though Steven did this with OpenBSD 3.2, and the Kerberos information is aimed at the University of Pennsylvania's network. However, it is still a useful guide, complete with pragmatic hardware recommendations; all good things if you are looking to implement this sort of thing yourself.



Comments
  1. By Chas (12.217.90.112) on

    I've only done basic setup of WLANs and I have a few questions:

    Is it correct that you can either use ssh/authpf, or Kerberos? The document seems to indicate that both are not required.

    Can Putty be used as the ssh client, rather than the client used in the document?

    Putty allows port forwarding. Can I dispense with authpf, allow only ssh to the gateway on the wlan, and forward only a web proxy port, perhaps using squid or fwtk-httpgw? This seems to be much simpler, if somewhat limited.

    Is the problem with the incompatible Kerberos key format still in effect with 3.5?

    Are either of the techniques presented in the document at all vulnerable to wardriving/sniffing? No problems with WEP?

    Thanks for helping out a wlan neophyte.

    Comments
    1. By Christopher (65.92.48.36) christopher@themanor.net on

      Is it correct that you can either use ssh/authpf, or Kerberos? The document seems to indicate that both are not required.

      Kerberos is used in place of local passwords, with ssh being the mechanism to login. 3.5 ships with an openssh capable of direct gssapi(kerberos) logins via ssh, so you no longer need to provide a password to the remote machine. (man sshd_config : GSSAPIAuthentication)

      Can Putty be used as the ssh client, rather than the client used in the document?

      Sure.

      Putty allows port forwarding. Can I dispense with authpf, allow only ssh to the gateway on the wlan, and forward only a web proxy port, perhaps using squid or fwtk-httpgw? This seems to be much simpler, if somewhat limited.

      Depends on whether you want to give shell accounts to your users. But now you have to train your users how to set up forwarding with ssh. And you only have proxy for web ... no mail, no private vpn.

      Is the problem with the incompatible Kerberos key format still in effect with 3.5?

      Shouldn't be. 3.2 had heimdal 0.4e, lots has changed since then. 3.4/3.5 both have 0.6.0.

      Are either of the techniques presented in the document at all vulnerable to wardriving/sniffing? No problems with WEP?

      The usual suspects still exist ... man-in-the-middle on ssh unless you already have the host key, and you still have to configure transport security for your traffic, ipsec is built into OpenBSD, and winXP has tolerable support for it as well.

      WEP isn't worth the performance hit. Use ipsec and be guaranteed of end-to-end security on systems you control. Let the wireless do what it's supposed to do: pass packets.

      Comments
      1. By Anonymous Coward (212.202.169.152) on

        with all the talk about insecure wep, i'm curious: how many people actually penetrated a 128-bit (i.e. 104-bit) wep-protected wlan? how long do you have to sniff on a frequented cell to get to the required amount of weak IVs to break the key? we tried at work very hard to break in but did not succeed or even come close to this amount (4000, 10000? IVs, can't remember). it seems that at least the later orinoco firmware patches some of the bigger weaknesses of the IV generation. i always hear that wep is easily crackable (as mentioned in one of the last deadly.org articles) but never see real proofs of that.

        Comments
        1. By Simon (217.157.132.75) on

          I don't know much about WEP, but take a look at AirSnort; it seems to be fairly easy to guess WEP's encrypted password. But I don't know much about it.

    2. By Juanjo (81.203.204.89) on http://blackshell.usebox.net/

      Can Putty be used as the ssh client, rather than the client used in the document?

      I've noticed some problems. PuTTY seems unable to log in to an account without a shell (e.g. you're making an ssh tunnel with /sbin/nologin). That's a problem if you wanna let your users make ssh tunnels without login.

      There's a nice win32 port of openssh, I cannot remember the URL (ask google).

      Putty allows port forwarding. Can I dispense with authpf, allow only ssh to the gateway on the wlan, and forward only a web proxy port, perhaps using squid or fwtk-httpgw? This seems to be much simpler, if somewhat limited.

      I'm using kinda that configuration (squid listening on 127.0.0.1 and ssh tunnels from the wifi lan), but without PuTTY because of the described problem.

    3. By James Holmes (142.161.30.213) on

      ssh determines the authorization method (kerberos, skey, password, etc.) based on the user's login class set in the /etc/master.passwd file (or more accurately the database form of the master.passwd file: pwd.db and spwd.db) and the settings in /etc/login.conf, and this is independent of authpf.
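The lookup James describes (master.passwd class field, then the login.conf record and whatever it pulls in via tc=) is easy to get wrong when a gateway is meant to require Kerberos, so here is a small audit script for it. This is an added example, not code from the page, from the tutorial or from OpenBSD: the two sample files are constructed, the wifi and staff class names are hypothetical, and only the login.conf features the check needs are modelled (backslash continuation, ':cap=value:' fields, tc= inclusion, and the login.conf(5) rule that auth-<service> overrides auth, with "ssh" as the service name sshd asks for).

```python
"""Audit which login style sshd will use for each user by resolving the
master.passwd class through login.conf, as described in the comment above.
Added example; sample data below is constructed and class names are
hypothetical. Only the login.conf features needed here are modelled."""

# Constructed master.passwd(5) lines:
# name:pw:uid:gid:class:change:expire:gecos:home:shell
MASTER_PASSWD = """\
alice:*:1001:1001:wifi:0:0:Alice:/home/alice:/sbin/nologin
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/ksh
carol:*:1003:1003:staff:0:0:Carol:/home/carol:/bin/ksh
"""

# Constructed login.conf; 'auth-defaults' mirrors the stock
# ':auth=passwd,skey:' entry, the wifi and staff classes are hypothetical.
LOGIN_CONF = r"""
default:\
    :umask=022:\
    :tc=auth-defaults:

auth-defaults:\
    :auth=passwd,skey:

wifi:\
    :shell=/sbin/nologin:\
    :auth=krb5-or-pwd:\
    :tc=default:

staff:\
    :auth-ssh=krb5:\
    :tc=default:
"""


def parse_login_conf(text):
    """Return {class: [(cap, value), ...]} in field order; boolean caps get True."""
    classes, record = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # continuation: glue the next line on
            record += line[:-1]
            continue
        record += line
        names, *fields = record.split(":")
        caps = []
        for field in (f.strip() for f in fields):
            if field:
                cap, sep, value = field.partition("=")
                caps.append((cap, value if sep else True))
        for name in names.split("|"):       # 'name|alias' both name this record
            classes[name.strip()] = caps
        record = ""
    return classes


def lookup(classes, cls, cap, _seen=None):
    """termcap-style resolution: a record's own fields win over anything
    pulled in via tc=, and tc= references are followed in order."""
    _seen = set() if _seen is None else _seen
    if cls not in classes or cls in _seen:
        return None
    _seen.add(cls)
    for name, value in classes[cls]:
        if name == cap:
            return value
    for name, value in classes[cls]:
        if name == "tc":
            found = lookup(classes, value, cap, _seen)
            if found is not None:
                return found
    return None


def effective_auth(classes, cls, service="ssh"):
    """login.conf(5): 'auth-<service>' overrides 'auth'. Returns the style list."""
    value = lookup(classes, cls, "auth-" + service) or lookup(classes, cls, "auth")
    return [s.strip() for s in value.split(",")] if isinstance(value, str) else []


def users_with_auth(master_passwd, login_conf, service="ssh"):
    """Map user -> (class, styles). An empty class field means 'default' (passwd(5))."""
    classes, report = parse_login_conf(login_conf), {}
    for line in filter(None, master_passwd.splitlines()):
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("malformed master.passwd line: " + line)
        cls = fields[4] or "default"
        report[fields[0]] = (cls, effective_auth(classes, cls, service))
    return report


# Styles that accept the local password. krb5-or-pwd is listed because, as its
# name says, it falls back to the local password when Kerberos does not succeed.
LOCAL_PASSWORD_STYLES = {"passwd", "krb5-or-pwd"}


def local_password_users(report):
    """Users whose class still lets sshd accept a local password."""
    return sorted(u for u, (_, styles) in report.items()
                  if LOCAL_PASSWORD_STYLES & set(styles))


if __name__ == "__main__":
    report = users_with_auth(MASTER_PASSWD, LOGIN_CONF)
    for user, (cls, styles) in report.items():
        print(f"{user:8} class={cls:10} auth-ssh={','.join(styles)}")
    print("still accept a local password:", local_password_users(report))
```

Run against the samples, carol resolves to krb5 for ssh only (the auth-ssh override), while bob falls through the empty class field to default and hence to passwd,skey, and alice's krb5-or-pwd is flagged because that style still accepts the local password. Point the two constants at copies of your own /etc/master.passwd and /etc/login.conf to check a real gateway; remember that the ssh login class is a separate decision from authpf, which only opens the pf rules once the session exists.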
