Add authpf-noip, which allows multiple users to connect from a single IP;

forces users to write sane rulesets for this by not providing $user_ip or
updating the authpf table.

testing and prodding by mtu, manpage heavily worked over by jmc
ok beck dhartmei henning

4 files changed, 107 insertions, 41 deletions

diff --git a/usr.sbin/authpf/Makefile b/usr.sbin/authpf/Makefile
index 3e0538a8d23..100001a0a74 100644
--- a/usr.sbin/authpf/Makefile
+++ b/usr.sbin/authpf/Makefile
@@ -1,7 +1,11 @@
-#	$OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
+#	$OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
 
 PROG=	authpf
 MAN=	authpf.8
+
+LINKS=  ${BINDIR}/authpf ${BINDIR}/authpf-noip
+MLINKS+=authpf.8 authpf-noip.8
+
 BINOWN= root
 BINGRP= authpf
 BINMODE= 6555
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index 093b1f76d3a..0c66a38c8a9 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.44 2007/05/31 19:20:22 jmc Exp $
+.\" $OpenBSD: authpf.8,v 1.45 2008/02/14 01:49:17 mcbride Exp $
 .\"
 .\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>.  All rights reserved.
 .\"
@@ -14,14 +14,16 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: February 14 2008 $
 .Dt AUTHPF 8
 .Os
 .Sh NAME
-.Nm authpf
+.Nm authpf ,
+.Nm authpf-noip
 .Nd authenticating gateway user shell
 .Sh SYNOPSIS
 .Nm authpf
+.Nm authpf-noip
 .Sh DESCRIPTION
 .Nm
 is a user shell for authenticating gateways.
@@ -30,43 +32,63 @@ It is used to change
 rules when a user authenticates and starts a session with
 .Xr sshd 8
 and to undo these changes when the user's session exits.
-It is designed for changing filter and translation rules for an individual
-source IP address as long as a user maintains an active
-.Xr ssh 1
-session.
 Typical use would be for a gateway that authenticates users before
 allowing them Internet use, or a gateway that allows different users into
 different places.
+Combined with properly set up filter rules and secure switches,
 .Nm
-logs the successful start and end of a session to
-.Xr syslogd 8 .
-This, combined with properly set up filter rules and secure switches,
 can be used to ensure users are held accountable for their network traffic.
-.Pp
-.Nm
-can add filter and translation rules using the syntax described in
-.Xr pf.conf 5 .
-.Nm
-requires that the
+It is meant to be used with users who can connect via
+.Xr ssh 1
+only, and requires the
 .Xr pf 4
-system be enabled before use.
+subsystem to be enabled.
+.Pp
+.Nm authpf-noip
+is a user shell
+which allows multiple connections to take
+place from the same IP address.
+It is useful primarily in cases where connections are tunneled via
+the gateway system, and can be directly associated with the user name.
+It cannot ensure accountability when
+classifying connections by IP address;
+in this case the client's IP address
+is not provided to the packet filter via the
+.Ar client_ip
+macro or the
+.Ar authpf users
+table.
+Additionally, states associated with the client IP address
+are not purged when the session is ended.
+.Pp
+To use either
 .Nm
-can also maintain the list of IP address of connected users
-in the "authpf_users"
-.Pa table .
+or
+.Nm authpf-noip ,
+the user's shell needs to be set to
+.Pa /usr/sbin/authpf
+or
+.Pa /usr/sbin/authpf-noip .
 .Pp
 .Nm
-is meant to be used with users who can connect via
+uses the
+.Xr pf.conf 5
+syntax to change filter and translation rules for an individual
+user or client IP address as long as a user maintains an active
 .Xr ssh 1
-only.
-On startup,
+session, and logs the successful start and end of a session to
+.Xr syslogd 8 .
 .Nm
 retrieves the client's connecting IP address via the
 .Ev SSH_CLIENT
 environment variable and, after performing additional access checks,
 reads a template file to determine what filter and translation rules
-(if any) to add.
-On session exit the same rules that were added at startup are removed.
+(if any) to add, and
+maintains the list of IP addresses of connected users in the
+.Ar authpf_users
+table.
+On session exit the same rules and table entries that were added at startup
+are removed, and all states associated with the client's IP address are purged.
 .Pp
 Each
 .Nm
@@ -496,6 +518,31 @@ table <authpf_users> persist
 anchor "authpf/*" from <authpf_users>
 rdr-anchor "authpf/*" from <authpf_users>
 .Ed
+.Pp
+.Sy Tunneled users
+\- normally
+.Nm
+allows only one session per client IP address.
+However in some cases, such as when connections are tunneled via
+.Xr ssh 1
+or
+.Xr ipsec 4 ,
+the connections can be authorized based on the userid of the user instead of
+the client IP address.
+In this case it is appropriate to use
+.Nm authpf-noip
+to allow multiple users behind a NAT gateway to connect.
+In the
+.Pa /etc/authpf/authpf.rules
+example below, the remote user could tunnel a remote desktop session to their
+workstation:
+.Bd -literal
+internal_if="bge0"
+workstation_ip="10.2.3.4"
+
+pass out on $internal_if from (self) to $workstation_ip port 3389 \e
+       user $user_id
+.Ed
 .Sh FILES
 .Bl -tag -width "/etc/authpf/authpf.conf" -compact
 .It Pa /etc/authpf/authpf.conf
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index fb2b23d445c..1416b0db917 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: authpf.c,v 1.106 2008/02/01 07:08:03 mcbride Exp $	*/
+/*	$OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $	*/
 
 /*
  * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@@ -55,6 +55,7 @@ int	dev;			/* pf device */
 char	anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
 char	rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
 char	tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
+int	user_ip = 1;	/* controls whether $user_ip is set */
 
 FILE	*pidfp;
 char	 luser[MAXLOGNAME];	/* username */
@@ -66,6 +67,7 @@ struct timeval	Tstart, Tend;	/* start and end times of session */
 volatile sig_atomic_t	want_death;
 static void		need_death(int signo);
 static __dead void	do_death(int);
+extern char *__progname;	/* program name */
 
 /*
  * User shell for authenticating gateways. Sole purpose is to allow
@@ -86,6 +88,9 @@ main(int argc, char *argv[])
 	char		*shell;
 	login_cap_t	*lc;
 
+	if (strcmp(__progname, "-authpf-noip") == 0)
+                user_ip = 0;
+
 	config = fopen(PATH_CONFFILE, "r");
 	if (config == NULL) {
 		syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
@@ -140,7 +145,8 @@ main(int argc, char *argv[])
 
 	login_close(lc);
 
-	if (strcmp(shell, PATH_AUTHPF_SHELL)) {
+	if (strcmp(shell, PATH_AUTHPF_SHELL) && 
+	    strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) {
 		syslog(LOG_ERR, "wrong shell for user %s, uid %u",
 		    pw->pw_name, pw->pw_uid);
 		if (shell != pw->pw_shell)
@@ -172,8 +178,9 @@ main(int argc, char *argv[])
 	}
 
 
-	/* Make our entry in /var/authpf as /var/authpf/ipaddr */
-	n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
+	/* Make our entry in /var/authpf as ipaddr or username */
+	n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
+	    PATH_PIDFILE, user_ip ? ipsrc : luser);
 	if (n < 0 || (u_int)n >= sizeof(pidfile)) {
 		syslog(LOG_ERR, "path to pidfile too long");
 		goto die;
@@ -293,7 +300,7 @@ main(int argc, char *argv[])
 		printf("Unable to modify filters\r\n");
 		do_death(0);
 	}
-	if (change_table(1, ipsrc) == -1) {
+	if (user_ip && change_table(1, ipsrc) == -1) {
 		printf("Unable to modify table\r\n");
 		change_filter(0, luser, ipsrc);
 		do_death(0);
@@ -677,11 +684,6 @@ cleanup:
 static int
 change_filter(int add, const char *luser, const char *ipsrc)
 {
-	char	*pargv[13] = {
-		"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
-		"-D", "user_ip=X", "-D", "user_id=X", "-f",
-		"file", NULL
-	};
 	char	*fdpath = NULL, *userstr = NULL, *ipstr = NULL;
 	char	*rsn = NULL, *fn = NULL;
 	pid_t	pid;
@@ -690,6 +692,10 @@ change_filter(int add, const char *luser, const char *ipsrc)
 
 	if (add) {
 		struct stat sb;
+		char	*pargv[13] = {
+			"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
+			"-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
+		};
 
 		if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
 			syslog(LOG_ERR, "invalid luser/ipsrc");
@@ -715,8 +721,14 @@ change_filter(int add, const char *luser, const char *ipsrc)
 		pargv[2] = fdpath;
 		pargv[5] = rsn;
 		pargv[7] = userstr;
-		pargv[9] = ipstr;
-		pargv[11] = fn;
+		if (user_ip) {
+			pargv[9] = ipstr;
+			pargv[11] = fn;
+		} else {
+			pargv[8] = "-f";
+			pargv[9] = fn;
+			pargv[10] = NULL;
+		}
 
 		switch (pid = fork()) {
 		case -1:
@@ -861,8 +873,10 @@ do_death(int active)
 
 	if (active) {
 		change_filter(0, luser, ipsrc);
-		change_table(0, ipsrc);
-		authpf_kill_states();
+		if (user_ip) {
+			change_table(0, ipsrc);
+			authpf_kill_states();
+		}
 	}
 	if (pidfile[0] && (pidfp != NULL))
 		if (unlink(pidfile) == -1)
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index 358bfd0c106..e02cf77c9fe 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $	*/
+/*	$OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $	*/
 
 /*
  * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -35,4 +35,5 @@
 #define PATH_DEVFILE		"/dev/pf"
 #define PATH_PIDFILE		"/var/authpf"
 #define PATH_AUTHPF_SHELL	"/usr/sbin/authpf"
+#define PATH_AUTHPF_SHELL_NOIP	"/usr/sbin/authpf-noip"
 #define PATH_PFCTL		"/sbin/pfctl"