summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2008-02-14 01:49:18 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2008-02-14 01:49:18 +0000
commit0681d3a2bda5e02507feff18bfe29ff360bbb5e0 (patch)
treee8efc17ae33190cf6b492c100523fb244d55ffda /usr.sbin
parent591ec9c696216b317f0cdacee2e00d34789c0a08 (diff)
Add authpf-noip, which allows multiple users to connect from a single IP;
forces users to write sane rulesets for this by not providing $user_ip or updating the authpf table. testing and prodding by mtu, manpage heavily worked over by jmc ok beck dhartmei henning
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/authpf/Makefile6
-rw-r--r--usr.sbin/authpf/authpf.897
-rw-r--r--usr.sbin/authpf/authpf.c42
-rw-r--r--usr.sbin/authpf/pathnames.h3
4 files changed, 107 insertions, 41 deletions
diff --git a/usr.sbin/authpf/Makefile b/usr.sbin/authpf/Makefile
index 3e0538a8d23..100001a0a74 100644
--- a/usr.sbin/authpf/Makefile
+++ b/usr.sbin/authpf/Makefile
@@ -1,7 +1,11 @@
-# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
+# $OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
PROG= authpf
MAN= authpf.8
+
+LINKS= ${BINDIR}/authpf ${BINDIR}/authpf-noip
+MLINKS+=authpf.8 authpf-noip.8
+
BINOWN= root
BINGRP= authpf
BINMODE= 6555
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index 093b1f76d3a..0c66a38c8a9 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.44 2007/05/31 19:20:22 jmc Exp $
+.\" $OpenBSD: authpf.8,v 1.45 2008/02/14 01:49:17 mcbride Exp $
.\"
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
.\"
@@ -14,14 +14,16 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: February 14 2008 $
.Dt AUTHPF 8
.Os
.Sh NAME
-.Nm authpf
+.Nm authpf ,
+.Nm authpf-noip
.Nd authenticating gateway user shell
.Sh SYNOPSIS
.Nm authpf
+.Nm authpf-noip
.Sh DESCRIPTION
.Nm
is a user shell for authenticating gateways.
@@ -30,43 +32,63 @@ It is used to change
rules when a user authenticates and starts a session with
.Xr sshd 8
and to undo these changes when the user's session exits.
-It is designed for changing filter and translation rules for an individual
-source IP address as long as a user maintains an active
-.Xr ssh 1
-session.
Typical use would be for a gateway that authenticates users before
allowing them Internet use, or a gateway that allows different users into
different places.
+Combined with properly set up filter rules and secure switches,
.Nm
-logs the successful start and end of a session to
-.Xr syslogd 8 .
-This, combined with properly set up filter rules and secure switches,
can be used to ensure users are held accountable for their network traffic.
-.Pp
-.Nm
-can add filter and translation rules using the syntax described in
-.Xr pf.conf 5 .
-.Nm
-requires that the
+It is meant to be used with users who can connect via
+.Xr ssh 1
+only, and requires the
.Xr pf 4
-system be enabled before use.
+subsystem to be enabled.
+.Pp
+.Nm authpf-noip
+is a user shell
+which allows multiple connections to take
+place from the same IP address.
+It is useful primarily in cases where connections are tunneled via
+the gateway system, and can be directly associated with the user name.
+It cannot ensure accountability when
+classifying connections by IP address;
+in this case the client's IP address
+is not provided to the packet filter via the
+.Ar client_ip
+macro or the
+.Ar authpf users
+table.
+Additionally, states associated with the client IP address
+are not purged when the session is ended.
+.Pp
+To use either
.Nm
-can also maintain the list of IP address of connected users
-in the "authpf_users"
-.Pa table .
+or
+.Nm authpf-noip ,
+the user's shell needs to be set to
+.Pa /usr/sbin/authpf
+or
+.Pa /usr/sbin/authpf-noip .
.Pp
.Nm
-is meant to be used with users who can connect via
+uses the
+.Xr pf.conf 5
+syntax to change filter and translation rules for an individual
+user or client IP address as long as a user maintains an active
.Xr ssh 1
-only.
-On startup,
+session, and logs the successful start and end of a session to
+.Xr syslogd 8 .
.Nm
retrieves the client's connecting IP address via the
.Ev SSH_CLIENT
environment variable and, after performing additional access checks,
reads a template file to determine what filter and translation rules
-(if any) to add.
-On session exit the same rules that were added at startup are removed.
+(if any) to add, and
+maintains the list of IP addresses of connected users in the
+.Ar authpf_users
+table.
+On session exit the same rules and table entries that were added at startup
+are removed, and all states associated with the client's IP address are purged.
.Pp
Each
.Nm
@@ -496,6 +518,31 @@ table <authpf_users> persist
anchor "authpf/*" from <authpf_users>
rdr-anchor "authpf/*" from <authpf_users>
.Ed
+.Pp
+.Sy Tunneled users
+\- normally
+.Nm
+allows only one session per client IP address.
+However in some cases, such as when connections are tunneled via
+.Xr ssh 1
+or
+.Xr ipsec 4 ,
+the connections can be authorized based on the userid of the user instead of
+the client IP address.
+In this case it is appropriate to use
+.Nm authpf-noip
+to allow multiple users behind a NAT gateway to connect.
+In the
+.Pa /etc/authpf/authpf.rules
+example below, the remote user could tunnel a remote desktop session to their
+workstation:
+.Bd -literal
+internal_if="bge0"
+workstation_ip="10.2.3.4"
+
+pass out on $internal_if from (self) to $workstation_ip port 3389 \e
+ user $user_id
+.Ed
.Sh FILES
.Bl -tag -width "/etc/authpf/authpf.conf" -compact
.It Pa /etc/authpf/authpf.conf
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index fb2b23d445c..1416b0db917 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.106 2008/02/01 07:08:03 mcbride Exp $ */
+/* $OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $ */
/*
* Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@@ -55,6 +55,7 @@ int dev; /* pf device */
char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
char rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
+int user_ip = 1; /* controls whether $user_ip is set */
FILE *pidfp;
char luser[MAXLOGNAME]; /* username */
@@ -66,6 +67,7 @@ struct timeval Tstart, Tend; /* start and end times of session */
volatile sig_atomic_t want_death;
static void need_death(int signo);
static __dead void do_death(int);
+extern char *__progname; /* program name */
/*
* User shell for authenticating gateways. Sole purpose is to allow
@@ -86,6 +88,9 @@ main(int argc, char *argv[])
char *shell;
login_cap_t *lc;
+ if (strcmp(__progname, "-authpf-noip") == 0)
+ user_ip = 0;
+
config = fopen(PATH_CONFFILE, "r");
if (config == NULL) {
syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
@@ -140,7 +145,8 @@ main(int argc, char *argv[])
login_close(lc);
- if (strcmp(shell, PATH_AUTHPF_SHELL)) {
+ if (strcmp(shell, PATH_AUTHPF_SHELL) &&
+ strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) {
syslog(LOG_ERR, "wrong shell for user %s, uid %u",
pw->pw_name, pw->pw_uid);
if (shell != pw->pw_shell)
@@ -172,8 +178,9 @@ main(int argc, char *argv[])
}
- /* Make our entry in /var/authpf as /var/authpf/ipaddr */
- n = snprintf(pidfile, sizeof(pidfile), "%s/%s", PATH_PIDFILE, ipsrc);
+ /* Make our entry in /var/authpf as ipaddr or username */
+ n = snprintf(pidfile, sizeof(pidfile), "%s/%s",
+ PATH_PIDFILE, user_ip ? ipsrc : luser);
if (n < 0 || (u_int)n >= sizeof(pidfile)) {
syslog(LOG_ERR, "path to pidfile too long");
goto die;
@@ -293,7 +300,7 @@ main(int argc, char *argv[])
printf("Unable to modify filters\r\n");
do_death(0);
}
- if (change_table(1, ipsrc) == -1) {
+ if (user_ip && change_table(1, ipsrc) == -1) {
printf("Unable to modify table\r\n");
change_filter(0, luser, ipsrc);
do_death(0);
@@ -677,11 +684,6 @@ cleanup:
static int
change_filter(int add, const char *luser, const char *ipsrc)
{
- char *pargv[13] = {
- "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
- "-D", "user_ip=X", "-D", "user_id=X", "-f",
- "file", NULL
- };
char *fdpath = NULL, *userstr = NULL, *ipstr = NULL;
char *rsn = NULL, *fn = NULL;
pid_t pid;
@@ -690,6 +692,10 @@ change_filter(int add, const char *luser, const char *ipsrc)
if (add) {
struct stat sb;
+ char *pargv[13] = {
+ "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
+ "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
+ };
if (luser == NULL || !luser[0] || ipsrc == NULL || !ipsrc[0]) {
syslog(LOG_ERR, "invalid luser/ipsrc");
@@ -715,8 +721,14 @@ change_filter(int add, const char *luser, const char *ipsrc)
pargv[2] = fdpath;
pargv[5] = rsn;
pargv[7] = userstr;
- pargv[9] = ipstr;
- pargv[11] = fn;
+ if (user_ip) {
+ pargv[9] = ipstr;
+ pargv[11] = fn;
+ } else {
+ pargv[8] = "-f";
+ pargv[9] = fn;
+ pargv[10] = NULL;
+ }
switch (pid = fork()) {
case -1:
@@ -861,8 +873,10 @@ do_death(int active)
if (active) {
change_filter(0, luser, ipsrc);
- change_table(0, ipsrc);
- authpf_kill_states();
+ if (user_ip) {
+ change_table(0, ipsrc);
+ authpf_kill_states();
+ }
}
if (pidfile[0] && (pidfp != NULL))
if (unlink(pidfile) == -1)
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index 358bfd0c106..e02cf77c9fe 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
+/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -35,4 +35,5 @@
#define PATH_DEVFILE "/dev/pf"
#define PATH_PIDFILE "/var/authpf"
#define PATH_AUTHPF_SHELL "/usr/sbin/authpf"
+#define PATH_AUTHPF_SHELL_NOIP "/usr/sbin/authpf-noip"
#define PATH_PFCTL "/sbin/pfctl"