Title: Authentication gateway with SSH on OpenBSD
Author: Solène
Date: 01 December 2022
Tags: openbsd security nocloud
Description: In this article, you will learn how to use the OpenBSD
authpf shell to manipulate the firewall when connecting over SSH.
# Introduction
A neat feature in OpenBSD is the program authpf, an authenticating
gateway using SSH.
Basically, it lets you dynamically configure the local firewall PF by
connecting to, or disconnecting from, a user account over SSH, either
to toggle an IP address in a table or to load rules through a PF anchor.
# Use case
This program is very useful for the following use cases:
* firewall rules dedicated to authenticated users
* enabling NAT for authenticated users
* using a different bandwidth queue for authenticated users
* logging, or not logging, the network packets of authenticated users
Of course, you can be creative and imagine other use cases.
This method is different from using a VPN: it doesn't have the extra
cost of encryption, but it is less secure in the sense that it only
authenticates an IP address or a username, so if you use it over the
Internet, the triggered rule may also benefit other people using the
same IP address as yours. However, it's much simpler to set up because
users only have to share their public SSH key, while setting up a VPN
is another level of complexity and troubleshooting.
# Example setup
In the following example, you manage a small office OpenBSD router, but
you only want Chloe's workstation to reach the Internet through the NAT.
We need to create a dedicated account for her, set its shell to authpf,
deploy her SSH key and configure PF. Since `useradd -m` does not create
a `.ssh` directory, it is created explicitly before the key is added.
```shell
# useradd -m -s /usr/sbin/authpf chloe
# install -d -o chloe -m 700 ~chloe/.ssh
# echo "$ssh_key" >> ~chloe/.ssh/authorized_keys
# touch /etc/authpf/authpf.conf /etc/authpf/authpf.rules
```
Now, you can edit `/etc/pf.conf` and use the default table name
`authpf_users`. With the following PF snippet, we will only allow
authenticated users to go through the NAT.
```
table <authpf_users> persist
match out on egress inet from <authpf_users> to any nat-to (egress)
```
Reload your firewall, and once Chloe connects, she will be able to go
through the NAT.
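Beyond the table, authpf can load per-user rules into a PF anchor for the duration of the SSH session, which keeps each authenticated workstation limited to what it actually needs. The following is an added example, not part of the original post: it assumes `em1` is the LAN interface and relies on the `$user_ip` macro that authpf defines when it loads a user's rules file.

```pf
# --- /etc/pf.conf (excerpt) ---
# Added example; assumes em1 is the LAN side and "egress" the uplink.
table <authpf_users> persist

# Default policy on the LAN: forward nothing. Only the router's own
# SSH port is reachable so that users can authenticate with authpf.
block in on em1
pass in on em1 inet proto tcp from em1:network to (em1) port 22

# Authenticated addresses are NATed out, exactly as in the article.
match out on egress inet from <authpf_users> to any nat-to (egress)

# authpf loads each session's rules into its own sub-anchor under
# "authpf"; evaluating it last lets those pass rules override the
# block above (PF is last-match-wins).
anchor "authpf/*"

# --- /etc/authpf/users/chloe/authpf.rules ---
# Loaded by authpf only while chloe is connected; $user_ip is
# replaced with the address her SSH session came from, so a host
# that is not hers never matches even when it shares the LAN.
# Only DNS and web traffic are forwarded, and every new flow is
# logged to pflog0 (see the "logging" use case above).
pass in log on em1 inet proto { tcp udp } from $user_ip to any port { 53 80 443 }
```

When Chloe disconnects, authpf removes the sub-anchor and her address from `<authpf_users>`, so the LAN falls back to the `block in on em1` default.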
# Conclusion
The program authpf is an efficient tool for the network administrator's
toolbox. With PF anchors, you can extend it far beyond what is shown
here; it's really not limited to tables.
# Going further
The man page contains a lot of extra information for customization; you
should definitely read it if you plan to use authpf.
OpenBSD man page of authpf(8)
## Blocking users
It's possible to ban users. For various reasons you may want to block
someone with a message asking them to reach the help desk. This can be
done by creating a file named after the username, as in the following
example for user `chloe`: `/etc/authpf/banned/chloe`. The file's text
content will be displayed to the user upon connection.
## Greeting message
It's possible to write a custom greeting message displayed upon
connection. This can be global or per user: write the message in
`/etc/authpf/authpf.message` for a global one, or in
`/etc/authpf/users/chloe/authpf.message` for user `chloe`.