Title: Authentication gateway with SSH on OpenBSD
Author: Solène
Date: 01 December 2022
Tags: openbsd security nocloud
Description: In this article, you will learn how to use the OpenBSD authpf shell to manipulate the firewall when connecting over SSH.
# Introduction

A neat feature in OpenBSD is the program authpf, an authenticating gateway using SSH.

Basically, it lets you dynamically configure the local firewall PF by connecting to, or disconnecting from, a user account over SSH: the session either adds an IP address to a PF table or loads rules through a PF anchor.
# Use case

This program is very useful for the following use cases:

* firewall rules dedicated to authenticated users
* enabling NAT for authenticated users
* using a different bandwidth queue for authenticated users
* logging, or not logging, network packets of authenticated users

Of course, you can be creative and imagine other use cases.
This method is quite different from using a VPN: it has no extra encryption cost, but it is less secure in the sense that it only authenticates an IP address or a username. If you use it over the Internet, the triggered rule may also benefit other people sharing the same IP address as you. However, it is much simpler to set up, because users only have to share their public SSH key, while setting up a VPN is another level of complexity and troubleshooting.
# Example setup

In the following example, you manage a small office OpenBSD router, but you only want Chloe's workstation to reach the Internet through the NAT.

We need to create a dedicated account for her, set its shell to authpf, deploy her SSH key and configure PF. authpf requires `/etc/authpf/authpf.conf` to exist, even if empty, and `/etc/authpf/authpf.rules` holds the rules loaded for every authenticated user.

```shell
# useradd -m -s /usr/sbin/authpf chloe
# mkdir -p -m 700 ~chloe/.ssh
# echo "$ssh_key" >> ~chloe/.ssh/authorized_keys
# chown -R chloe ~chloe/.ssh
# touch /etc/authpf/authpf.conf /etc/authpf/authpf.rules
```
Now, you can edit `/etc/pf.conf` and use the default table name `authpf_users`. With the following PF snippet, only authenticated users are allowed through the NAT.

```
table <authpf_users> persist
match out on egress inet from <authpf_users> to any nat-to (egress)
```

Reload your firewall, and when Chloe connects, she will be able to go through the NAT.
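Taking the same setup one step further with a PF anchor, as an added example that is not the article's own code: this script writes per-user rules that authpf loads into its anchor for the duration of the SSH session, using the default paths from authpf(8). The port list and the `root` prefix used for dry runs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article: the anchor-based variant of the
# setup. Besides adding the IP to <authpf_users>, authpf loads the rules in
# /etc/authpf/users/<user>/authpf.rules into its anchor while the session
# lasts. Paths follow authpf(8); the port list and $root prefix are made up.
set -eu

# Accept only plain lowercase login names, so a user name can never escape
# /etc/authpf/users/ once it becomes a path component.
valid_login() {
  case "$1" in
    ''|*[!a-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# pf.conf fragment: the table from the article plus the anchor point where
# authpf attaches each user's rules.
pf_anchor_fragment() {
  cat <<'EOF'
table <authpf_users> persist
anchor "authpf/*"
match out on egress inet from <authpf_users> to any nat-to (egress)
EOF
}

# Per-user rules, filtered as they arrive from the workstation on the LAN
# side. $user_ip is a macro authpf defines when loading the file, so it is
# escaped here and reaches the file unexpanded.
user_rules() {
  user="$1"; ports="$2"
  cat <<EOF
# rules for $user, active only while the SSH session is open
pass in quick inet proto tcp from \$user_ip to any port { $ports }
pass in quick inet proto udp from \$user_ip to any port 53
EOF
}

# Write the rule file under $root/etc/authpf (root is "" on the router, a
# scratch directory for a dry run) and create authpf.conf, which authpf
# requires to exist even when empty.
install_user_rules() {
  root="$1"; user="$2"; ports="$3"
  valid_login "$user" || { echo "refusing login name: $user" >&2; return 1; }
  dir="$root/etc/authpf/users/$user"
  mkdir -p "$dir"
  user_rules "$user" "$ports" > "$dir/authpf.rules"
  touch "$root/etc/authpf/authpf.conf"
}
```

On the router, `install_user_rules "" chloe "22 80 443"` writes `/etc/authpf/users/chloe/authpf.rules`; `pf_anchor_fragment` prints the lines to add to `/etc/pf.conf` before reloading it.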
# Conclusion

The program authpf is an efficient tool for the network administrator's toolbox. With PF anchors, you can extend its potential as much as you want: it is really not limited to tables.
# Going further

The man page contains a lot of extra information for customization; you should definitely read it if you plan to use authpf.

OpenBSD man page of authpf(8)
## Blocking users

It is possible to ban users: for various reasons you may want to block someone with a message asking them to reach the help desk. This is done by creating a file named after the username, such as `/etc/authpf/banned/chloe` for user `chloe`; the file's text content will be displayed to the user upon connection.
## Greeting message

It is possible to write a custom greeting message displayed upon connection, either global or per user: write the message in `/etc/authpf/authpf.message` for a global one, or in `/etc/authpf/users/chloe/authpf.message` for user `chloe`.