| Title: Authentication gateway with SSH on OpenBSD
Author: Solène
Date: 01 December 2022
Tags: openbsd security nocloud
Description: In this article, you will learn how to use the OpenBSD
authpf shell to manipulate the firewall when connecting over SSH.
# Introduction
A neat feature in OpenBSD is the program authpf, an authenticating
gateway using SSH.
Basically, it allows to dynamically configure the local firewall PF by
connecting/disconnecting into a user account over SSH, either to toggle
an IP into a table or rules through a PF anchor.
# Use case
This program is very useful for the following use case:
* firewall rules dedicated to authenticated users
* enabling NAT to authenticated users
* using a different bandwidth queue for authenticated users
* logging, or not logging network packets of authenticated users
Of course, you can be creative and imagine other use cases.
This method is actually different from using a VPN, it doesn't have
encryption extra cost but is less secure in the sense it only
authenticates an IP or username, so if you use it over the Internet,
the triggered rule may also benefit to people using the same IP as
yours. However, it's much simpler to set up because users only have to
share their public SSH key, while setting up a VPN is another level of
complexity and troubleshooting.
# Example setup
In the following example, you manage a small office OpenBSD router, but
you only want Chloe's workstation to reach the Internet with the NAT.
We need to create her a dedicated account, set the shell to authpf,
deploy her SSH key and configure PF.
```shell
# useradd -m -s /usr/sbin/authpf chloe
# echo "$ssh_key" >> ~chloe/.ssh/authorized_keys
# touch /etc/authpf/authpf.conf /etc/authpf/authpf/rules
```
Now, you can edit `/etc/pf.conf` and use the default table name
`authpf_users`. With the following PF snippet, we will only allow
authenticated users to go through the NAT.
```
table persist
match out on egress inet from to any nat-to (egress)
```
Reload your firewall, and when Chloe will connect, she will be able to
go through the NAT.
# Conclusion
The program authpf is an efficient tool for the network administrator's
toolbox. And with the use of PF anchors, you can really extend its
potential as you want, it's really not limited to tables.
# Going further
The man page contains a lot of extra information for customization, you
should definitely read it if you plan to use authpf.
|
|
## Blocking users
It's possible to ban users, for various reasons you may want to block
someone with a message asking to reach the help desk. This can be done
by creating a file name after the username, like in the following
example for user `chloe`: `/etc/authpf/banned/chloe`, the file text
content will be displayed to the user upon connection.
## Greeeting message
It's possible to write a custom greeting message displayed upon
connection, this can be global or per user, just write a message in
`/etc/authpf/authpf.message` for a global one, or
`/etc/authpf/users/chloe/authpf.message` for user `chloe`. |