From: Marco van Lienen
To: freebsd-pf
Date: Tue, 31 May 2005 12:28:55 +0200
Message-ID: <20050531102855.GA40275@lordsith.net>
Subject: authpf does authenticate but gives no shell
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello list,

I'm trying to set up authpf on a RELENG_5_4 box. After setting up the environment for authpf, when I try to log on to this box as a user which should be given /usr/sbin/authpf as the login shell, I get the "Hello $user, You are authenticated from host $user_ip" message but then I don't get a prompt. When I log on to the same box as a regular user I do see the authpf user logged in making use of authpf.

Usernames changed for example purposes:

    $ ps auxww|grep authpf
    foo  1383  0.0  0.4  1540   952  p0  S+   12:26PM   0:00.00 grep authpf
    bar  1361  0.0  0.5  1672  1376  p1  Ss+  12:24PM   0:00.01 -authpf: bar@10.31.12.165 (authpf)

The authpf box is a box with 1 NIC and it has regular and admin users (admin users need to receive less restrictive access into the network). All users are allowed to ssh into the box but only the admin users should be allowed to ssh further into the network. Regular users may log in but are only allowed to do local work.

Here is how I've set up the environment. In /etc/pf.conf I have:

    # interface definitions
    #
    if_loop = "lo0"
    if_pub = "em0"
    if_log = "em0"
    #
    # TCP services
    sshd = "22"

    block in log
    block out
    #
    # pass all loopback traffic
    pass quick on $if_loop

    # ICMP
    pass in quick inet proto icmp icmp-type 8 code 0 keep state
    pass in quick inet proto icmp icmp-type 3 code 4 keep state
    pass in quick inet proto icmp icmp-type 11 keep state
    pass out quick inet proto icmp keep state
    #
    # input rules
    pass in log quick on $if_pub proto tcp from any port > 1023 to port $sshd flags S/SA keep state
    anchor authpf
    pass out quick on $if_pub proto udp keep state

In /etc/authpf/ I've created:

    authpf.allow   (contains 1 admin user only)
    authpf.conf    (empty zero-byte file)
    authpf.message (additional text which is being echoed upon login)
    authpf.rules

authpf.rules:

    # interface definitions
    #
    if_pub = "em0"
    #
    # input rules
    pass in quick on $if_pub proto tcp from $user_ip to port = ssh flags S/SA keep state
    #
    # output rules
    pass out log quick on $if_pub proto tcp to 10.31.12.165 port = ssh flags S/SA modulate state
    pass out quick on $if_pub proto udp keep state

As you can see, the 1 admin user is allowed to establish an ssh connection to host 10.31.12.165.

A `pfctl -a anchor -sr` shows that the anchor is being picked up and the authpf.rules file has been parsed and activated:

    # pfctl -a authpf -sr
    No ALTQ support in kernel
    ALTQ related functions disabled
    pass in quick on em0 inet proto tcp from 10.31.12.165 to any port = ssh flags S/SA keep state
    pass out log quick on em0 inet proto tcp from any to 10.31.12.165 port = ssh flags S/SA modulate state
    pass out quick on em0 proto udp all keep state

I've set up an additional login class through login.conf(5):

    authpf:\
        :shell=/usr/sbin/authpf:\
        :tc=default:

I've run cap_mkdb /etc/login.conf and there is a new login.conf.db.

I've tried only changing the class entry via chpass(1) to authpf and keeping the admin user's original shell (/usr/local/bin/bash; according to /var/log/messages this wouldn't allow me onto the box, it was warning about wrong shell or something). After then changing the user shell to /usr/sbin/authpf it at least echoes the Welcome text with the contents of /etc/authpf/authpf.message, but then I don't get a prompt to input shell commands.

Hope someone can help me out here.

Cheers.
Marco
-- 
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
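To see what actually lands in the per-user anchor, here is an added example (not part of the post and not authpf's own code) that expands an authpf.rules file the way authpf(8) does for $user_ip and $user_id, expands the file's own macros the way pfctl does, and then reports which pass rules are not tied to the authenticated user's address. The sample rules are modelled on the ones in the post; the address 10.31.12.50 and the user name are constructed, and Python 3 is assumed.

```python
import re

# Constructed sample modelled on the authpf.rules shown in the post.
SAMPLE_RULES = """\
# interface definitions
if_pub = "em0"
# input rules
pass in quick on $if_pub proto tcp from $user_ip to port = ssh flags S/SA keep state
# output rules
pass out log quick on $if_pub proto tcp to 10.31.12.165 port = ssh flags S/SA modulate state
pass out quick on $if_pub proto udp keep state
"""

MACRO_RE = re.compile(r"\$(\w+)")
DEFINE_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def expand_rules(text, user_ip, user_id):
    """Return the rule lines pfctl would load for one session: macros defined
    in the file are substituted, plus user_ip/user_id as authpf(8) does.
    Comments and blank lines are dropped; an undefined macro is an error."""
    macros = {"user_ip": user_ip, "user_id": user_id}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        define = DEFINE_RE.match(line)
        if define:
            macros[define.group(1)] = define.group(2)
            continue

        def substitute(match):
            name = match.group(1)
            if name not in macros:
                raise KeyError("undefined macro $" + name)
            return macros[name]

        rules.append(MACRO_RE.sub(substitute, line))
    return rules


def unscoped_rules(rules, user_ip):
    """Pass rules that never mention the user's address. While this user's
    anchor is loaded, such a rule matches any traffic, not only the user's."""
    return [r for r in rules if r.startswith("pass") and user_ip not in r.split()]


if __name__ == "__main__":
    loaded = expand_rules(SAMPLE_RULES, "10.31.12.50", "bar")
    print("\n".join(loaded))
    for rule in unscoped_rules(loaded, "10.31.12.50"):
        print("not scoped to the user:", rule)
```

Run against the post's rules this flags both "pass out" lines, since only the "pass in" rule carries a from $user_ip.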