Date:      Tue, 31 May 2005 12:28:55 +0200
From:      Marco van Lienen <marco+freebsd-pf@lordsith.net>
To:        freebsd-pf <freebsd-pf@freebsd.org>
Subject:   authpf does authenticate but gives no shell
Message-ID:  <20050531102855.GA40275@lordsith.net>

Hello list,

I'm trying to set up authpf on a RELENG_5_4 box.
After setting up the environment for authpf, when I try to log on to this box
as a user which should be given /usr/sbin/authpf as the login shell I get the
'Hello $user, You are authenticated from host "$user_ip"' message, but then I don't
get a prompt.
When I log on to the same box as a regular user I do see the authpf user logged
in making use of authpf.

Usernames changed for example purposes:

$ ps auxww|grep authpf
foo  1383  0.0  0.4  1540   952  p0  S+   12:26PM   0:00.00 grep authpf
bar  1361  0.0  0.5  1672  1376  p1  Ss+  12:24PM   0:00.01 -authpf: bar@10.31.12.165 (authpf)

The authpf box is a box with 1 NIC and it has regular and admin users (admin users
need to receive less restrictive access into the network).
All users are allowed to ssh into the box but only the admin users should be
allowed to ssh further into the network.
Regular users may login but are only allowed to do local work.

Here is how I've set up the environment.

In /etc/pf.conf I have:

# interface definitions
#
if_loop = "lo0"
if_pub = "em0"
if_log = "em0"

#
# TCP services
sshd = "22"

block in log
block out

#
# pass all loopback traffic
pass quick on $if_loop

# ICMP
pass in quick inet proto icmp icmp-type 8 code 0 keep state
pass in quick inet proto icmp icmp-type 3 code 4 keep state
pass in quick inet proto icmp icmp-type 11       keep state

pass out quick inet proto icmp keep state

#
# input rules
pass in log quick on $if_pub proto tcp from any port > 1023 to port $sshd flags S/SA keep state
anchor authpf

pass out quick on $if_pub proto udp keep state

In /etc/authpf/ I've created:

authpf.allow (contains 1 admin user only)
authpf.conf (empty zero-byte file)
authpf.message (additional text which is being echoed upon login)
authpf.rules

authpf.rules:
# interface definitions
#
if_pub = "em0"

#
# input rules
pass in quick on $if_pub proto tcp from $user_ip to port = ssh flags S/SA keep state

#
# output rules
pass out log quick on $if_pub proto tcp to 10.31.12.165 port = ssh flags S/SA modulate state
pass out quick on $if_pub proto udp keep state

As you can see, the 1 admin user is allowed to establish an ssh connection to
host: 10.31.12.165.

A `pfctl -a anchor -sr` shows that the anchor is being picked up and the
authpf.rules file has been parsed and activated:

# pfctl -a authpf -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass in quick on em0 inet proto tcp from 10.31.12.165 to any port = ssh flags S/SA keep state
pass out log quick on em0 inet proto tcp from any to 10.31.12.165 port = ssh flags S/SA modulate state
pass out quick on em0 proto udp all keep state

I've setup an additional login class through login.conf(5):

authpf:\
        :shell=/usr/sbin/authpf:\
        :tc=default:

I've run cap_mkdb /etc/login.conf and there is a new login.conf.db.

I've tried only changing the class entry via chpass(1) to authpf and keeping
the admin users' original shell (/usr/local/bin/bash); according to
/var/log/messages this wouldn't allow me onto the box; it was warning about a wrong
shell or something.
After then changing the user shell to /usr/sbin/authpf it at least echoes the
Welcome text with the contents of /etc/authpf/authpf.message, but then I don't
get a prompt to input shell commands.

Hope someone can help me out here.

Cheers.
Marco

-- 

WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
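Below is an added example; it is not code from the original post, from the poster's box, or from the authpf or FreeBSD projects. authpf(8) is deliberately not an interactive shell: it prints the banner, loads the user's rules into the anchor with the `$user_ip` and `$user_id` macros substituted, and then simply holds the session open until the ssh connection ends, at which point the rules are removed again. The script reproduces that macro expansion on a constructed copy of the authpf.rules quoted above, so the result can be compared with the `pfctl -a authpf -sr` listing in the post, and adds a check for two prerequisites an administrator usually wants confirmed: /usr/sbin/authpf listed in /etc/shells (so chpass(1) accepts it as a shell for a non-root user) and an `anchor authpf` line in pf.conf. The temporary file names, the user id 1001 and the stand-in /etc/shells and pf.conf contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of authpf itself.
# Two things it shows, on constructed text only (nothing touches a live pf):
#  1. how the $user_ip / $user_id macros in /etc/authpf/authpf.rules turn into
#     the concrete rules later seen with `pfctl -a authpf -sr`;
#  2. a prerequisite check for the pieces authpf(8) needs around it.
# File names, the user id 1001 and the shells/pf.conf contents are constructed.

# Constructed copy of the poster's authpf.rules, macros still unexpanded.
AUTHPF_RULES='if_pub = "em0"
pass in quick on $if_pub proto tcp from $user_ip to port = ssh flags S/SA keep state
pass out log quick on $if_pub proto tcp to 10.31.12.165 port = ssh flags S/SA modulate state
pass out quick on $if_pub proto udp keep state'

# expand_authpf_macros RULES USER_IP USER_ID
# authpf hands user_ip and user_id to pfctl as macro definitions when it loads
# the per-user rules into the authpf anchor; this reproduces the textual result.
expand_authpf_macros() {
    printf '%s\n' "$1" | sed -e "s/[\$]user_ip/$2/g" -e "s/[\$]user_id/$3/g"
}

# check_authpf_prereqs SHELLS_FILE PFCONF_FILE
# authpf has to be an acceptable login shell (listed in /etc/shells for
# chpass(1)) and pf.conf has to carry an "anchor authpf" line, otherwise the
# per-user rules have nowhere to go. Prints each missing item; returns 0 only
# when everything is present.
check_authpf_prereqs() {
    status=0
    if ! grep -qx '/usr/sbin/authpf' "$1"; then
        echo "missing: /usr/sbin/authpf is not listed in $1"
        status=1
    fi
    if ! grep -Eq '^[[:space:]]*anchor[[:space:]]+"?authpf' "$2"; then
        echo "missing: no 'anchor authpf' line in $2"
        status=1
    fi
    return $status
}

# Constructed input files standing in for /etc/shells and /etc/pf.conf.
DEMO_DIR=$(mktemp -d)
printf '/bin/sh\n/bin/csh\n/usr/sbin/authpf\n' > "$DEMO_DIR/shells.ok"
printf '/bin/sh\n/bin/csh\n' > "$DEMO_DIR/shells.missing"
printf 'block in log\nblock out\npass in quick on em0 proto tcp to port 22 flags S/SA keep state\nanchor authpf\n' > "$DEMO_DIR/pf.conf"

echo "== rules as loaded for user id 1001 connecting from 10.31.12.165 =="
expand_authpf_macros "$AUTHPF_RULES" 10.31.12.165 1001
echo
echo "== prerequisite check, authpf present in shells file =="
check_authpf_prereqs "$DEMO_DIR/shells.ok" "$DEMO_DIR/pf.conf" && echo "ok"
echo "== prerequisite check, authpf missing from shells file =="
check_authpf_prereqs "$DEMO_DIR/shells.missing" "$DEMO_DIR/pf.conf" || echo "not ok"
```

The expanded `pass in` rule carries the client address where the rules file had `$user_ip`, which is exactly the difference between the authpf.rules text and the anchor listing in the post; the `$if_pub` macro is left alone because pfctl resolves that one from the rules file itself. When the check reports a missing item, fix the prerequisite before looking any further at the per-user rules.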


