Malthe Borch wrote:
We're running an iptables setup with scripted authentication that enables users to reach the internet on a per-IP basis.

Users will authenticate to another machine on the network that, in turn, opens a tunnel to the firewall, executes the script and closes the connection. The firewall will then, on a regular basis, send echo requests to the machine, and in case of a timeout it will remove the client's IP address from the table.

How does this compare to an authpf-based setup? I'm not sure I understand the mechanics of the authentication. Is it indirectly an implementation of IP authentication through the use of a secure tunnel as identification?

Any thoughts appreciated,

Authpf works through pf anchors - a placeholder where arbitrary firewall rules can be dynamically inserted and removed. Authpf itself is a shell that people reach through SSH. Between a successful authentication and the termination of the SSH session with authpf, customized (to whatever extent you wish) rules are loaded into the authpf anchor(s), e.g. rules that allow traffic from and to the authenticated IP. As soon as the authpf session is closed, the rules are removed again - without delay.

There is no pinging and guessing-whether-the-user-is-still-authenticated involved.

For example, a student in a university's computer pool logs on to a Windows client and double-clicks the "enable Internet" icon, which is putty starting a predefined SSH session to the authenticating gateway. The user authenticates and minimizes/iconizes/whateverizes the putty window while he does his or her work with Internet connectivity. Eventually, the student logs out, effectively closing the putty window and its ssh session as well. At this point, anyone who wants Internet access from that workstation needs to authenticate again. The next student, waiting impatiently to check email, logs in and quickly clicks the "enable Internet" icon and authenticates herself ...

Even if this logout/someone-else-logs-in dance on the same IP address only took fractions of a second, it would still be unambiguously clear which of the two people was using the Internet off that IP at any given time.

More information is available at
http://www.openbsd.org/cgi-bin/man.cgi?query=authpf
http://www.openbsd.org/faq/pf/authpf.html


Moritz
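An added example (not from either poster) of the anchor mechanism Moritz describes: the placeholder in pf.conf and a per-user rules file that authpf loads into that anchor for the lifetime of the SSH session. Interface names and the LAN prefix are assumptions.

```pf
# /etc/pf.conf (excerpt) -- em0/em1 and 10.0.0.0/24 are assumed values
ext_if = "em0"
int_if = "em1"
lan    = "10.0.0.0/24"

# Clients must be able to reach the gateway's SSH port before they are
# authenticated, because authpf is their login shell on that SSH session.
pass in quick on $int_if proto tcp from $lan to ($int_if) port 22

# Default for the LAN: no forwarding until authpf adds a rule for the client.
block in on $int_if from $lan to any

# The placeholder. While a session is open, authpf loads that user's rules
# into a sub-anchor named authpf/<user>(<pid>); when the SSH session ends,
# the sub-anchor is flushed, so the access disappears with the session.
anchor "authpf/*"

# /etc/authpf/authpf.rules
# authpf(8) substitutes $user_ip and $user_id with the authenticated
# client's source address and login name when it loads this file.
int_if = "em1"
pass in quick on $int_if from $user_ip to any keep state
```

authpf also requires /etc/authpf/authpf.conf to exist (it may be empty) and the user's login shell to be /usr/sbin/authpf; the per-session anchor contents can be inspected with `pfctl -a 'authpf/*' -sr`.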
