About me: My name is Solène Rapenne, pronouns she/her. I like learning and sharing knowledge. Hobbies: '(BSD OpenBSD Qubes OS Lisp cmdline gaming security QubesOS internet-stuff). I love percent and lambda characters. OpenBSD developer solene@. No AI is involved in this blog.

Contact me: solene at dataswamp dot org or @solene@bsd.network (mastodon).

You can sponsor my work financially if you want to help me writing this blog and contributing to Free Software as my daily job.

Authentication gateway with SSH on OpenBSD

Written by Solène, on 01 December 2022.
Tags: #openbsd #security #nocloud

Comments on Fediverse/Mastodon

1. Introduction §

A neat feature in OpenBSD is the program authpf, an authenticating gateway using SSH.

Basically, it allows to dynamically configure the local firewall PF by connecting/disconnecting into a user account over SSH, either to toggle an IP into a table or rules through a PF anchor.

2. Use case §

This program is very useful for the following use case:

  • firewall rules dedicated to authenticated users
  • enabling NAT to authenticated users
  • using a different bandwidth queue for authenticated users
  • logging, or not logging network packets of authenticated users

Of course, you can be creative and imagine other use cases.

This method is actually different from using a VPN, it doesn't have encryption extra cost but is less secure in the sense it only authenticates an IP or username, so if you use it over the Internet, the triggered rule may also benefit to people using the same IP as yours. However, it's much simpler to set up because users only have to share their public SSH key, while setting up a VPN is another level of complexity and troubleshooting.

3. Example setup §

In the following example, you manage a small office OpenBSD router, but you only want Chloe's workstation to reach the Internet with the NAT. We need to create her a dedicated account, set the shell to authpf, deploy her SSH key and configure PF. 

# useradd -m -s /usr/sbin/authpf chloe
# echo "$ssh_key" >> ~chloe/.ssh/authorized_keys
# touch /etc/authpf/authpf.conf /etc/authpf/authpf/rules

Now, you can edit /etc/pf.conf and use the default table name authpf_users. With the following PF snippet, we will only allow authenticated users to go through the NAT. 

table <authpf_users> persist
match out on egress inet from <authpf_users> to any nat-to (egress)

Reload your firewall, and when Chloe will connect, she will be able to go through the NAT.

4. Conclusion §

The program authpf is an efficient tool for the network administrator's toolbox. And with the use of PF anchors, you can really extend its potential as you want, it's really not limited to tables.

5. Going further §

The man page contains a lot of extra information for customization, you should definitely read it if you plan to use authpf.

OpenBSD man page of authpf(8)

5.1. Blocking users §

It's possible to ban users, for various reasons you may want to block someone with a message asking to reach the help desk. This can be done by creating a file name after the username, like in the following example for user chloe: /etc/authpf/banned/chloe, the file text content will be displayed to the user upon connection.

5.2. Greeeting message §

It's possible to write a custom greeting message displayed upon connection, this can be global or per user, just write a message in /etc/authpf/authpf.message for a global one, or /etc/authpf/users/chloe/authpf.message for user chloe.