PAM Authentication
This page describes how to use PAM based authentication.
Overview
NOTE: The PAM based authentication method can only perform access
control based on the source IP-address of the client, functionality
that is also available in the standard Barefoot rule syntax.
This authentication method is thus primarily aimed at configurations
where it is for some reason desirable to perform IP-based
filtering with a PAM module instead of, or in addition to, the
Barefoot rules (e.g., because such a setup is already in use with
other daemons).
Environment setup
The PAM system on the server needs to be configured independently
of Barefoot for this authentication method to work. This might
involve adding a configuration file for the Barefoot server to the
PAM setup. The contents of the file depend on the operating system.
The default PAM service name is barefootd, but this can be
overridden in individual rules in the server configuration file by
setting pam.servicename to a different value. The default
value can only be changed at compile time, so it is necessary to
specify this setting in each rule that should use a different
servicename than the default.
The PAM authentication method can only be used with PAM
configurations that require nothing more than the IP-address of the
client. One such PAM module is pam_rhosts, which can be found on some
platforms that support PAM. One limitation compared to e.g.,
rsh is that the user name of the client will not be known
(this applies to both the PAM_USER and PAM_RUSER
values). The Barefoot server sets these values to rhostusr
by default. To use the pam_rhosts module it might therefore be
necessary to add this user on the machine the Barefoot server is
running on.
Server privileges
#server identities (not needed on Solaris)
user.privileged : root
user.notprivileged : socks
The server might have to be started with root
privileges to use PAM, even though password verification is not needed.
If this is the case, the
user.privileged and user.notprivileged keywords
should be set as above to ensure that the server will run as an unprivileged
user when it does not need root privileges.
Example method usage
clientmethod: pam
client pass {
        from: 0.0.0.0/0 to: eth0 port = http
        bounce to: webserv.example.org port = http
        protocol: tcp
        log: error # connect disconnect iooperation
        method: pam
        #use separate servicename for host based pam authentication
        pam.servicename: pam_host
}
The example above sets the pam.servicename
to pam_host, which is assumed to be configured in a way
which makes it possible to authenticate based on the client
IP-address. The authentication method is first added as an
authentication method to the global clientmethod keyword,
and then added to the client pass rule. Only TCP
connections or UDP packets where the PAM authentication is
successful will match the rule and be passed.
Note that the source address for UDP packets can easily be
forged.
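As an added illustration that is not part of the Barefoot documentation, the following shows what the PAM side of the example above could look like on a Linux-PAM system, i.e. the pam_host service and the trusted-host list that pam_rhosts consults for the rhostusr user. The file names, module layout, client address and account-creation command are assumptions; other operating systems use different files and syntax.

```text
# /etc/pam.d/pam_host  (assumed Linux-PAM service file; the name must match
# the pam.servicename value used in the Barefoot rule)
#
# pam_rhosts only looks at PAM_RHOST (the client address set by Barefoot),
# PAM_RUSER and PAM_USER, both of which Barefoot sets to "rhostusr" by default.
# Access is granted when /etc/hosts.equiv or ~rhostusr/.rhosts trusts the host.
auth     required   pam_rhosts.so
account  required   pam_permit.so

# /etc/hosts.equiv  (assumed location; constructed sample entry)
#
# A line with only a host trusts users on that host whose name matches the
# local user, which is the case here since PAM_RUSER and PAM_USER are equal.
# List each client network address that should be allowed to be bounced.
192.0.2.10

# pam_rhosts needs the local rhostusr account to exist; an assumed way to
# create it on Linux without a login shell:
#   useradd --system --shell /usr/sbin/nologin --home /nonexistent rhostusr
```

Because the check is purely address based, the same caveat as for the Barefoot rule applies: only TCP clients are meaningfully identified, and a UDP source address in hosts.equiv can be spoofed.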