barefoot   Frontpage - Barefoot - Download - Usage - Status - Support - Modules - Docs - Links - Survey - GDPR

PAM Authentication

This page describes how to use PAM based authentication.


NOTE: The PAM based authentication method can only perform access control based on the source IP-address of the client, a functionality that is also available in the standard barefoot rule syntax. This authentication method is thus primarily aimed at configurations where there for some reason is desirable to perform IP-based filtering with a PAM module instead of, or in addition to, the Barefoot rules (e.g., because such a setup is already in use with other daemons).

Environment setup

The PAM system on the server needs to be configured independently of Barefoot for this authentication method to work. This might involve adding a configuration file for the Barefoot server to the PAM setup. The contents of the file depends on the operating system.

The default PAM service name is barefootd, but this can be overridden in individual rules in the server configuration file by setting pam.servicename to a different value. The default value can only be changed at compile time, so it is necessary to specify this setting in each rule that should use a different servicename than the default.

The PAM authentication method can only be used with PAM configurations that only require the IP-address of the client. One such PAM method is pam_rhosts, which can be found on some platforms that support PAM. One limitation compared to e.g., rsh is that the user name of the client will not be known (this applies to both the PAM USER and PAM RUSER values). The Barefoot server sets these values to rhostusr by default. To use the pam_rhosts module it might be necessary to add this user to the machine the Barefoot server is running on in order for the pam_rhosts module to work.

Server privileges

#server identities (not needed on Solaris)
user.privileged    : root
user.notprivileged : socks

The server might have to be started with root privileges to use PAM, even though password verification is not needed. If this is the case, the user.privileged and user.notprivileged keywords should be set as above to ensure that the server will run as an unprivileged user when it does not need root privileges.

Example method usage

clientmethod: pam

client pass {
        from: to: eth0 port = http
        bounce to: port = http
        protocol: tcp
        log: error # connect disconnect iooperation
        method: pam
	#use separate servicename for host based pam authentication
        pam.servicename: pam_host

The example above sets the pam.servicename to pam_host, which is assumed to be configured in a way which makes it possible to authenticate based on the client IP-address. The authentication method is first added as an authentication method to the global clientmethod keyword, and then added to the client pass rule. Only TCP connections or UDP packets where the PAM authentication is successful will match the rule and be passed.

Note that the source address for UDP packets can easily be forged.

Copyright © 1998-2018 Inferno Nettverk A/S