BSD Authentication
This page describes how to use BSD authentication on OpenBSD.
Overview
BSD authentication is similar to PAM in that there are different
authentication styles, comparable to the modules in PAM. BSD
authentication can be found on OpenBSD and BSD/OS (not tested).
Dante supports use of BSD authentication to authenticate usernames
and passwords supplied by a client using the SOCKS username
authentication. Rather than using getpwnam()/crypt() in the
server to authenticate the received information, the Dante server
uses the BSD auth_userokay() function to verify the
username/password combination.
Challenge-response authentication styles are not supported.
Note that the password is transmitted in cleartext with this
authentication method. It should not be used over an insecure
network.
Environment setup
The BSD authentication style to be used might need to be
configured. This document does not cover this type of configuration.
The style to use can be set with the keyword
bsdauth.stylename. Currently this value needs to be
set in each rule. If not set, the system default will be used.
Server privileges
user.privileged    : root
user.notprivileged : socks
The server might have to be started with root privileges when
using the bsdauth socks authentication method. If this is
the case, the user.privileged
and user.notprivileged keywords should be set to ensure
that the server will run as an unprivileged user when it does not
need root privileges.
Example clientmethod usage
The BSD authentication mechanism requires a username and cannot be
used as a clientmethod.
Example socksmethod usage -- client
route {
        from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.0.0.1 port = 1080
        proxyprotocol: socks_v5
        method: username
}
The username method is specified at the client, using
the method keyword.
Example socksmethod usage -- server
#authentication methods
socksmethod: bsdauth

#incoming traffic, no authentication
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error # connect disconnect iooperation
        command: udpreply bindreply
}
#bind/outgoing traffic, with authentication
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
        socksmethod: bsdauth
#       bsdauth.stylename: passwd
}
The bsdauth socks method cannot be used for incoming traffic
(bindreply, udpreply); in this example the
first pass rule allows these commands to pass without
authentication.