BSD Authentication
This page describes how to use BSD authentication on OpenBSD.
Overview
BSD authentication is similar to PAM in that there are different
authentication styles, comparable to the modules in
PAM. BSD authentication can be found on OpenBSD and BSD/OS (not
tested).
Dante supports use of BSD authentication to authenticate usernames
and passwords supplied by a client using the SOCKS username
authentication. Rather than using getpwnam()/crypt() in the
server to authenticate the received information, the Dante server
uses the BSD auth_userokay() function to verify the
username/password combination.
Challenge-response authentication styles are not supported.
Note that the password is transmitted in cleartext with this
authentication method. It should not be used over an insecure
network.
Environment setup
The BSD authentication style to be used might need to be
configured. This document does not cover this type of configuration.
The style to use can be set with the keyword
bsdauth.stylename. Currently this value needs to be
set in each rule. If not set, the system default will be used.
Server privileges
user.privileged : root
user.notprivileged : socks
The server might have to be started with root privileges when
using the bsdauth socks authentication method. If this is
the case, the user.privileged
and user.notprivileged keywords should be set to ensure
that the server will run as an unprivileged user when it does not
need root privileges.
Example clientmethod usage
The BSD authentication mechanism requires a username and cannot be
used as a clientmethod.
Example socksmethod usage -- client
route {
from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.0.0.1 port = 1080
proxyprotocol: socks_v5
method: username
}
The username method is specified at the client, using
the method keyword.
Example socksmethod usage -- server
#authentication methods
socksmethod: bsdauth
#incoming traffic, no authentication
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: error # connect disconnect iooperation
command: udpreply bindreply
}
#bind/outgoing traffic, with authentication
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bind connect udpassociate
log: error # connect disconnect iooperation
socksmethod: bsdauth
# bsdauth.stylename: passwd
}
The bsdauth socks method cannot be used for incoming traffic
(bindreply, udpreply); in this example the
first pass rule allows these commands to pass without
authentication.
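An added example, not code from Dante or from this page, that applies the constraints described above to a sockd.conf fragment: it parses the rule blocks and flags a rule that pairs bsdauth with bindreply or udpreply, a rule that leaves bsdauth.stylename unset (so the system default style applies), and a configuration where user.privileged is not root. The sample config, the small parser and the finding messages are all constructed here; it assumes only rules that name bsdauth explicitly are of interest and does not model inheritance of the global socksmethod line.

```python
# Constructed sockd.conf fragment (not from the page); rule 2 deliberately pairs bsdauth with bindreply.
SAMPLE_CONF = """\
user.privileged : root
socksmethod: bsdauth
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: udpreply bindreply
}
socks pass {
    command: bindreply connect
    socksmethod: bsdauth
}
"""
INCOMING = {"bindreply", "udpreply"}  # commands bsdauth cannot authenticate

def parse_conf(text):
    # Returns (global settings, [rule dicts]); 'key: v1 v2' -> key: [v1, v2]. Subset of Dante syntax only.
    globals_, rules, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].replace(" :", ":").strip()  # drop comments
        if line.startswith("socks ") and line.endswith("{"):
            cur = {}                       # start of a 'socks pass/block' rule
        elif line == "}":
            rules.append(cur); cur = None  # end of the rule
        else:
            target, key = (globals_ if cur is None else cur), None
            for tok in line.split():
                if tok.endswith(":"):      # new key, e.g. 'from:' then 'to:'
                    key = tok[:-1]; target[key] = []
                elif key:
                    target[key].append(tok)
    return globals_, rules

def check_bsdauth(text):
    # Apply the page's constraints to each rule naming bsdauth explicitly (global inheritance not modelled: assumption).
    g, rules = parse_conf(text)
    out, used = [], False
    for n, r in enumerate(rules, 1):
        if "bsdauth" not in r.get("socksmethod", []):
            continue
        used = True
        bad = INCOMING & set(r.get("command", []))
        if bad:
            out.append(f"rule {n}: bsdauth cannot authenticate {sorted(bad)}")
        if "bsdauth.stylename" not in r:
            out.append(f"rule {n}: no bsdauth.stylename, system default style applies")
    if used and g.get("user.privileged") != ["root"]:
        out.append("user.privileged is not root; bsdauth may need root privileges")
    return out
```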