739 lines
46 KiB
Plaintext
739 lines
46 KiB
Plaintext
|
Authentication Gateway HOWTO
|
|||
|
|
|||
|
Nathan Zorn
|
|||
|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><zornnh@musc.edu>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
Revision History
|
|||
|
Revision 0.05 2002-11-05
|
|||
|
Revision 0.05 2002-05-10 Revised by: nhz
|
|||
|
Revision 0.04 2002-02-28 Revised by: nhz
|
|||
|
Revision 0.03 2001-09-28 Revised by: nhz
|
|||
|
Revision 0.02 2001-09-28 Revised by: KET
|
|||
|
Revision 0.01 2001-09-06 Revised by: nhz
|
|||
|
|
|||
|
|
|||
|
There are many concerns with the security of wireless networks and public
|
|||
|
access areas such as libraries or dormitories. These concerns are not met
|
|||
|
with current security implementations. A work around has been proposed by
|
|||
|
using an authentication gateway. This gateway addresses the security concerns
|
|||
|
by forcing the user to authenticate in order to use the network.
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
Table of Contents
|
|||
|
1. Introduction
|
|||
|
1.1. Copyright Information
|
|||
|
1.2. Disclaimer
|
|||
|
1.3. New Versions
|
|||
|
1.4. Credits
|
|||
|
1.5. Feedback
|
|||
|
|
|||
|
|
|||
|
2. What is needed
|
|||
|
2.1. Netfilter
|
|||
|
2.2. Software for dynamic Netfilter rules.
|
|||
|
2.3. DHCP Server
|
|||
|
2.4. Authentication mechanism
|
|||
|
2.5. DNS Server
|
|||
|
|
|||
|
|
|||
|
3. Setting up the Gateway Services
|
|||
|
3.1. Netfilter Setup
|
|||
|
3.2. Dynamic Netfilter rules.
|
|||
|
3.3. DHCP Server Setup
|
|||
|
3.4. Authentication Method Setup
|
|||
|
3.5. DNS Setup
|
|||
|
|
|||
|
|
|||
|
4. Using the authentication gateway
|
|||
|
5. Concluding Remarks
|
|||
|
6. Additional Resources
|
|||
|
7. Questions and Answers
|
|||
|
|
|||
|
1. Introduction
|
|||
|
|
|||
|
With wireless networks and public acces areas it is very easy for an
|
|||
|
unauthorized user to gain access. Unauthorized users can look for a signal
|
|||
|
and grab connection information from the signal. Unauthorized users can plug
|
|||
|
their machine into a public terminal and gain access to the network. Security
|
|||
|
has been put in place such as WEP, but this security can be subverted with
|
|||
|
tools like AirSnort. One approach to solving these problems is to not rely on
|
|||
|
the wireless security features , and instead to place an authentication
|
|||
|
gateway in front of the wireless network or public access area and force
|
|||
|
users to authenticate against it before using the network. This HOWTO
|
|||
|
describes how to set up this gateway with Linux.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.1. Copyright Information
|
|||
|
|
|||
|
This document is copyrighted (c) 2001 Nathan Zorn. Permission is granted to
|
|||
|
copy, distribute and/or modify this document under the terms of the GNU Free
|
|||
|
Documentation License, Version 1.1 or any later version published by the Free
|
|||
|
Software Foundation; with no Invariant Sections, with no Front-Cover Texts,
|
|||
|
and with no Back-Cover Texts. A copy of the license is available at http://
|
|||
|
www.gnu.org/copyleft/fdl.html
|
|||
|
|
|||
|
If you have any questions, please contact <zornnh@musc.edu>
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.2. Disclaimer
|
|||
|
|
|||
|
No liability for the contents of this documents can be accepted. Use the
|
|||
|
concepts, examples and other content at your own risk. As this is a new
|
|||
|
edition of this document, there may be errors and inaccuracies, that may of
|
|||
|
course be damaging to your system. Proceed with caution, and although this is
|
|||
|
highly unlikely, the author(s) do not take any responsibility for that.
|
|||
|
|
|||
|
All copyrights are held by their by their respective owners, unless
|
|||
|
specifically noted otherwise. Use of a term in this document should not be
|
|||
|
regarded as affecting the validity of any trademark or service mark.
|
|||
|
|
|||
|
Naming of particular products or brands should not be seen as endorsements.
|
|||
|
|
|||
|
You are strongly recommended to take a backup of your system before major
|
|||
|
installation and backups at regular intervals.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.3. New Versions
|
|||
|
|
|||
|
The newest release of this document can be found at http://www.itlab.musc.edu
|
|||
|
/~nathan/authentication_gateway/ . Related HOWTOs can be found at the Linux
|
|||
|
Documentation Project homepage.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.4. Credits
|
|||
|
|
|||
|
Jamin W. Collins
|
|||
|
|
|||
|
Kristin E Thomas
|
|||
|
|
|||
|
Logu (visolve.com)
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
1.5. Feedback
|
|||
|
|
|||
|
Feedback is most certainly welcome for this document. Without your
|
|||
|
submissions and input, this document wouldn't exist. Please send your
|
|||
|
additions, comments and criticisms to the following email address : <
|
|||
|
zornnh@musc.edu>.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2. What is needed
|
|||
|
|
|||
|
This section describes what is needed for the authentication gateway.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.1. Netfilter
|
|||
|
|
|||
|
The authentication gateway uses Netfilter and iptables to manage the
|
|||
|
firewall. Please see the Netfilter HOWTO .
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.2. Software for dynamic Netfilter rules.
|
|||
|
|
|||
|
One means to insert and remove Netfilter rules is to use pam_iptables. This
|
|||
|
is a pluggable authentication module (PAM) written by Nathan Zorn that can be
|
|||
|
found at http://www.itlab.musc.edu/~nathan/pam_iptables . This PAM module
|
|||
|
allows users to use ssh and telnet to authenticate to the gateway.
|
|||
|
|
|||
|
Another means to dynamically remove and create Netfilter rules is to use
|
|||
|
NocatAuth. NocatAuth can be found at http://nocat.net . NocatAuth provides a
|
|||
|
web client for authenticating to the gateway.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.3. DHCP Server
|
|||
|
|
|||
|
The authentication gateway will act as the dynamic host configuration
|
|||
|
protocol (DHCP) server for the public network. It only serves those
|
|||
|
requesting DHCP services on the public network. I used the ISC DHCP Server .
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.4. Authentication mechanism
|
|||
|
|
|||
|
The gateway can use any means of PAM authentication. The authentication
|
|||
|
mechanism the Medical University of South Carolina uses is LDAP. Since LDAP
|
|||
|
was used for authentication, the pam modules on the gateway box were set up
|
|||
|
to use LDAP. More information can be found at http://www.padl.com/
|
|||
|
pam_ldap.html . PAM allows you to use many means of authentication. Please
|
|||
|
see the documentation for the PAM module you would like to use. For more
|
|||
|
information on other methods, see pam modules .
|
|||
|
|
|||
|
If NocatAuth is used, an authentication service needs to be setup. The
|
|||
|
NocatAuth authentication service supports authentication with
|
|||
|
LDAP,RADIUS,MySQL,and a password file. More information can be found at http:
|
|||
|
//nocat.net/download/NoCatAuth/ .
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
2.5. DNS Server
|
|||
|
|
|||
|
The gateway box also serves as a DNS server for the public network. I
|
|||
|
installed [http://www.isc.org/products/BIND/] Bind, and set it up as a
|
|||
|
caching nameserver. The rpm package caching-namserver was also used. This
|
|||
|
package came with Red Hat.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3. Setting up the Gateway Services
|
|||
|
|
|||
|
This section describes how to setup each piece of the authentication gateway.
|
|||
|
The examples used are for a public network in the 10.0.1.0 subnet. eth0 is
|
|||
|
the interface on the box that is connected to the internal network. eth1 is
|
|||
|
the interface connected to the public network. The IP address used for this
|
|||
|
interface is 10.0.1.1. These settings can be changed to fit the network you
|
|||
|
are using. Red Hat 7.1 was used for the gateway box, so a lot of the examples
|
|||
|
are specific to Red Hat.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.1. Netfilter Setup
|
|||
|
|
|||
|
To setup netfilter the kernel must be recompiled to include netfilter
|
|||
|
support. Please see the [http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html]
|
|||
|
Kernel-HOWTO for more information on configuring and compiling your kernel.
|
|||
|
|
|||
|
This is what my kernel configuration looked like.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| # |
|
|||
|
| # Networking options |
|
|||
|
| # |
|
|||
|
| CONFIG_PACKET=y |
|
|||
|
| # CONFIG_PACKET_MMAP is not set |
|
|||
|
| # CONFIG_NETLINK is not set |
|
|||
|
| CONFIG_NETFILTER=y |
|
|||
|
| CONFIG_NETFILTER_DEBUG=y |
|
|||
|
| CONFIG_FILTER=y |
|
|||
|
| CONFIG_UNIX=y |
|
|||
|
| CONFIG_INET=y |
|
|||
|
| CONFIG_IP_MULTICAST=y |
|
|||
|
| # CONFIG_IP_ADVANCED_ROUTER is not set |
|
|||
|
| # CONFIG_IP_PNP is not set |
|
|||
|
| # CONFIG_NET_IPIP is not set |
|
|||
|
| # CONFIG_NET_IPGRE is not set |
|
|||
|
| # CONFIG_IP_MROUTE is not set |
|
|||
|
| # CONFIG_INET_ECN is not set |
|
|||
|
| # CONFIG_SYN_COOKIES is not set |
|
|||
|
| |
|
|||
|
| |
|
|||
|
| # IP: Netfilter Configuration |
|
|||
|
| # |
|
|||
|
| CONFIG_IP_NF_CONNTRACK=y |
|
|||
|
| CONFIG_IP_NF_FTP=y |
|
|||
|
| CONFIG_IP_NF_IPTABLES=y |
|
|||
|
| CONFIG_IP_NF_MATCH_LIMIT=y |
|
|||
|
| CONFIG_IP_NF_MATCH_MAC=y |
|
|||
|
| CONFIG_IP_NF_MATCH_MARK=y |
|
|||
|
| CONFIG_IP_NF_MATCH_MULTIPORT=y |
|
|||
|
| CONFIG_IP_NF_MATCH_TOS=y |
|
|||
|
| CONFIG_IP_NF_MATCH_TCPMSS=y |
|
|||
|
| CONFIG_IP_NF_MATCH_STATE=y |
|
|||
|
| CONFIG_IP_NF_MATCH_UNCLEAN=y |
|
|||
|
| CONFIG_IP_NF_MATCH_OWNER=y |
|
|||
|
| CONFIG_IP_NF_FILTER=y |
|
|||
|
| CONFIG_IP_NF_TARGET_REJECT=y |
|
|||
|
| CONFIG_IP_NF_TARGET_MIRROR=y |
|
|||
|
| CONFIG_IP_NF_NAT=y |
|
|||
|
| CONFIG_IP_NF_NAT_NEEDED=y |
|
|||
|
| CONFIG_IP_NF_TARGET_MASQUERADE=y |
|
|||
|
| CONFIG_IP_NF_TARGET_REDIRECT=y |
|
|||
|
| CONFIG_IP_NF_NAT_FTP=y |
|
|||
|
| CONFIG_IP_NF_MANGLE=y |
|
|||
|
| CONFIG_IP_NF_TARGET_TOS=y |
|
|||
|
| CONFIG_IP_NF_TARGET_MARK=y |
|
|||
|
| CONFIG_IP_NF_TARGET_LOG=y |
|
|||
|
| CONFIG_IP_NF_TARGET_TCPMSS=y |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Once netfilter has been configured, turn on IP forwarding by executing this
|
|||
|
command.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| echo 1 > /proc/sys/net/ipv4/ip_forward |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
To make sure ip forwarding is enabled when the machine restarts add the
|
|||
|
following line to /etc/sysctl.conf.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| net.ipv4.ip_forward = 1 |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
If NocatAuth is being used, you can skip to the NoCatAuth gateway setup
|
|||
|
section.
|
|||
|
|
|||
|
iptables needs to be installed. To install iptables either use a package from
|
|||
|
your distribution or install from source. Once the above options were
|
|||
|
compiled in the new kernel and iptables was installed, I set the following
|
|||
|
default firewall rules.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
|
|||
|
| iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP |
|
|||
|
| iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP |
|
|||
|
| iptables -I FORWARD -o eth0 -j DROP |
|
|||
|
| iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
The above commands can also be put in an initscript to start up when the
|
|||
|
server restarts. To make sure the rules have been added issue the following
|
|||
|
commands:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| iptables -v -t nat -L |
|
|||
|
| iptables -v -t filter -L |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
To save these rules I used Red Hat's init scripts.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| /etc/init.d/iptables save |
|
|||
|
| /etc/init.d/iptables restart |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Now the gateway box will be able to do network address translation (NAT), but
|
|||
|
it will drop all forwarding packets except those coming from within the
|
|||
|
public network and bound for the gateway.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.2. Dynamic Netfilter rules.
|
|||
|
|
|||
|
This section describes how to setup the software needed to dynamically insert
|
|||
|
and remove Netfilter rules on the gateway.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.2.1. PAM iptables Module
|
|||
|
|
|||
|
The PAM session module that inserts the firewall rules is needed to allow
|
|||
|
forwarding for the authenticated client. To set it up simply get the [ftp://
|
|||
|
ftp.itlab.musc.edu/pub/pam_iptables.tar.gz] source and compile it by running
|
|||
|
the following commands.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| gcc -fPIC -c pam_iptables.c |
|
|||
|
| ld -x --shared -o pam_iptables.so pam_iptables.o |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
You should now have two binaries called pam_iptables.so and pam_iptables.o.
|
|||
|
Copy pam_iptables.so to /lib/security/pam_iptables.so.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| cp pam_iptables.so /lib/security/pam_iptables.so |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Now install the firewall script to /usr/local/auth-gw.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| mkdir /usr/local/auth-gw |
|
|||
|
| cp insFwall /usr/local/auth-gw |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
The chosen authentication client for the gateway was ssh so we added the
|
|||
|
following line to /etc/pam.d/sshd.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| session required /lib/security/pam_iptables.so |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Now, when a user logs in with ssh, the firewall rule will be added.
|
|||
|
|
|||
|
To test if the pam_iptables module is working perform the following steps:
|
|||
|
|
|||
|
1. Log into the box with ssh.
|
|||
|
|
|||
|
2. Check to see if the rule was added with the command iptables -L -v.
|
|||
|
|
|||
|
3. Log out of the box to make sure the rule is removed.
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
3.2.2. NoCatAuth gateway
|
|||
|
|
|||
|
This section describes the process of setting up the NocatAuth gateway. To
|
|||
|
setup NocatAuth get the [http://nocat.net/download/NoCatAuth/] source and
|
|||
|
install with the following steps.
|
|||
|
|
|||
|
Make sure gpgv is installed. gpgv is a PGP signature verifier. It is part of
|
|||
|
gnupg and can be found at [http://www.gnupg.org/download.html] http://
|
|||
|
www.gnupg.org/download.html.
|
|||
|
|
|||
|
Unpack the NocatAuth tar file.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| tar xvzf NocatAuth-x.xx.tar.gz |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
If you do not want NoCatAuth to be in the directory /usr/local/nocat, edit
|
|||
|
the Makefile and change INST_PATH to the directory you would like NoCatAuth
|
|||
|
to reside.
|
|||
|
|
|||
|
Next build the gateway.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| cd NoCatAuth-x.xx |
|
|||
|
| make gateway |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Edit the /usr/local/nocat.conf file. Please see the INSTALL documentation for
|
|||
|
details on what is required in the conf file. An example conf file looks like
|
|||
|
the following:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| |
|
|||
|
| ###### gateway.conf -- NoCatAuth Gateway Configuration. |
|
|||
|
| # |
|
|||
|
| # Format of this file is: Directive Value, one per |
|
|||
|
| # line. Trailing and leading whitespace is ignored. Any |
|
|||
|
| # line beginning with a punctuation character is assumed to |
|
|||
|
| # be a comment. |
|
|||
|
| |
|
|||
|
| Verbosity 10 |
|
|||
|
| #we are behind a NAT so put the gateway in passive mode |
|
|||
|
| GatewayMode Passive |
|
|||
|
| GatewayLog /usr/local/nocat/nocat.log |
|
|||
|
| LoginTimeout 300 |
|
|||
|
| |
|
|||
|
| ######Open Portal settings. |
|
|||
|
| HomePage http://www.itlab.musc.edu/ |
|
|||
|
| DocumentRoot /usr/local/nocat/htdocs |
|
|||
|
| SplashForm splash.html |
|
|||
|
| ###### Active/Passive Portal settings. |
|
|||
|
| TrustedGroups Any |
|
|||
|
| AuthServiceAddr egon.itlab.musc.edu |
|
|||
|
| AuthServiceURL https://$AuthServiceAddr/cgi-bin/login |
|
|||
|
| LogoutURL https://$AuthServiceAddr/forms/logout.html |
|
|||
|
| ###### Other Common Gateway Options. |
|
|||
|
| AllowedWebHosts egon.itlab.musc.edu |
|
|||
|
| ResetCmd initialize.fw |
|
|||
|
| PermitCmd access.fw permit $MAC $IP $Class |
|
|||
|
| DenyCmd access.fw deny $MAC $IP $Class |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Now you should be able to start the gateway. If any problems occur, please
|
|||
|
see the INSTALL documentation in the unpacked NoCatAuth directory. The
|
|||
|
following command will start the gateway:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| /usr/local/nocat/bin/gateway |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.3. DHCP Server Setup
|
|||
|
|
|||
|
I installed DHCP using the following dhcpd.conf file.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| subnet 10.0.1.0 netmask 255.255.255.0 { |
|
|||
|
| # --- default gateway |
|
|||
|
| option routers 10.0.1.1; |
|
|||
|
| option subnet-mask 255.255.255.0; |
|
|||
|
| option broadcast-address 10.0.1.255; |
|
|||
|
| |
|
|||
|
| option domain-name-servers 10.0.1.1; |
|
|||
|
| range 10.0.1.3 10.0.1.254; |
|
|||
|
| option time-offset -5; # Eastern Standard Time |
|
|||
|
| |
|
|||
|
| default-lease-time 21600; |
|
|||
|
| max-lease-time 43200; |
|
|||
|
| |
|
|||
|
| } |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
The server was then run using eth1 , the interface to the public net.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| /usr/sbin/dhcpd eth1 |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.4. Authentication Method Setup
|
|||
|
|
|||
|
Authentication with PAM and a NoCatAuth authentication service is described.
|
|||
|
Both examples are done with LDAP. Other means of authentication besides LDAP
|
|||
|
can be used. Please read the documentation for PAM and NoCatAuth to find the
|
|||
|
steps to use another authentication source.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.4.1. PAM LDAP
|
|||
|
|
|||
|
As indicated in previous sections, I've set this gateway up to use LDAP for
|
|||
|
authenticating. However, you can use any means that PAM allows for
|
|||
|
authentication. See Section 2.4 for more information.
|
|||
|
|
|||
|
In order to get PAM LDAP to authenticate, I installed [http://
|
|||
|
www.openldap.org] OpenLDAP and configured it with the following in /etc/
|
|||
|
ldap.conf.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| # Your LDAP server. Must be resolvable without using LDAP. |
|
|||
|
| host itc.musc.edu |
|
|||
|
| |
|
|||
|
| # The distinguished name of the search base. |
|
|||
|
| base dc=musc,dc=edu |
|
|||
|
| ssl no |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
The following files were used to configure PAM to do the LDAP authentication.
|
|||
|
These files were generated by Red Hat's configuration utility.
|
|||
|
|
|||
|
/etc/pam.d/system-auth was created and looked like this.
|
|||
|
+------------------------------------------------------------------------------------------------------------------+
|
|||
|
| #%PAM-1.0 |
|
|||
|
| # This file is auto-generated. |
|
|||
|
| # User changes will be destroyed the next time authconfig is run. |
|
|||
|
| auth required /lib/security/pam_env.so |
|
|||
|
| auth sufficient /lib/security/pam_unix.so likeauth nullok |
|
|||
|
| auth sufficient /lib/security/pam_ldap.so use_first_pass |
|
|||
|
| auth required /lib/security/pam_deny.so |
|
|||
|
| |
|
|||
|
| account required /lib/security/pam_unix.so |
|
|||
|
| account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so |
|
|||
|
| |
|
|||
|
| password required /lib/security/pam_cracklib.so retry=3 |
|
|||
|
| password sufficient /lib/security/pam_unix.so nullok use_authtok |
|
|||
|
| password sufficient /lib/security/pam_ldap.so use_authtok |
|
|||
|
| password required /lib/security/pam_deny.so |
|
|||
|
| |
|
|||
|
| session required /lib/security/pam_limits.so |
|
|||
|
| session required /lib/security/pam_unix.so |
|
|||
|
| session optional /lib/security/pam_ldap.so |
|
|||
|
| |
|
|||
|
+------------------------------------------------------------------------------------------------------------------+
|
|||
|
|
|||
|
Then the following /etc/pam.d/sshd file was created.
|
|||
|
+------------------------------------------------------------------------------+
|
|||
|
| #%PAM-1.0 |
|
|||
|
| auth required /lib/security/pam_stack.so service=system-auth |
|
|||
|
| auth required /lib/security/pam_nologin.so |
|
|||
|
| account required /lib/security/pam_stack.so service=system-auth |
|
|||
|
| password required /lib/security/pam_stack.so service=system-auth |
|
|||
|
| session required /lib/security/pam_stack.so service=system-auth |
|
|||
|
| #this line is added for firewall rule insertion upon login |
|
|||
|
| session required /lib/security/pam_iptables.so debug |
|
|||
|
| session optional /lib/security/pam_console.so |
|
|||
|
| |
|
|||
|
+------------------------------------------------------------------------------+
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
3.4.2. NoCatAuth Service
|
|||
|
|
|||
|
It is recommended to install the NoCatAuth Service on another server besides
|
|||
|
the gateway. A seperate server was used in my examples. In order to setup a
|
|||
|
NoCatAuth Service, you will need the following software:
|
|||
|
|
|||
|
1. An SSL enabled webserver, preferably with a registered SSL cert. I used
|
|||
|
Apache + mod_ssl.
|
|||
|
|
|||
|
2. Perl 5 (5.6 or better recommended)
|
|||
|
|
|||
|
3. Net::LDAP, Digest::MD5, DBI, and DBD::MySQL perl modules (get them from
|
|||
|
CPAN) The module you need depends on what authentication source you are
|
|||
|
going to use. In my example Net::LDAP is used as the authentication
|
|||
|
means.
|
|||
|
|
|||
|
4. Gnu Privacy Guard (gnupg 1.0.6 or better), available at http://
|
|||
|
www.gnupg.org/download.html
|
|||
|
|
|||
|
|
|||
|
To install unpack the tar file.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| $ tar zvxf NoCatAuth-x.xx.tar.gz |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
If you would like to change the path that NoCatAuth resides , edit the
|
|||
|
Makefile and change INST_PATH to the desired directory.
|
|||
|
|
|||
|
Next run the command: make authserv This installs everything in /usr/local/
|
|||
|
nocat or what you changed INST_PATH to.
|
|||
|
|
|||
|
Then run make pgpkey The defaults should be fine for most purposes.
|
|||
|
IMPORTANT: do NOT enter a passphrase! Otherwise, you will get strange
|
|||
|
messages when the auth service attempts to encrypt messages, and tries to
|
|||
|
read your passphrase from a non-existent tty
|
|||
|
|
|||
|
Edit /usr/local/nocat/nocat.conf to fit your situation. Here is an example:
|
|||
|
+-------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
|||
|
| ###### authserv.conf -- NoCatAuth Authentication Service Configuration. |
|
|||
|
| # |
|
|||
|
| # Format of this file is: Directive Value, one per |
|
|||
|
| # line. Trailing and leading whitespace is ignored. Any |
|
|||
|
| # line beginning with a punctuation character is assumed to |
|
|||
|
| # be a comment. |
|
|||
|
| |
|
|||
|
| Verbosity 10 |
|
|||
|
| HomePage http://www.itlab.musc.edu/ |
|
|||
|
| DocumentRoot /usr/local/nocat/htdocs |
|
|||
|
| # LDAP source |
|
|||
|
| DataSource LDAP |
|
|||
|
| LDAPHost authldap.musc.edu |
|
|||
|
| LDAPBase dc=musc,dc=edu |
|
|||
|
| |
|
|||
|
| UserTable Member |
|
|||
|
| UserIDField User |
|
|||
|
| UserPasswdField Pass |
|
|||
|
| UserAuthField Status |
|
|||
|
| UserStampField Created |
|
|||
|
| |
|
|||
|
| GroupTable Network |
|
|||
|
| GroupIDField Network |
|
|||
|
| GroupAdminField Admin |
|
|||
|
| MinPasswdLength 8 |
|
|||
|
| |
|
|||
|
| # LocalGateway -- If you run auth service on the same subnet |
|
|||
|
| # (or host) as the gateway you need to specify the hostname |
|
|||
|
| # of the gateway. Otherwise omit it. (Requires Net::Netmask) |
|
|||
|
| # |
|
|||
|
| # LocalGateway 192.168.1.7 |
|
|||
|
| |
|
|||
|
| LoginForm login.html |
|
|||
|
| LoginOKForm login_ok.html |
|
|||
|
| FatalForm fatal.html |
|
|||
|
| ExpiredForm expired.html |
|
|||
|
| RenewForm renew.html |
|
|||
|
| PassiveRenewForm renew_pasv.html |
|
|||
|
| RegisterForm register.html |
|
|||
|
| RegisterOKForm register_ok.html |
|
|||
|
| RegisterFields Name URL Description |
|
|||
|
| |
|
|||
|
| UpdateForm update.html |
|
|||
|
| UpdateFields URL Description |
|
|||
|
| |
|
|||
|
| ###### Auth service user messages. Should be self-explanatory. |
|
|||
|
| # |
|
|||
|
| LoginGreeting Greetings! Welcome to the Medical University of SC's Network. |
|
|||
|
| LoginMissing Please fill in all fields! |
|
|||
|
| LoginBadUser That e-mail address is unknown. Please try again. |
|
|||
|
| LoginBadPass That e-mail and password do not match. Please try again. |
|
|||
|
| LoginBadStatus Sorry, you are not a registered co-op member. |
|
|||
|
| |
|
|||
|
| RegisterGreeting Welcome! Please enter the following information to register.RegisterMissing Name, E-mail, and password fields must be filled in. |
|
|||
|
| RegisterUserExists Sorry, that e-mail address is already taken. Are you already registered? |
|
|||
|
| RegisterBadUser The e-mail address provided appears to be invalid. Did you spell it correctly? |
|
|||
|
| RegisterInvalidPass All passwords must be at least six characters long. |
|
|||
|
| RegisterPassNoMatch The passwords you provided do not match. Please try again. |
|
|||
|
| RegisterSuccess Congratulations, you have successfully registered. |
|
|||
|
| |
|
|||
|
| UpdateGreeting Enter your E-mail and password to update your info. |
|
|||
|
| UpdateBadUser That e-mail address is unknown. Please try again. |
|
|||
|
| UpdateBadPass That e-mail and password do not match. Please try again. |
|
|||
|
| UpdateInvalidPass New passwords must be at least eight characters long. |
|
|||
|
| UpdatePassNoMatch The new passwords you provided do not match. Please try again. |
|
|||
|
| UpdateSuccess Congratulations, you have successfully updated your account. |
|
|||
|
| |
|
|||
|
| |
|
|||
|
+-------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
|||
|
|
|||
|
Make sure /usr/local/nocat/pgp is owned by the web server user. (ie..nobody
|
|||
|
or www-data)
|
|||
|
|
|||
|
Add etc/authserv.conf to your apache httpd.conf file.
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| Include /usr/local/nocat/etc/authserv.conf |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
Copy your /usr/local/nocat/trustedkeys.pgp to the gateway. Restart apache
|
|||
|
and try it out. Please see the NoCatAuth documentation for more information.
|
|||
|
It can be found in docs/ in the unpacked NoCatAuth directory.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
3.5. DNS Setup
|
|||
|
|
|||
|
I installed the default version of Bind that comes with Red Hat 7.1, and
|
|||
|
the caching-nameserver RPM. The DHCP server tells the machines on the public
|
|||
|
net to use the gateway box as their nameserver.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
4. Using the authentication gateway
|
|||
|
|
|||
|
To use the authentication gateway, configure your client machine to use DHCP.
|
|||
|
Install a ssh client on the box and ssh into the gateway. Once you are logged
|
|||
|
in, you will have access to the internal network. The following is an example
|
|||
|
session from a unix based client:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
| bash>ssh zornnh@10.0.1.1 |
|
|||
|
| zornnh's Password: |
|
|||
|
| |
|
|||
|
| gateway> |
|
|||
|
| |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
As long as you stayed logged in, you will have access. Once you log out,
|
|||
|
access will be taken away.
|
|||
|
|
|||
|
To use the authentication gateway with NoCatAuth installed, configure your
|
|||
|
client machine to use DHCP. Install a web browser such as Mozilla. Start up
|
|||
|
the web browser. The browser should be redirected to the authentication
|
|||
|
screen.
|
|||
|
|
|||
|
|
|||
|
Figure 1. Nocat Login
|
|||
|
|
|||
|
[nocat_auth]
|
|||
|
Submit your username and password and a screen will pop up explaining that
|
|||
|
you are authenticated to the network and to keep the window open to remain
|
|||
|
authenticated. Click logout or close the window to end the session.
|
|||
|
|
|||
|
|
|||
|
Figure 2. Authentication Window
|
|||
|
|
|||
|
[nocat_auth_in]
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
5. Concluding Remarks
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>This method of security does not rely on the security provided by the
|
|||
|
wireless network community. It assumes that the entire wireless network
|
|||
|
is insecure and outside of your network.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>The gateway does not encrypt traffic. It only allows you access to the
|
|||
|
network behind it. If encryption and authentication are desired, a VPN
|
|||
|
should be used.
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
6. Additional Resources
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>A [http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html]
|
|||
|
document describing the NASA implementation of the authentication
|
|||
|
gateway.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>A white paper describing how the University of Alberta created an
|
|||
|
authentication gateway.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>[http://nocat.net] Nocat.net has an authentication gateway for wireless
|
|||
|
networks. This software has a web based client.
|
|||
|
|
|||
|
<EFBFBD><EFBFBD>*<2A>[http://www.cs.utexas.edu/users/mcguire/software/horatio/] Horatio:
|
|||
|
Authenticated Network Access is a firewall authentication tool. The
|
|||
|
premise: Legitimate users want to attach laptops and other mobile hosts
|
|||
|
to the network, but security demands that illegitimate users be prevented
|
|||
|
from accessing the internal, secure network and from abusing the general
|
|||
|
Internet.
|
|||
|
|
|||
|
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
7. Questions and Answers
|
|||
|
|
|||
|
This is just a collection of what I believe are the most common questions
|
|||
|
people might have. Give me more feedback and I will turn this section into a
|
|||
|
proper FAQ.
|
|||
|
|
|||
|
1. Why are the iptables rules not flushing out when a client closes the
|
|||
|
telnet window? It works if the client logsout of the telnet session. In
|
|||
|
case of ssh the rules get flushed even if the ssh window is closed.
|
|||
|
|
|||
|
I have not come up with a good answer or solution to this problem. Logu
|
|||
|
has contributed some modifications to pam_iptables and a set of other
|
|||
|
tools to solve this problem. These tools can be found in the contrib
|
|||
|
directory with pam_iptables.
|
|||
|
|
|||
|
2. What does NoCat not work in IE6? It seems to authenticate but doesn't
|
|||
|
write the firewal rule.
|
|||
|
|
|||
|
Make sure your nocat html contains the following: < meta http-equiv=
|
|||
|
"Refresh" content="$redirect" />
|
|||
|
|
|||
|
The html files that should contain this metatag are
|
|||
|
login_ok.html,renew.html, and renew_pasv.html.
|
|||
|
|
|||
|
|