<HTML>
<HEAD>
<TITLE>What is needed</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="Authentication Gateway HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Introduction" HREF="intro.html">
<LINK REL="NEXT" TITLE="Setting up the Gateway Services" HREF="setup.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TH COLSPAN="3" ALIGN="center">Authentication Gateway HOWTO</TH>
</TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="intro.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="setup.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="SERVICES"></A>2. What is needed</H1>
<P>This section describes what is needed for the authentication gateway.</P>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="NETFILTER"></A>2.1. Netfilter</H2>
<P>The authentication gateway uses Netfilter and iptables to manage the firewall. Please see the <A HREF="http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html" TARGET="_top">Netfilter HOWTO</A>.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="DYNAMICNETFILTERRULES"></A>2.2. Software for dynamic Netfilter rules</H2>
<P>One means to insert and remove Netfilter rules is to use pam_iptables. This is a pluggable authentication module (PAM) written by Nathan Zorn that can be found at <A HREF="http://www.itlab.musc.edu/~nathan/pam_iptables/" TARGET="_top">http://www.itlab.musc.edu/~nathan/pam_iptables</A>. This PAM module allows users to authenticate to the gateway with ssh or telnet.</P>
<P>Another means to dynamically create and remove Netfilter rules is to use NocatAuth, which can be found at <A HREF="http://nocat.net" TARGET="_top">http://nocat.net</A>. NocatAuth provides a web client for authenticating to the gateway.</P>
</DIV>
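<P>The rule lifecycle that sections 2.1 and 2.2 describe, as an added example in POSIX sh; this is not code from the HOWTO, from pam_iptables or from NocatAuth. It assumes that eth1 is the interface facing the public network, that a chain named AUTH_CLIENTS holds the per-user grants, and that the kernel provides the iptables "mac" and "comment" match modules. It goes a little beyond the text: the grant is keyed on the client's MAC address as well as its IP, the rules for the gateway's own DHCP and DNS (sections 2.3 and 2.5) are included in the baseline, and an audit listing is provided. With IPT_DRY_RUN=1 set, the script prints the iptables commands it would run, so it can be inspected without root.</P>

```shell
#!/bin/sh
# Added example, not code from the HOWTO, pam_iptables or NocatAuth: the
# dynamic-rule lifecycle of an authentication gateway in POSIX sh.
# Assumptions: eth1 is the public-network interface, AUTH_CLIENTS is a chain
# of our own naming, and the kernel has the iptables "mac" and "comment"
# match modules. Set IPT_DRY_RUN=1 to print the commands instead of running them.

PUBLIC_IF="${PUBLIC_IF:-eth1}"      # assumed public-facing interface
CHAIN="${CHAIN:-AUTH_CLIENTS}"      # assumed chain holding per-user grants

# Run iptables, or print the command line when IPT_DRY_RUN is set.
ipt() {
    if [ -n "${IPT_DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Baseline (section 2.1): nothing is forwarded from the public network until a
# per-client grant exists. Unauthenticated clients may still reach the
# gateway's own DHCP and DNS (sections 2.3 and 2.5) and the ssh login through
# which pam_iptables authenticates them, on the public interface only.
gateway_baseline() {
    ipt -P FORWARD DROP
    ipt -N "$CHAIN" 2>/dev/null || ipt -F "$CHAIN"
    ipt -I FORWARD 1 -i "$PUBLIC_IF" -j "$CHAIN"
    ipt -A INPUT -i "$PUBLIC_IF" -p udp --dport 67 -j ACCEPT   # DHCP
    ipt -A INPUT -i "$PUBLIC_IF" -p udp --dport 53 -j ACCEPT   # DNS
    ipt -A INPUT -i "$PUBLIC_IF" -p tcp --dport 53 -j ACCEPT   # DNS (large answers)
    ipt -A INPUT -i "$PUBLIC_IF" -p tcp --dport 22 -j ACCEPT   # ssh for the PAM login
}

# Grant (section 2.2): what a PAM session hook runs after a successful login.
# The rule matches both the client's IP and MAC so that another host on the
# public network cannot inherit the grant by taking over the IP alone; the
# comment records the user so list_grants shows who each rule belongs to.
grant_client() {
    client_ip="$1"; client_mac="$2"; user="$3"
    ipt -A "$CHAIN" -s "$client_ip" -m mac --mac-source "$client_mac" \
        -m comment --comment "user=$user" -j ACCEPT
}

# Revoke: run when the session closes; deletes exactly the rule grant_client added,
# so no grant outlives the login that created it.
revoke_client() {
    client_ip="$1"; client_mac="$2"; user="$3"
    ipt -D "$CHAIN" -s "$client_ip" -m mac --mac-source "$client_mac" \
        -m comment --comment "user=$user" -j ACCEPT
}

# Audit: list the currently authenticated clients with their packet counters.
list_grants() {
    ipt -nvL "$CHAIN"
}

# Command-line entry point; with no arguments the script only defines functions.
case "${1:-}" in
    baseline) gateway_baseline ;;
    grant)    grant_client "$2" "$3" "$4" ;;
    revoke)   revoke_client "$2" "$3" "$4" ;;
    list)     list_grants ;;
    *) ;;
esac
```

<P>Run <TT>sh gateway.sh baseline</TT> once when the gateway boots; a PAM session hook (the role pam_iptables plays) would then call <TT>grant</TT> on login and <TT>revoke</TT> on logout with the client's address, MAC and user name, and <TT>list</TT> shows who currently holds a grant. Because revoke deletes by the exact rule specification, the same three values must be passed on both calls; a gateway that only matched on IP would keep forwarding for whichever host later held that address.</P>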
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="DHCPD"></A>2.3. DHCP Server</H2>
<P>The authentication gateway acts as the Dynamic Host Configuration Protocol (DHCP) server for the public network. It only serves clients requesting DHCP on the public network. I used the <A HREF="http://www.isc.org/products/DHCP/" TARGET="_top">ISC DHCP Server</A>.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AUTHENTICATION"></A>2.4. Authentication mechanism</H2>
<P>The gateway can use any means of PAM authentication. The authentication mechanism the Medical University of South Carolina uses is LDAP, so the PAM modules on the gateway box were set up to use LDAP. More information can be found at <A HREF="http://www.padl.com/pam_ldap.html" TARGET="_top">http://www.padl.com/pam_ldap.html</A>. PAM allows you to use many means of authentication; please see the documentation for the PAM module you would like to use. For more information on other methods, see <A HREF="http://www.kernel.org/pub/linux/libs/pam/modules.html" TARGET="_top">PAM modules</A>.</P>
<P>If NocatAuth is used, an authentication service needs to be set up. The NocatAuth authentication service supports authentication with LDAP, RADIUS, MySQL, and a password file. More information can be found at <A HREF="http://nocat.net/download/NoCatAuth/" TARGET="_top">http://nocat.net/download/NoCatAuth/</A>.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="DNSSERVER"></A>2.5. DNS Server</H2>
<P>The gateway box also serves as a DNS server for the public network. I installed <A HREF="http://www.isc.org/products/BIND/" TARGET="_top">BIND</A> and set it up as a caching nameserver. The caching-nameserver RPM package, which came with Red Hat, was also used.</P>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="intro.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="setup.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Introduction</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top">&nbsp;</TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Setting up the Gateway Services</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>