Implementation of Gateway Authentication
Introduction
Gateway authentication is used to authenticate users on a local network before they are allowed to reach an external network. Every such request has to pass through a gateway machine, and that chokepoint is used to restrict which users may reach the outside network, in particular the internet. Here the authentication is done by logging in to the gateway with telnet or ssh, using PAM modules.
Prerequisites
1. The gateway machine should run a Linux kernel.
2. The kernel should have the netfilter (iptables) or ipchains support enabled.
3. The clients should have a telnet or ssh client.
Working Principle
By default, all the local machines are denied the use of the gateway with the help of iptables: everything in the filter table's FORWARD chain is denied. When a user wants to access the internet, s/he has to telnet or ssh to the gateway machine, which is a Linux box, and get authenticated. Once the telnet or ssh session is established, an iptables rule is inserted at the beginning of the filter table's FORWARD chain that allows the particular IP address from which the telnet/ssh client connected to the gateway. When the session ends, the rule that was added at login is removed again. Note that the rule is keyed on the client's IP address, not on the user, so every process on that client host shares the access for as long as the session is open. Adding and removing the iptables rule is handled by a PAM module named pam_iptables.so, written by Nathan Zorn.
Modifications Made
The original pam_iptables module code is meant for ssh clients. This code was modified, and two shell scripts were added, to handle both telnet and ssh clients. The pam_iptables module tracks the opening and closing of ssh sessions. Whenever a user logs in to the machine with ssh, PAM reads the ssh configuration file /etc/pam.d/sshd and loads and executes the modules listed there. The pam_iptables.so module is therefore given as an entry in /etc/pam.d/sshd, as below:
session required /lib/security/pam_iptables.so
Similarly, for telnet the PAM configuration file is /etc/pam.d/login. But this file is also used by console login, which posed a problem: console login was no longer possible. When logged in at the system console, the code got a null value when it queried PAM for the remote host (the PAM_RHOST item); this was treated as an error and the console login failed. To overcome this, the remote host value is set to localhost whenever the query returns null.
pam_iptables.c is also modified to execute a shell script, in which any kind of iptables rules can be added. Compared with the original code, which had the iptables rules inside the C code, this is more flexible: any kind of firewalling rules (ipchains or iptables) can be put in the shell script, and no recompilation is needed whenever rules are added or removed.
Instead of finding the client IP alone, the modified code also gets the username and tty and passes all three values to the shell script as arguments. This makes it possible to restrict services per user (for example, person A can only use ftp, B can only send and receive mail, C can use all services, and so on). Since the closing of a telnet session is not handled properly when the telnet window is simply closed, session-close handling was removed from the module entirely, and the rmFwall script was added to take care of closing telnet and ssh sessions.
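The following POSIX shell script is an added example of what a script called by pam_iptables with the client IP, username and tty can do; it is not the viAuth insFwall, not Nathan Zorn's module, and not the page's own code. It gives a baseline in the spirit of lputfire (dropping everything in FORWARD is an assumption about how that script denies forwarding) and per-user rules that are inserted at the top of FORWARD on session open and deleted on session close. The user-to-service table (alice, bob) and the IPT dry-run variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example of an insFwall-style script (not the viAuth script itself).
# Called as: script add|del <client-ip> <username> <tty>
# IPT defaults to "echo iptables" so the logic can be exercised without root
# or netfilter; set IPT=iptables on the real gateway.
IPT=${IPT:-"echo iptables"}

# Baseline in the spirit of lputfire (assumption): nothing is forwarded unless
# a per-session rule, inserted above this policy, allows it.
baseline_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
}

# Hypothetical per-user service list; a real deployment would derive this
# from group membership (cf. the grp2deny variable) rather than a case table.
# Format: proto/port, or the word "all".
services_for_user() {
    case "$1" in
        alice) echo "tcp/21" ;;          # ftp only
        bob)   echo "tcp/25 tcp/110" ;;  # send (smtp) and receive (pop3) mail only
        *)     echo "all" ;;             # everybody else gets every service
    esac
}

# Emit (or run, when IPT=iptables) the FORWARD rules for one session.
# $1 = add|del, $2 = client IP, $3 = username, $4 = tty (unused here; rmFwall
# needs it to match the session in the output of w).
session_rules() {
    action=$1; ip=$2; user=$3
    case "$action" in
        add) flag="-I FORWARD 1" ;;  # top of the chain, ahead of the DROP policy
        del) flag="-D FORWARD" ;;    # must match the inserted rule word for word
        *)   echo "usage: session_rules add|del ip user [tty]" >&2; return 2 ;;
    esac
    for svc in $(services_for_user "$user"); do
        if [ "$svc" = all ]; then
            # Forward everything from the client and everything back to it.
            $IPT $flag -s "$ip" -j ACCEPT
            $IPT $flag -d "$ip" -j ACCEPT
        else
            proto=${svc%/*}; port=${svc#*/}
            # Outbound to the service port, and the replies back to the client;
            # the FORWARD chain sees both directions, so both need a rule.
            $IPT $flag -s "$ip" -p "$proto" --dport "$port" -j ACCEPT
            $IPT $flag -d "$ip" -p "$proto" --sport "$port" -j ACCEPT
        fi
    done
}

# When run as a script (not sourced), act on the arguments pam_iptables passes.
if [ $# -ge 3 ]; then
    session_rules "$@"
fi
```

Without IPT set the script only prints the commands it would run, which is a convenient way to check a rule set before putting it in the free-form section of insFwall. The add and delete paths share one function on purpose: iptables -D only removes a rule that matches the inserted one exactly, so generating both from the same code is what keeps the cleanup at session end from silently leaving rules behind.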
The insFwall script inserts the firewalling rules that allow the user to access the internet, and it also starts rmFwall. rmFwall runs as a daemon and checks the session status using the w command from the procps-2.0.7 package. w.c was slightly modified to show the full hostname instead of only 16 characters; it can now display 64 characters. When a user closes or logs out of the telnet/ssh session, rmFwall detects it and invokes insFwall again with the appropriate arguments to delete the firewalling rules. This time insFwall is invoked in such a way that it does not start rmFwall again.
The primary purpose of ssh-ing or telnetting to the gateway machine is gateway authentication, but users would also get a command shell once they are successfully logged in. To avoid this, the default shell of these users is changed to our own script, vimesg, which only displays a message (login time, current time and so on); quitting this shell closes the ssh/telnet connection and thereby the session. Assigning the customized shell and group to the net users (restricted users) can be automated by adding them with the addnetuser script provided.
Some more options are provided that may be useful to restrict the users. For example, a single group can be restricted with the single-session-only option: a user belonging to that restricted group can open only one ssh/telnet session at a time. This single-session restriction can be configured in two ways: 1. by refusing new sessions while one is open, or 2. by closing the previous session and allowing the new one.
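The session tracking that rmFwall does with w, and the single-session option, as an added example in POSIX shell; this is not the viAuth rmFwall or insFwall. The w -h output it parses is a constructed sample, the grants file format "ip user tty" is an assumption about what insFwall could record when it inserts rules, and the policy names "deny" and "killprev" are just labels for the two behaviours the text describes (the page's own variable is called killprev).

```shell
#!/bin/sh
# Added example of rmFwall-style session tracking (not the viAuth script).
# W is the command whose output is parsed; it defaults to a constructed
# sample of "w -h" so the logic runs anywhere. On a gateway: W="w -h".
W=${W:-sample_w}

# Constructed sample of "w -h" on a gateway: FROM is the client address
# (the modified w would show up to 64 characters of hostname), WHAT is the
# vimesg restricted shell. root on tty1 is a console login with no FROM.
sample_w() {
    cat <<'EOF'
alice    pts/0    10.0.0.5         09:12    0.00s  0.03s  0.01s vimesg
bob      pts/1    10.0.0.7         09:14   12.00s  0.02s  0.01s vimesg
alice    pts/2    10.0.0.9         09:20    3.00s  0.02s  0.01s vimesg
root     tty1     -                08:55   20:00   0.10s  0.05s -bash
EOF
}

# "user tty from" for every remote session. Console logins (FROM "-") never
# had a rule inserted for them, so they are left out.
active_sessions() {
    $W | awk '$3 != "-" { print $1, $2, $3 }'
}

# Number of live remote sessions held by user $1.
session_count() {
    active_sessions | awk -v u="$1" '$1 == u' | wc -l | tr -d ' '
}

# Single-session policy for user $1 logging in on tty $2 (policy $3):
#   deny     -> return 1 if the user already has another session
#   killprev -> print the ttys of the earlier sessions so the caller can end
#               them (e.g. pkill -t <tty>) and then let the new one through
single_session() {
    user=$1; newtty=$2; policy=$3
    others=$(active_sessions | awk -v u="$user" -v t="$newtty" \
             '$1 == u && $2 != t { print $2 }')
    [ -z "$others" ] && return 0
    case "$policy" in
        deny)     return 1 ;;
        killprev) echo "$others"; return 0 ;;
        *)        echo "unknown policy: $policy" >&2; return 2 ;;
    esac
}

# $1 = file of grants, one "ip user tty" per line, recorded when the rules
# were inserted. Prints the grants whose session has disappeared; these are
# the ones rmFwall hands back to insFwall so that the rules get deleted.
stale_grants() {
    live=$(active_sessions)
    while read -r ip user tty; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$live" | grep -qxF "$user $tty $ip" \
            || echo "$ip $user $tty"
    done < "$1"
}
```

A daemon built on this polls stale_grants every few seconds and runs the delete path for each line it prints, which covers the telnet case the module itself cannot see: a window closed without a logout simply stops appearing in w. Matching on the tty as well as the user and address is what makes the killprev policy safe when the same user reconnects from the same host.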
Configuration and Installation
The whole tarball is available at http://devel.kovaiteam.com/viAuth.tar.gz. Follow the instructions given in the README file; in a nutshell:
1. Log in as root and copy the tarball to /usr/local.
2. Untar the tarball.
# tar xvzf viAuth.tar.gz
3. # cd viAuth/
4. The Makefile provided compiles the modified w command. To compile it, issue
# make clean
# make w
5. To compile and install the PAM module:
# ./lccpam
6. Put the following line in /etc/pam.d/login to use it with telnet, in /etc/pam.d/sshd to use it with ssh, or in both to use it with both telnet and ssh.
session required /lib/security/pam_iptables.so
7. In the file /usr/local/viAuth/insFwall, modify the variables grp2deny and killprev to suit your needs.
8. Run the script lputfire once to set the default firewalling rules (or modify the rules to your requirement and then run it).
9. Add the firewalling rules, in the same format, in the space provided in insFwall, so that they are inserted into the kernel whenever a user logs in and removed when the session ends.
References
1. http://www.linuxdoc.org/HOWTO/Authentication-Gateway-HOWTO/
2. http://www.sc.isc.tohoku.ac.jp/~hgot/sources/authipgate.html
Document Version 1.0. Created on 08-05-02 by Loganathan.R (logu@visolve.com). Reviewed by Deepa. Last updated on 09-05-02.