Firewall authentication

Contributed by jose on 2003-08-27 from the authentication dept.

Alexandre Belloni writes: "At my new job, I had to make a firewall that supports Active Directory authentication to allow user going to internet. This was to replace an old watchguard firebox II. So, I made a little PHP script that does the same as the watchguard. This script is available from http://www.piout.net/phpauthpf.html Please, feel free to make any comment on it."

This looks pretty neat and useful, and proably easier on users than the SSH based authpf we normally talk about.

(Comments are closed)

Comments

By inet65535 () tech@probsd.com on 2003-08-27 12:15 mailto:tech@probsd.com

I am replacing a watchdog firewall next month and was trying to figure a way to do this. Excellent timing, I'm excited to try this. Great Job!!!
By Mike () on 2003-08-27 12:24

I cannot get to the site. Is it down? Is there a mirror?
Comments
1. By Anonymous Coward () on 2003-08-27 12:53
  
  It works perfectly for me. Maybe try another/no proxy server?
2. By Ben () on 2003-08-27 14:41
  
  I cannot get to the site. Is it down? Is there a mirror? Maby you need to log in to your firewall in order to view it. ;)
3. By Alexandre Belloni () on 2003-08-27 15:07 http://www.piout.net
  
  Maybe, you are using ipv6, if so try http://www.piout.net/phpauthpf.html
  
  I'm sorry my apache doesn't listen to ipv6 yet.
4. By Alexandre Belloni () on 2003-08-27 15:08 http://www.piout.net
  
  I meant http://piout.net/phpauthpf.html
  so you won't be bothered by the ipv6 dns reply :)
5. By Mike () on 2003-08-27 15:33
  
  I was able to access it from an outside computer so all is well now. I suppose I should have kept my mouth shut before doing more testing.
By Anonymous Coward () on 2003-08-27 17:17

sweeeeeeeeeeeeeeeeeeeeeeet!
By Anonymous Coward () on 2003-08-27 17:45

I thought this was a site about OpenBSD? You know, that OS with integrated cryptography, to avoid exactly this kind of dumb shit?
Comments
1. By Alexandre Belloni () on 2003-08-27 19:09
  
  It is warned in the README. Feel free to use https and use kerberos with active directory so you will avoid plain text passwords. Then, please send me a patch as I don't want to spend more time on windows/openbsd interoperability right now.
  Comments
  1. By Anonymous Coward () on 2003-08-27 19:36
    
    Dude, it's great work! Can't satisfy them all.
    
    Comments
    
    By Anon Y Mouse () on 2003-08-27 19:43
    
    LOL, I'm not sure why you would use kerberos
    when LDAP has an SSL standard?
    
    Gen up two openssl certs and go to town.
2. By Anonymous Coward () on 2003-08-27 19:10
  
  What's wrong with HTTPS ?
  Comments
  1. By Anonymous Coward () on 2003-08-27 19:35
    
    My sentiments exactly!
  2. By Alexandre Belloni () on 2003-08-27 19:45
    
    The fact is that althought you have https between the client and the firewall, the firewall still use plain text passwords to communicate withe the active directory server. I have been said it is possible to use kerberos with active directory maybe I will try when I will have some time.
    
    Comments
    
    By Anon Y Mouse () on 2003-08-27 19:59
    
    I don't think you understand me --
    
    Microsoft's Active Directory HAS LDAP already implemented, including SSL encrypted LDAP.
    
    Thus, the need for Kerberos is obviated.
    
    http://www.wedgetail.com/jcsi/sso/doc/guide/ssl-setup.html
    
    The PHP script should instead try to authenticate
    to the AD via an SSL encrypted LDAP call.
    
    No Kerberos required. Capiche?
    
    Comments
    
    By Anonymous Coward () on 2003-08-27 20:16
    
    thanks for the URL and capiche!
    
    Thank you code writer dude for writing the totally kewl program
    
    By Alexandre Belloni () on 2003-08-27 20:39
    
    Ok, I didn't knew that. I don't know a lot about AD. I just heard that I could use kerberos to avoid plain text passwords. Thanks for the link I will try to improve this script.
    
    Comments
    
    By Anonymous Coward () on 2003-08-27 21:58
    
    Keep us posted if possible. I'd love to see more progress on this.
    
    By philipp () on 2003-08-28 03:50
    
    and then there is always the point of
    having dedicated, physical subnets (like
    crossover cable between firewall and auth-server)
    - sniff that, kid!
    
    (if one can physically reach that cable, you
    already have different issues :) )
    
    //pb
  3. By Anonymous Coward () on 2003-08-28 02:15
    
    http://ettercap.sf.net
3. By Anonymous Coward () on 2003-08-28 06:43
  
  what a great post. Direct and of course polite.
By Raymond () raymond@openminds.nl on 2003-08-28 03:49 www.openminds.nl

Hi,

I agree that digest and HTTPS are better solutions. I've rewritten authpf into nph-authpf.cgi so it can also be used with digest.
Some other features:
- Will run chrooted
- Will check if the starter is the web user.

Even now, I'm not 100% convinced this is the way to go, although it's a lot better than the solutions provided by Nokia or Cisco.

Raymond.
Comments
1. By Anonymous Coward () on 2003-08-28 04:34
  
  Could you provide a url to your project?
  
  Thanks
  Comments
  1. By Raymond () raymond@openminds.nl on 2003-08-28 06:21 www.openminds.nl
    
    Doesn't have one yet, give me a week and I'll post it here.
    
    Comments
    
    By earx () on 2003-08-30 01:42
    
    http://airsnarf.shmoo.com/
    
    Comments
    
    By Anonymous Coward () on 2003-08-29 16:21
    
    This is why its important to use SSL and to personaly demonstrate how the login process works.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]