Hi Folks,

I am about to introduce OpenBSD as an authentication layer in our company. While I read the manpage and did some initial testing with authpf, I'm not quite sure whether I can achieve what I need to. Let me describe the setup briefly:

network1 connects via ssh to $ext_if of the OpenBSD box. network2 is behind $int_if of my OpenBSD box. User1 should be able to access box 1, 2 and 3 via ssh (these being behind $int_if). User2 should be able to access just box 2, 3, and 4 (again via ssh).

It seems like the way to go via authpf would be a rules file for User1 like that (/etc/authpf/users/User1/authpf.rules):

  rdr on $ext_if proto tcp from $user_ip to $ext_if port 10122 -> 10.0.0.1 port 22
  rdr on $ext_if proto tcp from $user_ip to $ext_if port 10222 -> 10.0.0.2 port 22
  rdr on $ext_if proto tcp from $user_ip to $ext_if port 10322 -> 10.0.0.3 port 22

And User2, accordingly, in his .../User2/authpf.rules file:

  rdr on $ext_if proto tcp from $user_ip to $ext_if port 10222 -> 10.0.0.2 port 22
  rdr on $ext_if proto tcp from $user_ip to $ext_if port 10322 -> 10.0.0.3 port 22
  rdr on $ext_if proto tcp from $user_ip to $ext_if port 10422 -> 10.0.0.4 port 22

And yes, 10.0.0.x being hosts in network2 which are not directly accessible from network2. That should work, right?

However, to make things more complicated, outgoing connections from network1 are only possible with destination tcp/22. So that config wouldn't suit my environment. And while on the topic of a bit more complicated, the source IP of network2 is always the same, which makes the usage of $user_ip impossible (right?!).

Problem 2 seems to be solvable by using $user_id and packet tagging. I'm not quite sure how to solve problem 1 (outgoing connections only to dest 22). Would it be possible to give that user a real login shell in combination with authpf loading $user_id based rules?

Did anybody do a setup like that before? Any hints are greatly appreciated. A quick "no, that doesn't seem to be possible" is fine too ;)

I'm going back to my test setup now and play around with authpf.

Cheers,
Marian

PS.: Please keep me CC'ed, I'm (still) not subscribed to the list.
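For readers following the per-user rules layout in the post: the following is an added example of how the pf.conf side and one user's authpf.rules fit together, written in the same pre-4.7 pf syntax the post uses. It is not Marian's configuration; the interface names em0/em1 are assumed stand-ins for $ext_if/$int_if, and the 10.0.0.x hosts and listening ports are taken from the post. It illustrates two points the post's rdr-only files leave open: the per-user file must define its own macros (pf.conf macros are not visible in it, only authpf's $user_ip and $user_id are), and an rdr rule alone does not let traffic through, because the redirected packet is still evaluated by the filter rules with its translated destination. It does not address the "outbound to tcp/22 only" constraint.

```pf
# --- /etc/pf.conf (added example; em0/em1 are assumed names) ---
ext_if = "em0"
int_if = "em1"

# authpf(8) adds a logged-in user's source address to this table
table <authpf_users> persist

# translation rules first, as the grammar requires; authpf(8) loads each
# user's rules file into an anchor named authpf/<user>(<pid>) under these
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

# the authpf login itself: ssh to the gateway's external address
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state

# nothing reaches network2 unless a user's anchor rules pass it below
block in on $ext_if from any to 10.0.0.0/24

# filter anchor after the block rule so a user's "pass quick" rules win
anchor "authpf/*"

# --- /etc/authpf/users/User1/authpf.rules (added example) ---
# macros from pf.conf are not available here; redefine what this file needs
ext_if = "em0"
int_if = "em1"
user1_hosts = "{ 10.0.0.1, 10.0.0.2, 10.0.0.3 }"

# one listening port on $ext_if per reachable host, as in the post
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10122 -> 10.0.0.1 port 22
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10222 -> 10.0.0.2 port 22
rdr on $ext_if proto tcp from $user_ip to $ext_if port 10322 -> 10.0.0.3 port 22

# rdr only rewrites the destination; the packet must still pass the filter,
# which sees 10.0.0.x port 22, so pass exactly that and nothing else
pass in quick on $ext_if proto tcp from $user_ip to $user1_hosts port 22 \
    flags S/SA keep state
pass out quick on $int_if proto tcp from $user_ip to $user1_hosts port 22 \
    flags S/SA keep state
```

A user rules file can be syntax-checked without a login by supplying the authpf macros on the command line, for instance `pfctl -D user_ip=192.0.2.10 -D user_id=1001 -nf /etc/authpf/users/User1/authpf.rules` (192.0.2.10 and 1001 are made-up check values). After a user has logged in, `pfctl -a 'authpf/*' -sr` shows the rules actually loaded into the user anchors and `pfctl -t authpf_users -T show` lists the addresses authpf currently considers authenticated, which is the quickest way to confirm that a session's rules were installed and removed as expected.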