Discussion:
How (best) to use web-form entry of an OTP/OPIE password to control a PF-firewall?
Albert T
2007-11-19 22:09:41 UTC
Hello.

I'm in the process of setting up my own network for my small office.

I've set up a small/lightweight FreeBSD-based firewall at the "edge"
of my network.

It's running the PF firewall. I've got that working well for simple usage.

I understand how to set up OpenVPN passthrough from a remote client
that has a VPN client; but, that requires the remote user to (a) have
the OpenVPN client, and/or (b) have "shell" access.

I'd like to do something a bit different -- client-less and
browser-only -- but I'm simply not sure how best to go about it.

Here's a description of what I'm shooting for.

I've installed the Lighttpd web server on the firewall.

I'd like to have Lighttpd listen on, and serve up a page/form at, one
of my several IP addresses.

That form should be an "S/KEY" / "OPIE" authentication form. A user
would navigate to that URL, enter OTP credentials (from an OTP
calculator, currently a J2ME one).

If the credentials are VERIFIED, then I'd like to "talk to" the PF
firewall, and have it open port80 access at a different IP address to
ONLY the authenticating IP address, and for a limited time (say, 1
hour).

If the credentials are NOT VERIFIED, and there are for example 3
failed attempts within 15 minutes, then PF would be told to BLOCK IP
access from that IP for a given amount of time (say 24 hours).

Like I said, I'm not sure how to best go about this. Getting to this
point was not the easiest thing in the world, but reading and patience
paid off. But doing *this* -- I'm not having much luck even figuring
out how to narrow down my searching.

I'd guess that some sort of PHP or CGI script on the Lighttpd
page/site would need to have that "listen and control" logic.

Is this a good way to go about this?

Can anyone point me in the direction of an EXISTING OpenSource
solution somewhere?

Thanks a bunch,

Albert
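As an added example (not code from the thread), here is the gate logic Albert describes, written as a Python module a lighttpd CGI handler could call after the OTP check has passed or failed. It assumes pf.conf defines `table <web_allowed> persist` and `table <web_blocked> persist`, a `pass` rule from `<web_allowed>` to the service IP's port 80, a `block in quick from <web_blocked>` rule, and a sudoers entry letting the CGI user run `pfctl`; the table names and the sudo arrangement are assumptions.

```python
import ipaddress
import subprocess
import time
from collections import defaultdict, deque

MAX_FAILURES = 3           # three failed attempts ...
FAIL_WINDOW = 15 * 60      # ... within 15 minutes triggers a block
ALLOW_TTL = 60 * 60        # allow entries live for 1 hour
BLOCK_TTL = 24 * 60 * 60   # block entries live for 24 hours


def run_pfctl(args):
    """Run pfctl through sudo (assumed sudoers entry for the CGI user)."""
    subprocess.run(["sudo", "pfctl"] + list(args), check=True)


class PfGate:
    def __init__(self, runner=run_pfctl, clock=time.time):
        self.run = runner        # injectable so the logic can be tested offline
        self.clock = clock
        self.failures = defaultdict(deque)   # ip -> timestamps of failures

    @staticmethod
    def _addr(ip):
        # Validate REMOTE_ADDR before it is ever placed on a command line.
        return str(ipaddress.ip_address(ip))

    def login_ok(self, ip):
        addr = self._addr(ip)
        self.failures.pop(addr, None)
        self.run(["-t", "web_allowed", "-T", "add", addr])
        return "allowed"

    def login_failed(self, ip):
        addr = self._addr(ip)
        now = self.clock()
        q = self.failures[addr]
        q.append(now)
        while q and now - q[0] > FAIL_WINDOW:   # keep a sliding 15-minute window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.run(["-t", "web_blocked", "-T", "add", addr])
            q.clear()
            return "blocked"
        return "failed"


def expire_tables(runner=run_pfctl):
    """Run from cron: drop table entries older than their TTL."""
    runner(["-t", "web_allowed", "-T", "expire", str(ALLOW_TTL)])
    runner(["-t", "web_blocked", "-T", "expire", str(BLOCK_TTL)])
```

`pfctl -T expire` removes entries added (or last cleared) more than the given number of seconds ago, so running `expire_tables` from cron every few minutes gives the one-hour and 24-hour lifetimes.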
Sean Malloy
2007-11-20 06:14:54 UTC
Sean
The first idea that came to my mind was authpf. Unfortunately it does not
meet your above requirements because it requires shell access. I think
you might want to consider using authpf instead. Here is a link to the
authpf section in the OpenBSD PF FAQ.
http://www.openbsd.org/faq/pf/authpf.html
And a link to the authpf(8) man page for OpenBSD 4.2 release.
http://www.openbsd.org/cgi-bin/man.cgi?query=authpf&sektion=8&manpath=OpenBSD+4.2
I didn't know about AuthPF. Interesting.
But, as you point out, only shell access, right?
I have never actually set up authpf before but from the FAQ it looks
like any user that authenticates has their shell set to
/usr/sbin/authpf in /etc/passwd. So they don't get a traditional shell like ksh, csh,
or bash. Any client machine would need SSH client software installed to connect.
My remote users need to be able to access from "any Kinko's" (for
example) where there's no guarantee of Shell access, but *always* a
browser at hand.
If you want your clients to connect from "any Kinko's" you might look at
portable apps.

http://portableapps.com/

I saw a cool demo of portable apps about a month ago. They have a
portable version of PuTTY. Install portable PuTTY on a USB flash
drive and then keep the flash drive on your key chain. You can plug the USB flash
drive into any computer running Microsoft Windows and run PuTTY off the flash drive.
AuthPF does look like it's worth learning about.
Thanks.
Albert
--
Sean Malloy
Home Page: www.catgrepsort.com
Brian Mayeur
2007-11-20 18:05:55 UTC
Why not implement OpenSSL?
Post by Sean Malloy
Sean
The first idea that came to my mind was authpf. Unfortunately it does not
meet your above requirements because it requires shell access. I think
you might want to consider using authpf instead. Here is a link to the
authpf section in the OpenBSD PF FAQ.
http://www.openbsd.org/faq/pf/authpf.html
And a link to the authpf(8) man page for OpenBSD 4.2 release.
http://www.openbsd.org/cgi-bin/man.cgi?query=authpf&sektion=8&manpath=OpenBSD+4.2
I didn't know about AuthPF. Interesting.
But, as you point out, only shell access, right?
I have never actually set up authpf before but from the FAQ it looks
like any user that authenticates has their shell set to
/usr/sbin/authpf in /etc/passwd. So they don't get a traditional shell like ksh, csh,
or bash. Any client machine would need SSH client software installed to connect.
My remote users need to be able to access from "any Kinko's" (for
example) where there's no guarantee of Shell access, but *always* a
browser at hand.
If you want your clients to connect from "any Kinko's" you might look at
portable apps.
http://portableapps.com/
I saw a cool demo of portable apps about a month ago. They have a
portable version of PuTTY. Install portable PuTTY on a USB flash
drive and then keep the flash drive on your key chain. You can plug the USB flash
drive into any computer running Microsoft Windows and run PuTTY off the flash drive.
AuthPF does look like it's worth learning about.
Thanks.
Albert
--
Sean Malloy
Home Page: www.catgrepsort.com
Albert T
2007-11-20 19:10:24 UTC
Brian
Post by Brian Mayeur
Why not implement OpenSSL?
How would I do that for a browser client that I don't own, can't add a
certificate to or otherwise modify, and do not have Shell access on?

Again, my requirement is browser-only with no shell access.

Albert
Albert T
2007-11-20 19:40:09 UTC
Sorry about that... try OpenVPN... It uses VPN over SSL.
Unfortunately, this does not address my requirements -- repeated above
-- at all.

"Can I use a web browser as an OpenVPN client?

No. While OpenVPN uses the SSL/TLS protocol for security, OpenVPN is
not a web application proxy. It is an OSI layer 2 or 3 full-mesh
internetwork tunneling solution and requires that OpenVPN be installed
on both client and server."

Again, I need:

Browser only.
E.g., from a thin-client kiosk with a screen, keyboard, browser &
internet connection.
No additional software installed.
No hardware attachment required.

Shell-based, or installed-client-based solutions do not work.

Thanks anyway.

Albert
Nick Owen
2007-11-20 20:55:48 UTC
Check out SSL-Explorer.
--
Nick Owen
CEO
404-962-8983
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
Albert T
2007-11-20 21:17:46 UTC
Nick
Post by Nick Owen
Check out SSL-Explorer.
Reading about it now. Thanks!

Looks like most of the solution. I'm not sure yet if it can be
launched -- and an IP:port opened in the firewall -- in response to a
"knock" @ a WebServer URL on a different IP:port ...

... but, it seems, much of the rest is claimed to be there.

Thanks.

Albert
Albert T
2007-11-20 19:08:02 UTC
Sean,
Post by Sean Malloy
If you want your clients to connect from "any Kinko's" you might look at
portable apps.
http://portableapps.com/
I saw a cool demo of portable apps about a month ago. They have a
portable version of PuTTY. Install portable PuTTY on a USB flash
drive and then keep the flash drive on your key chain. You can plug the USB flash
drive into any computer running Microsoft Windows and run PuTTY off the flash drive.
Well, then "any Kinko's" was not an appropriate description. My fault.

"Portable" apps on a keychain assume that USB access is enabled.

My remote users need to be able to access with ONLY a browser. No
USB-, drives, peripherals, etc to be plugged in.

Which is why I'm asking about browser-only solutions. INSTALLED
browsers, that is.

Albert
Albert T
2007-11-20 01:50:20 UTC
Sean
The first idea that came to my mind was authpf. Unfortunately it does not
meet your above requirements because it requires shell access. I think
you might want to consider using authpf instead. Here is a link to the
authpf section in the OpenBSD PF FAQ.
http://www.openbsd.org/faq/pf/authpf.html
And a link to the authpf(8) man page for OpenBSD 4.2 release.
http://www.openbsd.org/cgi-bin/man.cgi?query=authpf&sektion=8&manpath=OpenBSD+4.2
I didn't know about AuthPF. Interesting.

But, as you point out, only shell access, right?

My remote users need to be able to access from "any Kinko's" (for
example) where there's no guarantee of Shell access, but *always* a
browser at hand.

AuthPF does look like it's worth learning about.

Thanks.

Albert
k***@gmail.com
2007-11-20 20:01:15 UTC
Might you be best served Googling "Clientless ssl vpn open source?" Or some other query similar to that. I think you'll get more of what you want by pursuing some sort of SSL VPN solution. Maybe an ipsec VPN, if you're running systems that have extensive ipsec support (Windows)?

I'd link some that I found with that query, but I can't in good faith recommend something I've not tried.
Albert T
2007-11-20 20:51:46 UTC
Post by k***@gmail.com
Might you be best served Googling "Clientless ssl vpn open source?" Or some other query similar to that. I think you'll get more of what you want by pursuing some sort of SSL VPN solution. Maybe an ipsec VPN, if you're running systems that have extensive ipsec support (Windows)?
Again, I can presume NOTHING other than a browser for the remote user.

Yes, there are some IPSec/SSL/VPN/etc commercial solutions; rather
expensive overkill and not what I'm asking about.

My remote users do NOT have a certificate with them. No USB keys can
be relied on.

OTP/OPIE password authentication, all/only via a 'vanilla' web
browser, and opening a normally closed port is what I've been asking
about.
Albert T
2007-11-20 20:56:17 UTC
Kurt,
http://3sp.com/showSslExplorerCommunity.do
It may not meet all of your needs, but that's what I'm aware of.
I'd noted SSLExplorer in my search results -- but had understood it to
be Windows-only, on the server side of things.

Apparently I was mistaken. Thanks, I'll take a closer look at this.

I was hoping for something from a "Free as in beer" project that I
could learn from and install -- and it looks like this is commercial
-- but worth a look.

Thanks a bunch

Albert
Albert T
2007-11-20 20:58:01 UTC
and,

"And best of all, it is totally free to use."

Thanks much!

Albert
Kurt Buff
2007-11-20 20:50:36 UTC
Post by Albert T
Hello.
I'm in the process of setting up my own network for my small office.
I've set up a small/lightweight FreeBSD-based firewall at the "edge"
of my network.
It's running the PF firewall. I've got that working well for simple usage.
I understand how to set up OpenVPN passthrough from a remote client
that has a VPN client; but, that requires the remote user to (a) have
the OpenVPN client, and/or (b) have "shell" access.
I'd like to do something a bit different -- client-less and
browser-only -- but I'm simply not sure how best to go about it.
Here's a description of what I'm shooting for.
I've installed the Lighttpd web server on the firewall.
I'd like to have Lighttpd listen on, and serve up a page/form at, one
of my several IP addresses.
That form should be an "S/KEY" / "OPIE" authentication form. A user
would navigate to that URL, enter OTP credentials (from an OTP
calculator, currently a J2ME one).
If the credentials are VERIFIED, then I'd like to "talk to" the PF
firewall, and have it open port80 access at a different IP address to
ONLY the authenticating IP address, and for a limited time (say, 1
hour).
If the credentials are NOT VERIFIED, and there are for example 3
failed attempts within 15 minutes, then PF would be told to BLOCK IP
access from that IP for a given amount of time (say 24 hours).
Like I said, I'm not sure how to best go about this. Getting to this
point was not the easiest thing in the world, but reading and patience
paid off. But doing *this* -- I'm not having much luck even figuring
out how to narrow down my searching.
I'd guess that some sort of PHP or CGI script on the Lighttpd
page/site would need to have that "listen and control" logic.
Is this a good way to go about this?
Can anyone point me in the direction of an EXISTING OpenSource
solution somewhere?
Thanks a bunch,
Albert
The closest thing I can see to your requirements is:

http://3sp.com/showSslExplorerCommunity.do

It may not meet all of your needs, but that's what I'm aware of.

Kurt
Lars
2007-11-21 08:32:12 UTC
Hello!

I think I have the solution to your problem.. I have made it myself
and I don't know if the source is quite ready to go public.. I need to
clean up the code; please contact me if anyone wants to help me out
here!

My solution is using OPIE S/key. I have done it like this:
- A perl script which uses Auth::opie from CPAN. I've compiled the perl
script to make it suid-bit root so the apache web user can use it (it needs
access to /etc/opiekeys).
- PHP talks to the perl executable. PHP tells you the usual s/key
challenge and you need to respond with the right answer.
- If login is ok, it sets a phpsession cookie and adds your IP address
to an allowed list. It actually generates an htaccess file and sets
the php sessionID to be allowed and the IP to be allowed.
- Inside the logged in "place" I have another php script, that one
communicates with iptables. I have added the www user to sudoers and
arranged it so it can execute iptables without any hassle.. This script opens
up one specific port to one specific IP.
- You can also use the "control" script to delete authenticated php
sessions and allowed IPs. You can also delete IPs you have added to
the port allow list.

If you want to see how it works, please contact me.
If you want to try it, tell me and I can make a test page for you..
If you want to help clean the code, please tell. It's not a mess,
and I've thought about security from the start, so it should be secure.
But the main problem is that it's a mix of several programming
languages. Perl to talk to the opie backend, php to talk to perl and
show the login page, bash to generate the htaccess file and keep track of
logs and such. I really want to get rid of bash in this case.

If anyone else thinks this sounds interesting, tell me. I want to
make it public but I don't know if anyone wants to use this..

Thanks
Lars
Post by Albert T
Hello.
I'm in the process of setting up my own network for my small office.
I've set up a small/lightweight FreeBSD-based firewall at the "edge"
of my network.
It's running the PF firewall. I've got that working well for simple usage.
I understand how to set up OpenVPN passthrough from a remote client
that has a VPN client; but, that requires the remote user to (a) have
the OpenVPN client, and/or (b) have "shell" access.
I'd like to do something a bit different -- client-less and
browser-only -- but I'm simply not sure how best to go about it.
Here's a description of what I'm shooting for.
I've installed the Lighttpd web server on the firewall.
I'd like to have Lighttpd listen on, and serve up a page/form at, one
of my several IP addresses.
That form should be an "S/KEY" / "OPIE" authentication form. A user
would navigate to that URL, enter OTP credentials (from an OTP
calculator, currently a J2ME one).
If the credentials are VERIFIED, then I'd like to "talk to" the PF
firewall, and have it open port80 access at a different IP address to
ONLY the authenticating IP address, and for a limited time (say, 1
hour).
If the credentials are NOT VERIFIED, and there are for example 3
failed attempts within 15 minutes, then PF would be told to BLOCK IP
access from that IP for a given amount of time (say 24 hours).
Like I said, I'm not sure how to best go about this. Getting to this
point was not the easiest thing in the world, but reading and patience
paid off. But doing *this* -- I'm not having much luck even figuring
out how to narrow down my searching.
I'd guess that some sort of PHP or CGI script on the Lighttpd
page/site would need to have that "listen and control" logic.
Is this a good way to go about this?
Can anyone point me in the direction of an EXISTING OpenSource
solution somewhere?
Thanks a bunch,
Albert
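The challenge/response step that Lars's perl layer performs against /etc/opiekeys, and that Albert's form would need, as an added Python example (not Lars's code): the S/KEY / OPIE hash chain of RFC 2289 with MD5. The server keeps only the last accepted value and its sequence number; the client answers with the value one step earlier in the chain. The seed, passphrase and hex response encoding are constructed for the example (real OPIE presents the response as six words, which is omitted here).

```python
import hashlib
import hmac


def fold_md5(data):
    """RFC 2289 MD5 step: hash, then XOR the two 64-bit halves of the digest."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_at(seed, passphrase, n):
    """n-th password in the chain: fold(seed||passphrase), then n more folds."""
    h = fold_md5((seed + passphrase).encode("ascii"))
    for _ in range(n):
        h = fold_md5(h)
    return h


class OpieRecord:
    """What the server keeps per user: sequence number, seed, last accepted OTP.
    The passphrase is used once, at enrolment, and is never stored."""

    def __init__(self, seed, passphrase, seq=499):
        self.seed = seed
        self.seq = seq
        self.last = otp_at(seed, passphrase, seq)

    def challenge(self):
        # The client must answer with the value one step *before* the stored one.
        return "otp-md5 %d %s" % (self.seq - 1, self.seed)

    def verify(self, response_hex):
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(resp) != 8 or not hmac.compare_digest(fold_md5(resp), self.last):
            return False
        # Accepted: advance the chain so the same OTP can never be replayed.
        self.last = resp
        self.seq -= 1
        return True
```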