
Re: authpf allows only one user from the same source ip; kicks off previous user

by beck-7

Nope. That's how it is supposed to work.

The point of authpf is for the user to say "this IP
is me" - if that IP could perhaps not be him, well, this
is not an application for authpf. I.e. if your users
are coming in from a NAT, you should rethink what you
are doing.

        -Bob


* Chris Youb <chris.youb@...> [2007-06-25 15:15]:

> When multiple users with the same source IP want access through the firewall
> authpf grants access to the newly authenticating user and kicks off the
> previous user.  Is there a way to turn off this behaviour so both users
> maintain authpf tables?
>
> Works:
> 1a. user1@... -> authpf -> maintains logon
> 1b. user2@... -> authpf -> logs on
>
> Doesn't Work:
> 2a. user1@... -> authpf -> gets kicked off
> 2b. user2@... -> authpf -> logs on
>
>
> Real-life example:
>
> Step #1 xuser authenticates from IP_1; xuser has access to firewall
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/xuser(1308)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
>
> Step #2 cyoub authenticates from IP_2; both xuser and cyoub have access to
> firewall
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/cyoub(2104)
>  authpf/xuser(1308)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
>
> Step #3 cyoub authenticates from IP_1; ONLY cyoub has access to firewall as
> he was the last to login.  xuser is kicked off???
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/cyoub(27921)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
>
> firewall# pfctl -a "authpf/cyoub(27921)" -s rules
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.8.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.12.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.80.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.48.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.28.0/22 flags S/SA keep state
> --
> View this message in context: http://www.nabble.com/authpf-allows-only-one-user-from-the-same-source-ip--kicks-off-previous-user-tf3978999.html#a11295667
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
>

--
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n";
}
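An added example, not part of the thread or of authpf itself: it parses two `pfctl -s Anchors -v` listings of the kind quoted above and reports which user's anchor vanished, which appeared, and which user re-authenticated under a new session PID. The two snapshots are constructed from the step 2 and step 3 listings, so a displaced user (here xuser) shows up as "kicked" alongside the re-authentication that displaced them, which is the signal an operator would watch for when users sit behind a shared NAT address.

```python
import re
from typing import Dict, Set

# Constructed snapshots modelled on the step 2 and step 3 listings in the thread.
BEFORE = """\
 authpf
 authpf/bfisher(25933)
 authpf/cyoub(2104)
 authpf/xuser(1308)
 authpf/rarthur(15647)
 authpf/schatterjee(31961)
"""
AFTER = """\
 authpf
 authpf/bfisher(25933)
 authpf/cyoub(27921)
 authpf/rarthur(15647)
 authpf/schatterjee(31961)
"""

# One anchor line looks like " authpf/<user>(<pid>)"; the bare " authpf" parent anchor is skipped.
ANCHOR_RE = re.compile(r"^\s*authpf/(?P<user>[^()/\s]+)\((?P<pid>\d+)\)\s*$")


def parse_anchors(text: str) -> Dict[str, Set[int]]:
    """Map each authpf user to the set of session PIDs that currently hold an anchor."""
    sessions: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = ANCHOR_RE.match(line)
        if m:
            sessions.setdefault(m["user"], set()).add(int(m["pid"]))
    return sessions


def diff_sessions(before: str, after: str) -> dict:
    """Compare two listings: who lost an anchor, who gained one, who got a new PID."""
    old, new = parse_anchors(before), parse_anchors(after)
    return {
        "kicked": sorted(set(old) - set(new)),
        "logged_in": sorted(set(new) - set(old)),
        "reauthenticated": sorted(u for u in old.keys() & new.keys() if old[u] != new[u]),
    }


if __name__ == "__main__":
    print(diff_sessions(BEFORE, AFTER))
```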
