Re: authpf allows only one user from the same source ip; kicks off previous user

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Bob Beck <beck@...>

To: Chris Youb <chris.youb@...>

Cc: <misc@...>

Subject: Re: authpf allows only one user from the same source ip; kicks off previous user

Date: Monday, June 25, 2007 - 5:26 pm

Nope. That's how it is supposed to work. 

	The point of authpf is for the user to say "this IP
is me" - if that IP could perhaps not be him, well, this
is not an application for authpf. I.E. if your users
are coming in from a NAT, you should rethink what you
are doing. 

	-Bob


* Chris Youb <chris.youb@gmail.com> [2007-06-25 15:15]:
quoted text> When multiple users with the same source IP want access through the firewall
> authpf grants access to the newly authenticating user and kicks off the
> previous user.  Is there a way to turn off this behaviour so both users
> maintain authpf tables?
> 
> Works:
> 1a. user1@192.168.0.1 -> authpf -> maintains logon
> 1b. user2@192.168.0.2 -> authpf -> logs on
> 
> Doesn't Work:
> 2a. user1@192.168.0.1 -> authpf -> gets kicked off
> 2b. user2@192.168.0.1 -> authpf -> logs on 
> 
> 
> Real-life example:
> 
> Step #1 xuser authenticates from IP_1; xuser has access to firewall
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/xuser(1308)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
> 
> Step #2 cyoub authenticates from IP_2; both xuser and cyoub have access to
> firewall
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/cyoub(2104)
>  authpf/xuser(1308)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
> 
> Step #3 cyoub authenticates from IP_1; ONLY cyoub has access to firewall as
> he was the last to login.  xuser is kicked off???
> firewall# pfctl -s Anchors -v
>  authpf
>  authpf/bfisher(25933)
>  authpf/cyoub(27921)
>  authpf/rarthur(15647)
>  authpf/schatterjee(31961)
> 
> firewall# pfctl -a "authpf/cyoub(27921)" -s rules
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.0.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.8.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.12.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.20.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.80.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.48.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.4.0/22 flags S/SA keep
> state
> pass in quick on bge0 inet from 10.0.1.47 to 172.16.28.0/22 flags S/SA keep
> state
> -- 
> View this message in context: http://www.nabble.com/authpf-allows-only-one-user-from-the-same-source-ip--kicks-off-p...
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
> 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

authpf allows only one user from the same source ip; kicks o..., Chris Youb, (Mon Jun 25, 5:10 pm)

Re: authpf allows only one user from the same source ip; kic..., Bob Beck, (Mon Jun 25, 5:26 pm)

Re: authpf allows only one user from the same source ip; kic..., Chris Youb, (Mon Jun 25, 6:50 pm)

Re: authpf allows only one user from the same source ip; kic..., Bob Beck, (Mon Jun 25, 7:47 pm)

Re: authpf allows only one user from the same source ip; kic..., Theo de Raadt, (Mon Jun 25, 7:00 pm)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Greg KH	[patch 00/04] RFC: Staging tree (drivers/staging)
James Bottomley	Re: Integration of SCST in the mainstream Linux kernel
Steven Rostedt	[RFC PATCH 1/3] Unified trace buffer
git:
Jon Smirl	! [rejected] master -> master (non-fast forward)
Marco Costalba	[ANNOUNCE] qgit4 aka qgit ported to Windows
Andi Kleen	Re: [kernel.org users] [RFD] On deprecating "git-foo" for builtins
Sverre Rabbelier	Git vs Monotone
openbsd-misc:
Richard Stallman	Real men don't attack straw men
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Damian Gerow	Oddly high load average
Benjamin Adams	BSD Port from OpenJDK
linux-netdev:
Michael Grollman	Re: 8169 Intermittent ifup Failure Issue With RTL8102E Chipset in Intel's New D945...
Volker Armin Hemmann	build error with 2.6.27.6+reiser4+ehci-hub patch. ERROR: "mii_ethtool_gset" [drive...
Evgeniy Polyakov	[resend take 2 0/4] Distributed storage.
Wenji Wu	A Linux TCP SACK Question

Latest forum posts


serial driver xmit problem	46 minutes ago	Linux kernel
Why Windows is better than Linux	46 minutes ago	Linux general
How can I see my kernel messages in vt12?	7 hours ago	Linux kernel
Grub	18 hours ago	Linux general
vmalloc_fault handling in x86_64	1 day ago	Linux kernel
epoll_wait()ing on epoll FD	1 day ago	Linux kernel
Framebuffer in x86_64 causes problems to multiseat	1 day ago	Linux kernel
Difference between 2.4 and 2.6 regarding thread creation	1 day ago	Linux general
Netfilter kernel module	1 day ago	Linux kernel
Compiling gfs2 on kernel 2.6.27	1 day ago	Linux kernel

Show all forums...

Recent Tags

more tags

Colocation donated by:

Online users

Syndicate