First release: Oct 25, 2001
Last modified: Oct 9, 2004

Simple Authenticating Gateway for Linux

Description

At some sites, access between different networks has to be controlled by user authentication. Firewalls normally filter IP packets by source or destination host, by port number and so on, but they do not provide access control based on which user is behind a packet.

This program, `authipgate', is a very simple (probably the simplest) implementation of an Authenticating Gateway [1,2,3]. authipgate turns a workstation router running Linux into an Authenticating Gateway. It relies on ipchains (kernel 2.2) or iptables (kernel 2.4) [4,5], which are commonly built into the Linux kernel. Suppose a user is using a WS/PC named `client1'. authipgate works as follows.

Possible applications are as follows.

Since the algorithm is neither efficient nor elegant, it is not a good idea to run users' application programs on the gateway workstation. The workstation should be dedicated to the Authenticating Gateway.
(Even on an ordinary gateway, users should not be allowed to run application programs, for security reasons.)

I have designed the program to be as simple as possible, since I do not like to modify the login process of the operating system, and I do not want to be tied to Linux. If another OS has a firewall whose rules can be reconfigured dynamically, a similar program for that OS could be written from authipgate quite easily.

Source Package

You can freely use, distribute or modify this program, create a new program based on it, or incorporate it into your codes, all without fee. This program is provided ``AS IS''. The author is not responsible for any damage caused by this program.

Legal notice : This package does NOT contain any cryptographic code.

NAT support

NAT (NAPT) mode is available in authipgate-1.3 or newer versions.

At some sites, the gateway workstation has to work as a NAT box rather than as an ordinary IP-forwarding gateway. If USE_NAPT="yes" is set in ``aipgd'' (a script in authipgate), the NAPT (Network Address/Port Translation) feature is turned on. From the outer networks, all clients then appear to have the IP address of the gateway's uplink port.

Note that this feature should NOT be used at sites where the administrator cannot trust the clients, because NAPT makes it difficult for the administrator to trace a misbehaving client. In a school, for example, if a student did something wrong over the Internet and the administrator received a complaint from outside, the administrator or teachers would need to trace the student and give appropriate guidance. The client's IP address can be very important information for such tracing.
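The rule handling that a gateway of this kind needs, written out as an added example (this is not authipgate's own aipgd script, which the page does not show): a default-drop FORWARD chain, a per-client ACCEPT rule inserted when the user logs in and deleted with identical text when the user logs out, and, when USE_NAPT is "yes", a MASQUERADE rule on the uplink. The interface names eth0 (uplink) and eth1 (client side), the sample client address and the optional MAC binding are assumptions. By default IPT is set to a dry run that prints the iptables commands instead of applying them, so the script can be read and tested without root; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not authipgate's aipgd: per-client firewall rules for an
# authenticating gateway built on iptables (kernel 2.4).
# Assumptions: eth0 is the uplink, eth1 faces the clients.
# IPT defaults to a dry run that echoes the commands; IPT=iptables applies them.

: "${IPT:=echo iptables}"
: "${UPLINK:=eth0}"
: "${CLIENT_IF:=eth1}"
: "${USE_NAPT:=no}"

# One-time base policy: nothing is forwarded until a client has been opened.
aipg_init() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies belonging to an already-opened flow pass without a per-client rule.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    if [ "$USE_NAPT" = yes ]; then
        # USE_NAPT="yes": rewrite all client traffic to the uplink's address.
        $IPT -t nat -F POSTROUTING
        $IPT -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
    fi
}

# Match expression for one client ($1 = IP, $2 = optional MAC). The same
# text is used for add and delete, so the delete on logout matches exactly
# the rule added on login.
aipg_rule() {
    if [ -n "$2" ]; then
        echo "-i $CLIENT_IF -o $UPLINK -s $1 -m mac --mac-source $2 -j ACCEPT"
    else
        echo "-i $CLIENT_IF -o $UPLINK -s $1 -j ACCEPT"
    fi
}

# Called on login: insert the client's rule at the top of FORWARD.
aipg_open() {
    $IPT -I FORWARD $(aipg_rule "$1" "$2")
}

# Called on logout: delete (-D) the exact rule that was added on login.
aipg_close() {
    $IPT -D FORWARD $(aipg_rule "$1" "$2")
}

# Constructed sample session, dry-run: prints the commands for one client.
aipg_init
aipg_open 192.168.1.10
aipg_close 192.168.1.10
```

Because authorization is keyed on the client's source IP address, anyone who can take over that address on the client LAN after a login inherits the open rule; the optional --mac-source match raises the bar a little, but a MAC address is just as easy to set, so the gateway should only serve a segment the administrator controls, as the cited papers discuss. The ESTABLISHED,RELATED rule is what lets return traffic through without a second per-client rule in the opposite direction.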

Extremely Restricted Shell (exrsh)

Extremely Restricted Shell (exrsh) is included in the package (>= v1.4). This program allows normal users to run only a limited set of commands, such as logout, exit, passwd and who.

``exrsh'' can be used as an alternative login shell on the Authenticating Gateway. It is useful for protecting the gateway from abuse or internal damage by users.
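How such a restricted login shell is kept restricted, as an added example (this is not the exrsh program shipped with authipgate): the user's input is never handed to a shell for evaluation; instead a bare command word is matched against a fixed allow-list and dispatched by full path, so "passwd;sh", "who am i" or any other argument or metacharacter is refused. The command set and the paths /usr/bin/passwd, /usr/bin/who and /bin/date are assumptions.

```shell
#!/bin/sh
# Added example, not authipgate's exrsh: a minimal "extremely restricted"
# login shell that dispatches only a fixed allow-list of commands by full path.
# Assumed paths: /usr/bin/passwd, /usr/bin/who, /bin/date.

# Print the full path for an allowed command word; fail for anything else.
exrsh_lookup() {
    case "$1" in
        passwd) echo /usr/bin/passwd ;;
        who)    echo /usr/bin/who ;;
        date)   echo /bin/date ;;
        *)      return 1 ;;
    esac
}

# Accept only a bare lowercase command word: no arguments, no spaces, no
# shell metacharacters, so nothing the user types ever reaches a real shell.
exrsh_check() {
    case "$1" in
        "")        return 1 ;;   # empty line
        *[!a-z]*)  return 1 ;;   # rejects "passwd;sh", "who am i", "../x"
    esac
    exrsh_lookup "$1" >/dev/null
}

# Read-dispatch loop; "exit" and "logout" end the session.
exrsh_loop() {
    while printf 'exrsh> ' && IFS= read -r line; do
        case "$line" in
            exit|logout) break ;;
        esac
        if exrsh_check "$line"; then
            "$(exrsh_lookup "$line")"      # exec by fixed path, no eval
        else
            echo "exrsh: command not permitted" >&2
        fi
    done
}

# Run the loop only when started as the login shell named exrsh
# (a login shell sees "-exrsh" in $0), not when this file is sourced.
case "$0" in
    exrsh|-exrsh|*/exrsh) exrsh_loop ;;
esac
```

Installed as /usr/local/bin/exrsh and listed in /etc/shells, it can be set as a user's login shell with chsh; the point of the allow-list being a case statement rather than a lookup through $PATH is that the user cannot influence which binary runs.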

Installation

Installation is very easy.

  % tar zxf authipgate-1.5.tgz
  % cd authipgate-1.5
  % make
  # make install
  (Then customize /usr/local/sbin/aipgd.)

See INSTALLATION in the package for the details.

Testing Environments

authipgate is currently designed to work on Red Hat-based Linux distributions. The program has been tested under the following operating systems.

The previous version, 1.4, was tested under the following operating systems.

Security Notes

References

  1. R. Beck, ``Dealing with Public Ethernet Jacks --- Switches, Gateways, and Authentication,'' Proceedings of the 13th System Administration Conference (LISA'99), pp.149-154, 1999.
  2. H. Goto, M. Mambo, and H. Shizuya, ``Secure Access Ports with Authentication Using Inexpensive Switches and the Secure Shell,'' Transactions of IEICE (D-I), Vol.J84-D-I, No.10, pp.1502-1505, 2001. (in Japanese)
  3. Securing Wireless LAN / Ethernet Jacks in Public Spaces. (in Japanese)
  4. The netfilter/iptables project (firewall, NAT and packet mangling for Linux 2.4).
  5. Linux 2.4 Packet Filtering HOWTO. (Japanese version)


This page: All Rights Reserved, Copyright (C) Hideaki Goto 2001-2004
http://www.sc.isc.tohoku.ac.jp/~hgot/sources/authipgate.html