Chapter 33. Login Shell

You need to log into the firewall occasionally to manage it. You may log in directly at the console or remotely via TELNET or Rlogin. Occasionally, you may also need to send files to or from the firewall using FTP. Whenever you access the firewall remotely, you are sending your password (and your root password) in the clear across your internal network to the firewall. While you would like to believe that this is secure, you want to be prudent.

One way of protecting your password is to log into the firewall using some form of strong authentication that uses one-time passwords or time-based responses. The login shell program included with the Gauntlet firewall allows you to use the same strong authentication scheme for logging into the firewall itself as you do for activity between opposite sides of your security perimeter.

This chapter discusses the concepts behind the login shell program and explains how it works, how to configure the program, and how to use it. The chapter consists of the following sections:

Understanding the Login Shell Program

The login shell program is a wrapper program that authenticates the user (using strong authentication) before passing control to the real login shell. It provides authentication and logging.

How the Login Shell Program Works

A user logs into the firewall via the console, TELNET, or rlogin. This calls the standard login program to process the login. The login program asks for a user name. The login program reads the /etc/passwd file and determines that this user does not require a password (because the password field is empty). It then passes the information to the program specified in the shell field, the login shell program (/usr/etc/login-sh).

The login shell program prompts the user for the response appropriate to their authentication method (S/Key password, and so on). The login shell program checks its configuration information (in the netperm table) and authenticates the user using the authentication server specified there. The login shell program then reads the shellfile configuration file (by default, /usr/local/etc/login-shellfile) and passes control to the executable specified for the user in that file, which is normally the user's real shell. The user is now logged into the firewall and ready to work.

The standard FTP daemon does not use login, so it will not invoke the login shell program for authentication. This is not usually a problem, because running the standard FTP daemon on the firewall is strongly discouraged.

Configuring the Firewall to Use the Login Shell Program

Configuring the Gauntlet Firewall involves planning, enabling remote login, creating user accounts, configuring the proxy to enforce your policy, and securing other applications.

Planning Remote Login

When planning for remote login, determine which users you want to allow to access the firewall remotely.

Enabling Remote Login

You must configure the firewall to allow remote login from other hosts.

Use the Gauntlet administration tools to allow the firewall to run the TELNET or rlogin daemons.

Adding Support for the Login Shell

You must add support for the login shell so that the operating system recognizes the login shell as a valid shell.

To add support for the login shell, edit /etc/shells and add a line indicating the location and path of the login shell:

/usr/etc/login-sh

Creating User Accounts

To create user accounts:

  1. Create or modify the user account on the firewall.

    scooter::518:10:Scooter Lindley:/home/scooter:/usr/etc/login-sh

    • Leave the password empty, because the login shell uses your strong authentication information.

    • If you include a password, you are prompted to authenticate twice: once for the information you enter here, and once for your strong authentication information.

  2. Specify login-sh as the shell.

  3. Create the user's home directory, if necessary:

    mkdir /home/scooter

  4. Add the user to the appropriate group by editing /etc/group.

Configuring the Proxy Rules

If you are running the Gauntlet Firewall default configuration, you do not need to modify configuration rules for the login shell. If you have chosen a different authentication server or a different location for your shell file information, you must modify /usr/local/etc/netperm-table to reflect your configuration. Refer to the Gauntlet Netperm Table Reference Guide for more information about modifying the netperm table.

Configuring the Shell

You must provide information for each user indicating their final (real) shell. After the login shell authenticates the user, it starts the user's final shell.

To configure the shell, edit the shellfile file (/usr/local/etc/login-shellfile) and add information about the final shell for that user:

username executable parameters

username 

Same user name that you specified when you created the user's account on the firewall.

executable 

Name of the executable that the login program executes after authenticating the user. This is typically the user's shell.

parameters 

Parameters to the executable program. The first parameter is typically a hyphen (-) and the shell name (csh, ksh, and so on).

For example:

scooter  /usr/bin/tcsh  -tcsh

Creating User Authentication Records

To create the record in the authentication database:

  • Use the authentication management system to create authentication user entries for all users who will use the login shell on the firewall.

  • Use the same user name that you specified when you created the user on the firewall.

Securing Other Applications

To secure other applications:

  1. Disable programs (such as chsh) that allow users to change their shells. Either remove the executable or change the file permissions to 700:

    chmod 700 chsh

    Create accounts on the firewall for only those people who need to administer the firewall. They will all have access to the root password. Changing file permissions will not prevent them from changing their shell. If you are creating accounts for other users on the firewall (which is not recommended), changing file permissions will prevent them from changing their shell.

  2. Verify that the su command is not aliased to su -m in your account (.cshrc, .login, and so on) on the firewall. The -m option attempts to retain the current environment. This causes your login shell (in this case, login-sh) to be executed by user root. Because there is no entry for root in the login-shellfile, su -m does not work.
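The following script is an added example, not part of the Gauntlet distribution or this manual. It cross-checks the three files the steps above have you edit (/etc/shells, /etc/passwd and the login-shellfile) and flags the two mistakes the text warns about: a non-empty password field for a login-sh account (double prompt) and a login-sh account with no login-shellfile entry (nothing for login-sh to start). The sample files and the user "gonzo" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Gauntlet manual): cross-check the files this
# chapter has you edit. Usage: audit_login_sh PASSWD SHELLS SHELLFILE
# Prints one line per problem and returns the number of problems found.
LOGIN_SH=/usr/etc/login-sh

audit_login_sh() {
    passwd=$1; shells=$2; shellfile=$3; problems=0
    # /etc/shells must list login-sh or the OS will not accept it as a shell.
    if ! grep -qx "$LOGIN_SH" "$shells"; then
        echo "$shells: $LOGIN_SH is not listed"
        problems=$((problems + 1))
    fi
    # For every account whose login shell is login-sh: the password field
    # must be empty (otherwise the user is prompted twice) and the user needs
    # a login-shellfile entry (otherwise login-sh has no final shell to start).
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$shell" = "$LOGIN_SH" ] || continue
        if [ -n "$pw" ]; then
            echo "$user: password field not empty, expect a double prompt"
            problems=$((problems + 1))
        fi
        if ! awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$shellfile"; then
            echo "$user: no entry in $shellfile, login-sh cannot start a shell"
            problems=$((problems + 1))
        fi
    done < "$passwd"
    return "$problems"
}

# Constructed sample files standing in for /etc/passwd, /etc/shells and
# /usr/local/etc/login-shellfile. "gonzo" has both mistakes the text warns about.
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0:Super-User:/:/bin/sh' \
    'scooter::518:10:Scooter Lindley:/home/scooter:/usr/etc/login-sh' \
    'gonzo:abc123:519:10:Gonzo:/home/gonzo:/usr/etc/login-sh' > "$tmp/passwd"
printf '%s\n' /bin/sh /bin/csh /usr/bin/tcsh /usr/etc/login-sh > "$tmp/shells"
printf '%s\n' 'scooter  /usr/bin/tcsh  -tcsh' > "$tmp/login-shellfile"

rc=0
audit_login_sh "$tmp/passwd" "$tmp/shells" "$tmp/login-shellfile" || rc=$?
echo "$rc problem(s) found"   # prints "2 problem(s) found"
```

Run it against the real files as root (audit_login_sh /etc/passwd /etc/shells /usr/local/etc/login-shellfile); a return code of 0 means every login-sh account is consistent.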

Verifying Your Setup

Verify your installation by TELNETing to the firewall's TELNET proxy and then, from the proxy prompt, connecting to the firewall itself:

tn-gw-> c localhost

After you enter your user name, you are prompted for your strong authentication information.

Using the Login Shell Program

Using the login shell program can mean accessing the firewall from trusted or untrusted networks.

Accessing the Firewall From Trusted Networks

Log into the firewall (via the console, TELNET, or rlogin) as you did before. After you enter your user name, you are prompted for the response or password specified for your authentication scheme. Become root (via su) to do work as needed.

Accessing the Firewall From Untrusted Networks

Connect to the firewall as you did before, providing your strong authentication information to connect to the proxy. If you log into the firewall itself, you will need to authenticate again.

Logging into the firewall as root from an untrusted network is strongly discouraged. When you log in as root, you are sending your root password across the untrusted network, where it can be intercepted.

Changing the Password for a User Account

When you are using the login shell, the password is actually the strong authentication password, not the standard IRIX password.

Do not use the passwd or chpass programs on your IRIX system. To change your password, you must follow the instructions for changing your strong authentication information.

If you use the passwd or chpass programs, you will create an IRIX password. You will then need to provide both your IRIX password and your strong authentication information when you log into the firewall.