Title: Authentication gateway with SSH on OpenBSD
       Author: Solène
       Date: 01 December 2022
       Tags: openbsd security nocloud
       Description: In this article, you will learn how to use the OpenBSD
       authpf shell to manipulate the firewall when connecting over SSH.
       
       # Introduction
       
       A neat feature in OpenBSD is the program authpf, an authenticating
       gateway using SSH.
       
        Basically, it lets you dynamically configure the local PF firewall by
        logging in to, and out of, a user account over SSH: the session either
        toggles the client's IP address in a PF table or loads rules through a
        PF anchor.
       
       # Use case
       
        This program is very useful for the following use cases:
        
        * firewall rules dedicated to authenticated users
        * enabling NAT for authenticated users
        * using a different bandwidth queue for authenticated users
        * logging, or not logging, the network packets of authenticated users
       
       Of course, you can be creative and imagine other use cases.
       
        This method is different from using a VPN: there is no encryption
        overhead, but it is less secure in the sense that it only
        authenticates an IP address or username, so if you use it over the
        Internet, the triggered rule may also benefit other people sharing
        your IP address.  However, it's much simpler to set up because users
        only have to share their public SSH key, while setting up a VPN is
        another level of complexity and troubleshooting.
       
       # Example setup
       
        In the following example, you manage a small office OpenBSD router, but
        you only want Chloe's workstation to reach the Internet through the NAT.
        You need to create a dedicated account for her, set its shell to
        authpf, deploy her SSH key and configure PF.
       
        ```shell
        # useradd -m -s /usr/sbin/authpf chloe
        # mkdir -m 700 ~chloe/.ssh
        # echo "$ssh_key" >> ~chloe/.ssh/authorized_keys
        # chown -R chloe ~chloe/.ssh
        # touch /etc/authpf/authpf.conf /etc/authpf/authpf.rules
        ```
       
        Now, edit `/etc/pf.conf` and use the default table name
        `authpf_users`.  With the following PF snippet, only authenticated
        users are allowed through the NAT.
       
       ```
       table <authpf_users> persist
       match out on egress inet from <authpf_users> to any nat-to (egress)
       ```
       
        Reload your firewall, and when Chloe connects, she will be able to go
        through the NAT.
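
The table-only setup above covers the NAT use case. The other use cases listed earlier (dedicated rules, a separate bandwidth queue, selective logging) are where PF anchors come in: authpf loads a per-user rules file into a sub-anchor under `authpf` for the duration of the SSH session, with the client address available as the `$user_ip` macro. The following is an added example, not the article's configuration; it assumes the interface names `em0` and `em1`, a constructed LAN prefix, and shows both the `/etc/pf.conf` side and a per-user `/etc/authpf/users/chloe/authpf.rules` in one listing.

```pf
# /etc/pf.conf  (added example, not the article's ruleset)
ext_if = "em0"              # assumed: interface towards the Internet
int_if = "em1"              # assumed: office LAN interface
lan    = "192.168.1.0/24"   # constructed LAN prefix

# authpf adds each authenticated user's address here and removes it on logout
table <authpf_users> persist

# two outbound queues: a small default one, a larger one for authenticated users
queue outq on $ext_if bandwidth 20M
queue std  parent outq bandwidth 2M default
queue auth parent outq bandwidth 18M

set skip on lo
block return log              # default deny, logged
pass out on $ext_if           # the router itself and forwarded traffic may leave

# LAN hosts must still reach the router's sshd to authenticate
pass in on $int_if inet proto tcp from $lan to ($int_if) port 22

# NAT only authenticated users (same rule as in the article)
match out on egress inet from <authpf_users> to any nat-to (egress)

# forward only authenticated users from the LAN, in the faster queue, unlogged
pass in on $int_if inet from <authpf_users> to any set queue auth

# per-user authpf.rules files are loaded into sub-anchors below "authpf"
anchor "authpf/*"


# /etc/authpf/users/chloe/authpf.rules  (added example)
# authpf substitutes $user_ip with the address Chloe's SSH session came from
# and loads these rules only while that session is open.
int_if = "em1"
# log Chloe's outgoing SSH and mail connections, nothing else
pass in log on $int_if proto tcp from $user_ip to any port { 22 25 } set queue auth
```

Unlike the article's minimal snippet, this ruleset is default-deny, so an unauthenticated workstation can only reach the router's sshd; Chloe's session adds her address to `<authpf_users>` and loads her rules into the `authpf/chloe(<pid>)` sub-anchor, and both go away when she disconnects. You can watch this happen with `pfctl -t authpf_users -T show` and `pfctl -a authpf -sA`; the macros available in `authpf.rules` are listed in authpf(8).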
       
       # Conclusion
       
        The program authpf is an efficient tool for the network administrator's
        toolbox.  With PF anchors, you can extend its potential as far as you
        want; it is really not limited to tables.
       
       # Going further
       
        The man page contains a lot of extra information about customization;
        you should definitely read it if you plan to use authpf.
       
        OpenBSD man page of authpf(8)
       
       ## Blocking users
       
        It's possible to ban users: for various reasons you may want to block
        someone with a message asking them to contact the help desk.  This is
        done by creating a file named after the username, for example
        `/etc/authpf/banned/chloe` for user `chloe`; the file's text content
        is displayed to the user upon connection.
       
        ## Greeting message
       
        It's possible to write a custom greeting message displayed upon
        connection, either globally or per user: write the message in
        `/etc/authpf/authpf.message` for a global one, or in
        `/etc/authpf/users/chloe/authpf.message` for user `chloe`.