########################################## # Nuauth Configuration file ########################################## # Nuauth ############################################# # Addresses nuauth listen on for clients, long example: # "0.0.0.0:4129 127.0.0.1:8080 192.168.1.2 [::1] [2a01:e35:8a04::3538]:5000" # will listen on: # * IPv4: 0.0.0.0 port 4129 # * IPv4: 127.0.0.1 port 4129 # * IPv4: 192.168.1.12 port 4129 (default port, nuauth_user_packet_port) # * IPv6: ::1 port 4129 (default port) # * IPv6: 2a01:e35:8a04::3538 port 5000 # Use 0.0.0.0 to bind to all IPv4 addresses, and [::] for all IPv6 addresses #nuauth_client_listen_addr="0.0.0.0" # address nuauth listens on for nufw packets # It uses the same syntax as nuauth_client_listen_addr. #nuauth_nufw_listen_addr="127.0.0.1" # Absolute path to the unix domain socket for nufw servers # If nuauth and nufw are installed on the same machine, # a unix sock can be used between them. # default: none #nuauth_client_listen_socket="/tmp/nuauth_nufw.sock" # Default port for nufw gw request #nuauth_gw_packet_port=4128 # Default port for user authentification packet #nuauth_user_packet_port=4129 # NuFW ############################################ # address of the nufw gw # in UDP clear mode this is the address nuauth # respond to authentication request # In TLS mode transform this variable in a list # containing all the ips used to connect to the # nuauth server : # nufw_gw_addr="192.168.75.1 192.168.75.254" # nufw_gw_addr="127.0.0.1" ############ # Is nufw using able to use libnetfilter_conntrack # and able to kill a session nufw_has_conntrack=1 ############ # Is nufw using able to use libnetfilter_conntrack # and has fixed timeout patch nufw_has_fixed_timeout=1 ############################################################## # Module configuration : # syntax is the following # list of modules separated by space # syntax of a module : # name[:type[:config file]] # if syntax is : # name : load module "name" with config file included in nuauth.conf # name:type : load module "type" with config file CONFIG_DIR/modules/name.conf # name:type:conf : load module "type" with config file "conf" ############################################################## ## Authentication module for user : # It is used if nuauth_uses_fake_sasl is set to 1 # to be choozen in : # - plaintext : user credentials are stored in a text file # - system : authentication is done against PAM and groups are system groups. This provides # a convenient way to use nss features and/or pam-modules nuauth_user_check_module="plaintext" # Set up following variables if you want to differenciate user id and # group fetching from authentication: #nuauth_get_user_id_module="plaintext" #nuauth_get_user_groups_module="plaintext" ## Acl checking module : # to be choozen in : # - ldap # - plaintext nuauth_acl_check_module="plaintext" # Cache acl for more performance ? nuauth_acl_cache=1 ## Period handling module: # to be choozen in: # - xml_defs # nuauth_periods_module="xml_defs" ############################################## #Choose user logging method ############################################## #You can log to MySQL, PostgreSQL, syslog or Prelude #Therefore, acceptable values for this parameter are: # : "mysql", "pgsql", "syslog", "nuprelude", "ulogd2" nuauth_user_logs_module="syslog" # define with nuauth_user_session_logs_module which method you # want to use for user connection and disconnection # Available modules are : # syslog: log message with syslog # script: run a custom script at user connection (CONFDIR/user-up.sh) and disconnection (CONFDIR/user-down.sh) # mysql: log users connection and disconnection in a sql table # nuprelude: log to Prelude IDS # example : nuauth_user_session_logs_module="syslog mysql" nuauth_user_session_logs_module="syslog" # Module to log authentification errors # Available modules: nuprelude, syslog nuauth_auth_error_log_module="syslog" ############################################ # Other nuauth modules ############################################ # Module to modify an user session just after its creation # Choose between : session_expire, session_authtype nuauth_user_session_modify_module="session_expire" # Module to finalize a packet before sending it back to nufw # Available modules: mark_group, mark_uid, mark_field, mark_flag nuauth_finalize_packet_module="mark_uid" ############################################## # Comportemental items ############################################## # Use command server? # nuauth_use_command_server=0 # Debug level (0<=debug_level<=9) nuauth_debug_level=0 # Debug area, binary and between # DEBUG_AREA_MAIN = 1 Main domain # DEBUG_AREA_PACKET = 2 Packet domain # DEBUG_AREA_USER = 4 User domain # DEBUG_AREA_GW = 8 Gateway domain # DEBUG_AREA_AUTH = 16 Auth. domain # DEBUG_AREA_PERF = 32 Performance display # default : DEFAULT_DEBUG_AREA = 31 # nuauth_debug_areas=31 # What to do when several acls are found for a match : # - 0: Accept packet if an ACCEPT acl matches # - 1: Drop packet if there is a DROP acl matching # - 2: First decision match # Default nuauth_prio_to_nok=2 nuauth_prio_to_nok=2 # client can work with two modes : # POLL : client check each time interval if it need to send a packet (traffic economy for WAN) # PUSH : nuauth warn client that they may need to send authentication packet (better response time on LAN) nuauth_push_to_client=1 # If set to 0, it relaxes constraint of check of IP source address of # authenticated packets. This can be useful to authenticate both IPv6 and IPv4 # packet in a simple client. #nuauth_user_check_ip_equality=0 # Set to 1 to use user_check module # Set to 0 to use sasl authentication # # Note: It is a good idea to set nuauth_log_users_without_realm # to 1 it you set nuauth_uses_fake_sasl to 0. # nuauth_uses_fake_sasl=1 # Number of connections a user can run # 0 = unlimited (default) nuauth_single_user_client_limit=0 # Number of connections per IP a user can run # 0 = unlimited (default) nuauth_single_ip_client_limit=0 # Reject (instead drop) when packet is reached # 0: use drop (default) # 1: reject (send icmp unreached message) nuauth_reject_after_timeout=0 # Reject (instead drop) when user is not in any group of a ACCEPT acl # 0: use drop (default) # 1: reject (send icmp unreached message) nuauth_reject_authenticated_drop=0 # DROP packet if logging phase has failed. # The main use of this variable is to decide weither to drop # or not packets when the number of packet in the logging queue # gets too high. # nuauth_drop_if_no_logging = 0 # Maximum number of packets that can remain on a logging queue. # When a packet arrives when this number of packets is queued, it # is not logged and get dropped if nuauth_drop_if_no_logging is 1. # nuauth_max_unassigned_messages = 2000 # Do we use a fallback hello authentication mode for non NuFW supported # protocols ? # This brings authentication for all protocols based on IP # by doing a posteriori IP based authentication. # WARNING : Authentication is FAR less strict than nufw original protocol : # * It authenticates NATed computer (and every computers behind the same firewall) # * It is strictly MONO user # * But, it can authenticate all type of IP flows nuauth_hello_authentication=0 # Do we use fallback mode when no client are found ? # nuauth_push_to_client has to be set to 1 if you choose to enable it nuauth_do_ip_authentication=0 ## ip authentication module # to be chozen in : # ipauth_guest auth_mysql # nuauth_ip_authentication_module="ipauth_guest" # set a user session duration after this duration is is necessary # to reauthenticate: # User is disconnected from the system after the duration. Disconnect # occurs when a packet arrives. # # Please note that asking the password has to be done if needed on client # side. # # Default is 0 which mean unlimited session # example : # nuauth_session_duration=3600 # maximum number of a simultaneously connected # nufw authentication clients # default : 1024 # nuauth_tls_max_clients=1024 # maximum number of simultaneously connected # nufw servers # (not implemented) # default : 16 # nuauth_tls_max_servers=8 ################################################ # Tuning parameters ################################################ include "nuauth.d/nuauth_tuning.conf" ################################################ # TLS parameters ################################################## include "nuauth.d/nuauth_tls.conf" ############################################ # Kerberos 5 authentication ############################################ include "nuauth.d/nuauth_krb5.conf" ############################################ # Users tracking ############################################# # decide if we're logging user activity # log level is the sum of values : # 0 : no log at all # 1 : log new user (in syslog) # 2 : log rejected packets # 4 : log accepted packets # 8 : do session tracking # complete session tracking need special iptables # rules, described in documentation nuauth_log_users=9 #Controls whether the users logging is absolutely safe : access is logged before #granted. This is probably necessary if SQL backend is used for SSO. nuauth_log_users_sync=1 # update log entries to avoid accidental double connection # DO NOT DISABLE IT BY CHANGING IT TO 0 if you want strict security # WHEN USING SSO MODULES nuauth_log_users_strict=1 # remove realm from username before logging # this is the recommanded setting as it is easier # to interact with other authorisation modules when SSO # feature are used. nuauth_log_users_without_realm=1 #################################################### # plaintext parameters ##################################################### #plaintext_userfile="/etc/nufw/users.nufw" #plaintext_aclfile="/etc/nufw/acls.nufw" ################################################### # system parameters ################################################### # add a lock to be able to deal with non thread # safe pam modules. For more safety this is set to 1 by default # NEEDED for winbind. system_pam_module_not_threadsafe=1 # Some glibc (read 2.3.2) have a buggy implementation # of getgrouplist which causes a crash. If this is the case # set the following option to the maximum number of groups # for a single user. #system_glibc_cant_guess_maxgroups=0 # Suppress domain added as prefix during login phase #system_suppress_prefixed_domain=0 ########################################### # Ldap external auth ########################################### include "nuauth.d/nuauth_ldap.conf" ############################################### # Database User Logging config ############################################### include "nuauth.d/nuauth_mysql.conf" include "nuauth.d/nuauth_pgsql.conf" ########################### # # X509 modules ###################### # For x509_std : nuauth_tls_trusted_issuer_dn #This option is used to match issuer of a certificate against this string. #It there is a match, then we trust the give certificate. # nuauth_tls_trusted_issuer_dn=DN ############################### # xml_defs module ############################## # Place where periods have to be read #xml_defs_periodfile="/etc/nufw/periods.xml" # ####################################### # marking modules ####################################### include "nuauth.d/nuauth_mark.conf" ########################################### # authtype module ########################################### include "nuauth.d/nuauth_authtype.conf" ########################################### # auth_mysql module ########################################### # for ip authentication # name of the table containing user sessions # mysql_ipauth_table_name="ipauth_sessions" # Is the mysql function check_net active in the MySQL database # mysql_ipauth_check_netmask=1 # # # for userid and groupid check # mysql_userinfo_table_name="userinfo" # mysql_groups_table_name="groups" # mysql_groupinfo_table_name="groupinfo" # # fallback to guest's username, userID and groupID # instead of dropping request. # mysql_auth_fallback_to_guest=1 # mysql_auth_guest_username="guest" # mysql_auth_guest_userid=0 # mysql_auth_guest_groupid=99 ############################################################## # ipauth_guest: ip authentication module ############################################################## # Set the name of user that will be returned if there is no one # connected at the source IP. # ipauth_guest_username = "guest" ############################################################## # ulogd2 ############################################################## # Logs (for packets) can be sent to ulogd2, using the UNIXSOCK # module. # absolute path to the unix socket created by ulogd2 # ulogd2_socket="/var/run/ulogd2.sock"