OpenBSD in CSCF (obsolete)
CSCF's ability to support
OpenBSD is very limited. In mid-2007, CSCF starting looking at
OpenBSD for low-cost network load balancing using CARP/pfsync and relayd (formerly hoststated). CSCF is not looking at
OpenBSD for firewalling (yet), as a pair of Netscreen 500 appliances serve that purpose quite nicely.
User Accounts
Since OpenBSD does not support LDAP, one needs to create account in the local database using the
useradd
command. The good news is that OpenBSD supports external authentication such as
radius
and
krb5
. We use
radius
to authenticate off the
TwoFactor service, which essentially involves:
- Creating a new user class named
twofactor
that uses radius
authentication. See login.conf(5)
and login_radius(8)
for details.
- Creating
/etc/raddb/servers
to store the shared secrets.
- Ensure users are created with
useradd -L twofactor
Notes
- OpenBSD 4.2 doesn't work properly with the NET0 and NET1 ports on the Sun Fire X4200 M2 server. This has been fixed for version 4.3 (out in Spring 2008). We worked around the issue by rebuilding the 4.2 kernel with a patch.
Resources
--
JasonTestart - 12 Dec 2007