OpenBSD in CSCF

CSCF's ability to support OpenBSD is very limited. In mid-2007, CSCF started looking at OpenBSD for low-cost network load balancing using CARP/pfsync and relayd (formerly hoststated). CSCF is not looking at OpenBSD for firewalling (yet), as a pair of Netscreen 500 appliances serves that purpose quite nicely.

User Accounts

Since OpenBSD does not support LDAP, accounts must be created in the local database using the useradd command. The good news is that OpenBSD supports external authentication such as RADIUS and krb5. We use RADIUS to authenticate against the TwoFactor service, which essentially involves:

  • Creating a new user class named twofactor that uses radius authentication. See login.conf(5) and login_radius(8) for details.
  • Creating /etc/raddb/servers to store the shared secrets.
  • Ensuring users are created with useradd -L twofactor.
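
The read-only check below is an added example, not part of the original page or CSCF's own configuration. It confirms that the login class defaults to RADIUS, that every server the class names has a line in the secrets file, that the secrets file is closed to other users, and it lists accounts outside the class. The function names, the sample hosts, the minimum UID of 1000, and the reading of the `radius-server` / `radius-server-alt` capabilities and the "host secret" line layout are assumptions to confirm against login_radius(8) on the installed release.

```sh
#!/bin/sh
# Added example (not from the original page). Read-only consistency check
# for the setup steps above. Function names are hypothetical.

# check_radius_class CLASS LOGIN_CONF SERVERS_FILE
# Prints one line per problem; returns 0 only if nothing was found.
check_radius_class() {
    class=$1 conf=$2 servers=$3 rc=0
    # Join backslash-continued lines and select the record naming CLASS.
    rec=$(awk -v c="$class" '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, ""); buf = buf $0 }
        buf ~ /\\$/ { sub(/\\$/, "", buf); next }
        { split(buf, f, ":"); m = split(f[1], names, "|")
          for (i = 1; i <= m; i++) if (names[i] == c) { print buf; exit }
          buf = "" }' "$conf")
    [ -n "$rec" ] || { echo "class $class not found in $conf"; return 1; }
    # radius must be the first (default) authentication style.
    case $rec in
        *:auth=radius:*|*:auth=radius,*) ;;
        *) echo "class $class does not default to auth=radius"; rc=1 ;;
    esac
    # Every server the class names needs a "host secret" line (assumed layout).
    hosts=$(printf '%s\n' "$rec" | tr ':' '\n' |
            sed -n 's/^radius-server\(-alt\)\{0,1\}=//p')
    [ -n "$hosts" ] || { echo "class $class names no radius-server"; rc=1; }
    for h in $hosts; do
        awk -v h="$h" '$1 == h && NF >= 2 { ok = 1 } END { exit !ok }' \
            "$servers" || { echo "no shared secret for $h"; rc=1; }
    done
    # The shared secrets must not be accessible to "other".
    perms=$(ls -ld "$servers" | cut -c8-10)
    [ "$perms" = "---" ] || { echo "$servers other-perms are $perms"; rc=1; }
    return $rc
}

# users_outside_class CLASS MASTER_PASSWD [MIN_UID]
# Lists accounts whose class (field 5 of master.passwd) is not CLASS.
# MIN_UID defaults to 1000 (assumed start of regular accounts).
users_outside_class() {
    awk -F: -v c="$1" -v min="${3:-1000}" \
        '$3 >= min && $5 != c { print $1 }' "$2"
}
```

Run as root, for example `check_radius_class twofactor /etc/login.conf /etc/raddb/servers` followed by `users_outside_class twofactor /etc/master.passwd`.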

Notes

  • OpenBSD 4.2 doesn't work properly with the NET0 and NET1 ports on the Sun Fire X4200 M2 server. This has been fixed for version 4.3 (out in Spring 2008). We worked around the issue by rebuilding the 4.2 kernel with a patch.

Resources

-- JasonTestart - 12 Dec 2007

Topic revision: r1 - 2007-12-11 - JasonTestart
 