The French version of this document
(c)2003 Jérôme KIEFFER <kieffer at terre-adelie dot org>.
The whole Sesame project is licensed under the GPL.
The main source is at: http://www.terre-adelie.org/sesame
A mirror can be found at: http://www.crans.org/~kieffer/sesame/
French (original) version by Jérôme KIEFFER <kieffer at terre-adelie dot org>
English version by Kenn Sebesta <kenn at eissQ dot com>
To authorize access to a network by dynamically changing iptables firewall rules, using a system based on an SSL-encrypted web page. This system connects (or does not connect) users to your wireless network.
There are two types of access: fixed-IP-address users, and tickets which are only active for a certain timespan, e.g. one hour. The two groups aren't managed the same way. For instance, you can create a ticket but not modify it, like a prepaid telephone card.
Obviously NoCat (also GPL'ed) inspired this work. Sesame's web pages and framework come directly from NoCat. (If you don't like the web page layout, feel free to contact me with suggestions. I am not a webmaster.) However, Sesame is significantly different from NoCat. It is completely written in Python, whereas NoCat is written in Perl, and it was designed to run on a single machine: the gateway machine is also the web server.
Many thanks to rob@nocat.net.
The idea behind Sesame is the same as that proposed by NASA.
Linux kernel 2.4 or later
apache-ssl
Python 2.2 or later
A preexisting firewall. Sesame only makes some small changes to the rules for opening or closing ports. (TODO: provide a default firewall configuration).
sudo (for modifying the firewall as root via sudo iptables.)
Unzip the archive into your directory of choice. I suggest /usr/local/sesame. By default, you have to redefine the home variable at the beginning of each executable. (TODO: create a makefile that installs more cleanly.)
Install and configure apache-SSL, and point the root directory to sesame/htdocs.
In Apache, authorize the CGI scripts and point the cgi-bin directory to sesame/cgi-bin.
Configure the firewall rules in ~/lib/sesame.py.
Install sudo and add the rule in /usr/local/sesame/etc/sudo to your /etc/sudoers (in order to authorize www-data to execute iptables).
Configure cron to close inactive connections. In order to do this, copy /usr/local/sesame/etc/cron.d to /etc/cron.d/sesame.
Adding a user is simply a matter of running /sesame/bin/edit-sesame in a shell. You must input the name, password, MAC address of the network card and IP address, and can input some other optional info (email, postal address). The program edits the file sesame/etc/passwd.
In order to remove a user, without a doubt the easiest way is to delete the corresponding line in the passwd file.
TODO: create a new administration interface in Ncurses or, even better, in HTML+cgi-bin. In fact, it wouldn't be so bad to automatically modify /etc/dhcp.conf in order to automatically change the fixed IP addresses.
An “internet-ticket” is a login/password that lets anyone connect to the network. There is no MAC filter because the CGI script reads the client's IP address and determines the MAC according to the ARP table. A DHCP configuration with dynamic IP addresses is thus completely appropriate. You can create a new “internet-ticket” simply by running the program sesame/bin/new-ticket and setting the duration of the ticket (1m = one minute, 0.25h = fifteen minutes, etc.).
TODO: generate a PDF and/or print the ticket.
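The ticket mechanics described above, as an added example in Python (not Sesame's own code): it parses the duration syntax the page gives (1m, 0.25h), tracks a ticket's validity window, and resolves a client's MAC address from the Linux ARP table the way the CGI script is said to. The ticket dictionary layout, the function names, the assumption that the timespan starts counting at first login, and the /proc/net/arp sample are all my own; the ARP text is constructed sample data.

```python
"""Added example, not part of Sesame: ticket durations, validity and ARP lookup."""
import re
import time

# Constructed sample in the format of /proc/net/arp (header line, then entries).
# The 0x0 flag on the second entry means the ARP entry is incomplete.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.21     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Duration units: the page shows "m" and "h"; "s" and "d" are added here.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'1m' -> 60, '0.25h' -> 900. Raises ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([smhd])\s*", text)
    if not m:
        raise ValueError("bad duration: %r" % (text,))
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def new_ticket(login, duration_text, now=None):
    """Create a ticket; 'expires' stays None until the ticket is first used
    (assumption: the paid timespan starts at first login, like a prepaid card)."""
    created = int(now if now is not None else time.time())
    return {"login": login, "lifetime": parse_duration(duration_text),
            "created": created, "expires": None}


def activate_ticket(ticket, now):
    """Start the ticket's clock on first use; later calls do not extend it."""
    if ticket["expires"] is None:
        ticket["expires"] = now + ticket["lifetime"]
    return ticket


def ticket_valid(ticket, now):
    """True only for an activated ticket whose timespan has not run out."""
    return ticket["expires"] is not None and now < ticket["expires"]


def mac_for_ip(ip, arp_text):
    """Return the MAC recorded for 'ip' in ARP-table text, or None.
    Incomplete entries (flags 0x0) carry a zero MAC and are ignored."""
    for line in arp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == ip and fields[2] != "0x0":
            return fields[3].lower()
    return None


def mac_for_ip_from_proc(ip, path="/proc/net/arp"):
    """Same lookup against the live kernel table (Linux only)."""
    with open(path) as f:
        return mac_for_ip(ip, f.read())
```

Note that the lookup trusts whatever the kernel's ARP cache holds for the client's IP; the firewall rule Sesame installs is only as good as that IP/MAC pairing, which is why the page keys its rules on both.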
A client can get a static IP address through DHCP. The DHCP server can be on the router or elsewhere, but the servers must be synchronized. In order to access the Internet from a local network, e.g. your wireless network, the client connects to the web-SSL server https://router, if your router is named router. This communication is encrypted in order to stop others from sniffing the password. Once the client is authorized, Sesame opens a port in the firewall and lets out packets coming from the authorized MAC/IP address combo. The ports are automatically closed after 2 minutes of inactivity or if the ticket is no longer valid.
For bug reports or other feedback, or if you want to give me a hand, send me an email (en français or in English) to kieffer@crans.org
Version 0.1:
All of the web part works and the firewall updates work, but a beginner's error kept the program from working (Jérôme: repeat Rusty Russell's advanced firewalling howto 10x with your eyes closed).
Version 0.2:
Iptables is now directly controlled by Python. You have to authorize iptables in sudo. This doesn't seem to decrease performance, but it's cleaner than a sudo'ed Python calling Python (which causes problems, although I don't understand why).
Version 0.3:
Pointless to reload the firewall if the connection table hasn't been modified.
Logs users in separate files.
Logs seconds in Unix time.
CGI disconnect page (identification by IP address only).
Copied all the functions into a library in /lib.
Connection tracking page.
Adds a user and time to /etc/connected according to the time connected.
Version 0.4:
Console tool for changing passwords and other info.
User invoicing between two dates.
Creating an Internet-ticket for a limited time-span (10 minutes, 3 hours).
I also need to start thinking about...
Interaction with a remote password server.
Dynamic DHCP, synchronization between the DHCP database and that of Sesame. Management of time/credit... Make a “pretty” tool which outputs the connection time of a user during a given period and makes a real receipt. (You need to know the price/hour, e.g. $1/hr.)
Rather than regularly flushing the chains and recreating them, it would be cleaner to flush only the out-of-date rules.
How to protect against: http://airsnarf.shmoo.com.
Is it worth busting my butt? Without a doubt, yes, but VPN solutions won't be ubiquitous for several years yet, and certainly not for public wireless hotspots.