4. Configuring Zorp Authentication Agent (Satyr)

4.1. Configuring on Microsoft Windows platforms

4.1.1. Registry entries

Some settings of Zorp Authentication Agent (Satyr) can be modified via the Windows Registry. Launch the registry editor by issuing the regedit command (either from a command prompt or via the Start menu / Run application menu item).

The parameters of the Zorp Authentication Agent are located under HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\Satyr.

The component given for each parameter is the component that has to be restarted if the value is modified (i.e. the Satyr Multiplexer service for Multiplexer, the Satyr Client application for Client).

To restart the Multiplexer right click on the Satyr Multiplexer element of the Start menu / Settings / Control panel / Administrative Tools / Services list and select Restart.

The following settings are available from the registry. Each entry gives the name of the value, its description, its default value, and the component that has to be restarted after the value is changed.

aliasfile

The name and path (e.g.: C:\tmp\aliases) of a text file. Using the information contained in this file, the Satyr Multiplexer can redirect the authentication of certain users to a different user in multiuser environments. E.g.: to redirect the connection authentication of the Administrator user to MainUser enter the following line: Administrator: MainUser.

Default value: 1. Component: Multiplexer.

Automatic

Enables the automatic Kerberos authentication if set to 1.

Default value: 1. Component: Client.

Can Remember

The user can set the client to remember his/her password if set to 1. This option is disabled if the value of this parameter is 0.

Default value: 1. Component: Client.

Details

The authentication agent displays the details of the connection in the popup dialog if this parameter is set to 1. The following information is displayed: name of the application initiating the connection, IP address and port of the destination server, name of the Zorp service started, and the type of the connection (TCP/UDP). If the details are disabled, only the name of the service is displayed.

Default value: 0. Component: Client.

Has Preferences

Enables the Preferences menu item in the local menu of the authentication agent (right click on the tray icon). The Preferences menu item is displayed only if this parameter is set to 1.

Default value: 1. Component: Client.

Forget Password Interval

Instructs the authentication agent to forget the stored password after the set period (in minutes). That way no unauthorized connections can be initiated from an unattended machine.

Default value: 1. Component: Client.

Forget Password

The authentication agent can store the set password indefinitely if this parameter is set to False. Practically this sets the Forget Password Interval to infinite.

Default value: 1. Component: Client.

LOG_CLIENT

The verbosity level of the authentication client, ranging from 0 (lowest) to 9. Setting it higher than 3 can result in very large log files, thus it should be used only if needed (e.g.: for debugging purposes). The log files are stored in the %SystemRoot%\Debug folder (e.g.: C:\Winnt\Debug).

Default value: 0. Component: Client.

LOG

The verbosity level of the Multiplexer, ranging from 0 (lowest) to 9. Setting it higher than 3 can result in very large log files, thus it should be used only if needed (e.g.: for debugging purposes). The log files are stored in the %SystemRoot%\Debug folder (e.g.: C:\Winnt\Debug).

Default value: 0. Component: Multiplexer.

SSL

The Multiplexer accepts only SSL-encrypted connections if this parameter is set to 1.

Default value: 1. Component: Multiplexer.

4.1.2. Command line parameters (Windows)

The version number of the client can be displayed from the command line via the satyr-client.exe --version command. The Satyr Multiplexer (satyr-mpxd.exe) has the following command-line options:

--install_service

Register the Satyr Multiplexer service.

--remove_service

Remove the Satyr Multiplexer service.

--start_service

Start the Satyr Multiplexer service.

--stop_service

Stop the Satyr Multiplexer service.

4.1.3. Configuring SSL connections (Windows)

Satyr Multiplexer and Zorp can communicate via an SSL-encrypted channel. For this, a certificate has to be available on the Zorp firewall that Zorp uses to authenticate the connection to the Multiplexer. The Multiplexer verifies this certificate using the certificate of the CA issuing Zorp's certificate, therefore the certificate of the CA has to be imported to the machine running the Zorp Authentication Agent.

[Note] Note

It is highly recommended to encrypt the communication between Zorp and the authentication agent, since without it anyone can connect to the Satyr Multiplexer, allowing unauthorized people to obtain the authentication information. It is essential to use encryption when password authentication is used.

To enable encryption between Zorp and the authentication agent complete the following steps. See Chapter 14, Key and certificate management in Zorp in the Zorp Administrator's Guide for the steps to be completed from ZMC.

Procedure 5. Encrypting the communication between Zorp and the authentication agent (Windows)

  1. Create a CA (e.g.: Satyr_CA) using the Zorp Management Console (ZMC). This CA will be used to sign the certificates shown by the Zorp firewalls to the authentication agents.

  2. Export the CA certificate into DER format.

  3. Generate certificate request(s) for the Zorp firewall(s) and sign them with the CA created in Step 1.

    [Note] Note

    Every firewall should have its own certificate. Do not forget to set the firewall as the Owner host of the certificate.

  4. Distribute the certificates to the firewalls.

  5. Install the Zorp Authentication Agent (Satyr) application to the workstations and import to each machine the CA certificate exported in Step 2.

    There are three ways to import the CA certificate:

    1. Using the installer of the Zorp Authentication Agent.

    2. Manually using the addcert and getcert programs (see Section 4.1.3.1, “Using the addcert and getcert programs”).

    3. Using the Microsoft Management Console (see Section 4.1.3.2, “Importing the CA certificate using Microsoft Management Console (MMC)”).

  6. Create the appropriate outband authentication policies in ZMC and reference them in the services of Zorp. See Chapter 18, Connection authentication and authorization in the Zorp Administrator's Guide for details.

4.1.3.1. Using the addcert and getcert programs

To import the certificate of the CA complete the following steps.

Procedure 6. Importing the CA certificate manually

  1. The certificate can be imported using the addcert.exe program located in the installation folder of the Satyr client (C:\Program Files\Satyr client by default). The program can be started from a command prompt or via the Run application item of the Start menu. Supply the name and path of the DER-format certificate as an input parameter. E.g.:


    C:\Program Files\Satyr client\addcert C:\temp\Satyr_CA.crt

    [Note] Note

    Running addcert.exe requires administrator privileges.

  2. Verify that the certificate has been successfully imported by running getcert.exe. Running getcert.exe lists the Subject of all imported certificates.

  3. Restart the Satyr Multiplexer service.

4.1.3.2. Importing the CA certificate using Microsoft Management Console (MMC)

To import the certificate of the CA complete the following steps.

Procedure 7. Importing the CA certificate using MMC

  1. Start Microsoft Management Console by executing mmc.exe (Start menu Run application).

    [Note] Note

    Running mmc.exe requires administrator privileges.

  2. Adding a snap-in

    Figure 10. Adding a snap-in

    Click on the Add/Remove snap-in item of the File menu.

  3. Adding certificates

    Figure 11. Adding certificates

    Click Add, select the Certificates module, and click Add.

  4. Selecting the service account

    Figure 12. Selecting the service account

    Select Service account in the displayed window and click Next.

  5. Selecting the managed computer

    Figure 13. Selecting the managed computer

    Select Local computer and click Next.

  6. Selecting the service

    Figure 14. Selecting the service

    Select the Satyr Multiplexer service from the displayed list and click Finish.

    With the above steps a snap-in module has been configured that makes it possible to conveniently manage the certificates related to the Satyr Multiplexer.

  7. Importing the CA certificate

    Figure 15. Importing the CA certificate

    Navigate to Certificates - Service (Satyr Multiplexer) \ satyr-mpxd \ Personal \ Certificates, and click Add.

  8. Right-click on the Certificates folder and from the appearing menu select All tasks / Import. The Certificate Import Wizard will be displayed. Click Next.

  9. Selecting the certificate to import

    Figure 16. Selecting the certificate to import

    Select the certificate to import (e.g.: C:/tmp/Satyr_CA.crt) and click Next.

  10. Selecting the certificate store

    Figure 17. Selecting the certificate store

    Windows offers a suitable certificate store by default, so click Next.

  11. Summary

    Figure 18. Summary

    Click Finish on the summary window and OK on the window that marks the successful importing of the certificate. The main window of MMC is displayed with the imported certificate.

    The imported certificate

    Figure 19. The imported certificate

  12. Restarting the Satyr Multiplexer

    Figure 20. Restarting the Satyr Multiplexer

    Restart the Satyr Multiplexer service. Navigate to Start menu / Settings / Control panel / Administrative Tools / Services and right-click on the Satyr Multiplexer element of the list. Select the Restart option.

4.1.4. Configuring X.509 certificate based authentication (Windows)

For authentication based on X.509 certificates the certificate and the private key of the user have to be deployed onto the workstation. Import the certificate of the user into his/her personal certificate store. This can be accomplished most easily via Internet Explorer:

  1. Start Internet Explorer from the Start menu or from a command prompt by running iexplore.exe.

  2. From the Tools menu select Internet Options.

  3. The certificates of the user

    Figure 21. The certificates of the user

    On the Contents tab click on Certificates.

  4. The certificates of the user

    Figure 22. The certificates of the user

    The certificates of the user are displayed on the Personal tab. Click Import.

    [Note] Note

    Hardware keys and tokens (e.g.: Aladdin) having a suitable driver for Windows are also displayed in this store and can be used from the Zorp Authentication Agent.

  5. Import the certificate using the Certificate Import Wizard.

4.2. Configuration on Debian GNU/Linux platforms

4.2.1. Command line parameters (Linux)

The graphical client (satyr-gtk) has the following command line parameters:

--help or -?

Display a brief help message.

--version or -V

Display version number and compilation information.

--automatic or -a

Enables automatic Kerberos authentication.

--no-syslog or -l

Send log messages to the standard output instead of syslog.

--verbose <verbosity> or -v <verbosity>

Set verbosity level to <verbosity>. By default the verbosity level is 3; possible values are 0-10.

--logtags or -T

Prepend log category and log level to each message.

Satyr Multiplexer (satyr-mpxd) has the following command line parameters:

--help or -?

Display a brief help message.

--version or -V

Display the version number of satyr-mpxd.

--no-syslog or -l

Send log messages to the standard output instead of syslog.

--verbose <verbosity> or -v <verbosity>

Set verbosity level to <verbosity>. By default the verbosity level is 3; possible values are 0-10.

--logtags or -T

Prepend log category and log level to each message.

--aliasfile or -a

The name (including full path) of a text file (e.g.: /tmp/aliases) used by Satyr Multiplexer to redirect the authentication requests of certain users to a different user in multiuser environments. E.g.: to redirect all authentication requests of the root user to MainUser add the following line to the file: root: MainUser.

--log-spec or -s

Set verbosity mask on a per category basis. Each log message has an assigned multi-level category, where levels are separated by a dot. For example, HTTP requests are logged under http.request. <spec> is a comma separated list of log specifications. A single log specification consists of a wildcard matching log category, a colon, and a number specifying the verbosity level of that given category. Categories match from left to right. E.g.: --logspec 'http.*:5,core:3'. The last matching entry will be used as the verbosity of the given category. If no match is found the default verbosity specified with --verbose is used.

--no-require-ssl or -S

Disable the SSL encryption of the communication between Zorp and the Multiplexer.

--bind-address or -b, and --bind-port or -p

The IP address and the port the Multiplexer is accepting connections on.

--crt-dir or -t

Path of the directory containing the certificate of the CA that issued the certificate of the Zorp firewall.

--crl-dir or -r

Path of the directory containing the Certificate Revocation List (CRL) related to the above CA.
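The per-category verbosity resolution described for --log-spec, worked through as an added example (this is an illustration, not code from the Satyr package): the spec is split on commas, each entry's wildcard is matched against the category, the last matching entry wins, and the --verbose default applies when nothing matches. Interpreting the wildcards with shell glob semantics, and the handling of malformed entries, are assumptions of this example.

```shell
#!/bin/sh
# Resolve the effective log level for one category from a --log-spec
# string. Rules, as documented for satyr-mpxd:
#   - spec is a comma-separated list of "<wildcard>:<level>" entries
#   - the LAST entry whose wildcard matches the category wins
#   - if nothing matches, the --verbose default is used
# Assumption of this illustration: wildcards follow shell glob rules,
# so "http.*" matches "http.request" but "core" matches only "core".
#
# Usage: logspec_level SPEC DEFAULT CATEGORY   -> prints the level

logspec_level() {
    spec=$1; default=$2; category=$3
    level=$default

    # Split the spec on commas into the positional parameters.
    old_ifs=$IFS
    IFS=','
    set -- $spec
    IFS=$old_ifs

    for entry in "$@"; do
        # Reject entries without a "pattern:level" shape.
        case $entry in
            *:*) ;;
            *) printf 'ignoring malformed log spec entry: %s\n' "$entry" >&2
               continue ;;
        esac
        pattern=${entry%:*}
        lvl=${entry##*:}
        # The level must be a plain non-negative integer.
        case $lvl in
            ''|*[!0-9]*)
                printf 'ignoring non-numeric level in: %s\n' "$entry" >&2
                continue ;;
        esac
        # Glob-match the category; a later match overrides an earlier one.
        case $category in
            $pattern) level=$lvl ;;
        esac
    done

    printf '%s\n' "$level"
}

# Example run with the spec from the text: http.request -> 5, core -> 3,
# and an unlisted category such as ssl.handshake falls back to the default.
for cat in http.request core ssl.handshake; do
    printf '%s -> %s\n' "$cat" "$(logspec_level 'http.*:5,core:3' 3 "$cat")"
done
```

Because later entries override earlier ones, an administrator who wants "everything at 3 except http at 5" writes the broad pattern first ('*:3,http.*:5'); written the other way round, the '*' entry silently wins for every category.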

4.2.2. Configuring SSL-encrypted connections (Linux)

To enable encryption between Zorp and the authentication agent complete the following steps. See Chapter 14, Key and certificate management in Zorp in the Zorp Administrator's Guide for the steps to be completed from ZMC.

Procedure 9. Encrypting the communication between Zorp and the authentication agent (Linux)

  1. Create a CA (e.g.: Satyr_CA) using the Zorp Management Console (ZMC). This CA will be used to sign the certificates shown by the Zorp firewalls to the authentication agents.

  2. Export the CA certificate into PEM format.

  3. Generate certificate request(s) for the Zorp firewall(s) and sign them with the CA created in Step 1.

    [Note] Note

    Every firewall should have its own certificate. Do not forget to set the firewall as the Owner host of the certificate.

  4. Distribute the certificates to the firewalls.

  5. Install the Zorp Authentication Agent (Satyr) application to the workstations and import to each machine the CA certificate exported in Step 2.

    To import the CA certificate complete the following steps:

    1. Create the /etc/satyr/ca directory:

      mkdir /etc/satyr/ca

    2. Copy the certificate exported into PEM format in Step 2 into the /etc/satyr/ca directory.

    3. Verify the hash of the CA certificate:

      openssl x509 -in /etc/satyr/ca/cacert.pem -hash -noout

    4. Create a symlink to the certificate file using the hash received in the above step. Add the .0 suffix (or the next free suffix if .0 is already taken) to the file as an extension, e.g.:

      ln -s /etc/satyr/ca/cacert.pem /etc/satyr/ca/6d2962a8.0

    5. Restart the Satyr Multiplexer daemon:

      /etc/init.d/satyr-mpxd restart

      The authentication client is now ready to accept encrypted connections from Zorp.

  6. Create the appropriate outband authentication policies in ZMC and reference them in the services of Zorp. See Chapter 18, Connection authentication and authorization in the Zorp Administrator's Guide for details.
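The CA import of Step 5 above (copy the PEM file, take its OpenSSL subject hash, create the <hash>.N symlink with the first free N), scripted as an added example that is not part of the Satyr package. It assumes the openssl binary is installed and that openssl x509 -hash yields the hash form the Multiplexer's OpenSSL library looks up; the function names, the verification helper and the default directory argument are this example's own.

```shell
#!/bin/sh
# Install a PEM CA certificate into a Satyr CA directory the way the
# manual procedure does, and verify the directory afterwards.
# Added illustration; not Satyr's own tooling. Requires openssl.

# Print the first N >= 0 for which DIR/HASH.N does not exist yet, so a
# second CA with the same subject hash gets .1, .2, ... instead of
# clobbering an existing link.
satyr_next_free_suffix() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Copy CERT into DIR (default /etc/satyr/ca, as in the procedure) and
# create the hash symlink. Prints the path of the symlink created.
satyr_install_ca() {
    cert=$1; dir=${2:-/etc/satyr/ca}
    [ -f "$cert" ] || { printf 'no such certificate: %s\n' "$cert" >&2; return 1; }
    # Refuse anything openssl cannot parse as an X.509 certificate
    # (a private key or a DER file copied here by mistake, for instance).
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        printf 'not a valid PEM certificate: %s\n' "$cert" >&2; return 1; }
    mkdir -p "$dir"
    base=$(basename "$cert")
    # Copy unless an identical file is already in place.
    cmp -s "$cert" "$dir/$base" || cp "$cert" "$dir/$base"
    hash=$(openssl x509 -in "$dir/$base" -hash -noout)
    n=$(satyr_next_free_suffix "$dir" "$hash")
    ln -s "$dir/$base" "$dir/$hash.$n"
    printf '%s\n' "$dir/$hash.$n"
}

# Check that every <hash>.N symlink in DIR points at a certificate whose
# subject hash really is <hash>; a stale link from a replaced CA file is
# the usual reason the Multiplexer silently rejects Zorp's certificate.
# Returns 1 if any link is stale.
satyr_verify_ca_dir() {
    dir=$1; status=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        expected=$(basename "$link"); expected=${expected%%.*}
        actual=$(openssl x509 -in "$link" -hash -noout 2>/dev/null)
        if [ "$actual" != "$expected" ]; then
            printf 'stale link: %s (certificate hash is %s)\n' "$link" "$actual" >&2
            status=1
        fi
    done
    return $status
}

# Typical use, mirroring the manual steps:
#   satyr_install_ca /tmp/cacert.pem /etc/satyr/ca
#   satyr_verify_ca_dir /etc/satyr/ca
#   /etc/init.d/satyr-mpxd restart
```

Running satyr_verify_ca_dir after any change to the directory is the cheap check that the symlink and the file it names still agree; the Multiplexer only finds the CA through the hash-named link, not through cacert.pem itself.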

4.2.3. Configuring X.509 certificate based authentication (Linux)

For authentication based on X.509 certificates the certificate and the private key of the user have to be deployed onto the workstation. Create a directory called .satyr in the home folder of the user and copy the certificate and private key of the user in PEM format into this directory. Use the cert.pem and key.pem filenames, or create symlinks with these names pointing to the certificate and the key file. The authentication agent will automatically use the certificate found in this directory.
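The deployment just described, as an added example that is not part of the Satyr package: it places cert.pem and key.pem in ~/.satyr and adds the two checks an administrator wants before the agent picks the files up, namely that the key really belongs to the certificate and that the private key is readable by its owner only. It assumes the openssl binary; the function names and the permission check are this example's own.

```shell
#!/bin/sh
# Stage a user's X.509 certificate and private key for the agent under
# ~/.satyr with the fixed names the manual specifies. Added illustration,
# not Satyr's own code. Requires openssl.

# Return 0 when KEY is the private key belonging to CERT, by comparing
# the public key embedded in the certificate with the one derived from
# the private key.
satyr_key_matches_cert() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when FILE is a regular file with no group or other permission
# bits set (ls -l mode of the form -rw-------).
satyr_key_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Install CERT and KEY into DIR (default ~/.satyr) as cert.pem and key.pem.
# Refuses a mismatched pair, since the agent would otherwise present a
# certificate it cannot prove possession of.
satyr_install_user_cert() {
    cert=$1; key=$2; dir=${3:-$HOME/.satyr}
    satyr_key_matches_cert "$cert" "$key" || {
        printf 'private key does not match certificate\n' >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    cp "$cert" "$dir/cert.pem"
    cp "$key" "$dir/key.pem"
    chmod 644 "$dir/cert.pem"
    chmod 600 "$dir/key.pem"
    # Final check: the key must now be owner-readable only.
    satyr_key_perms_ok "$dir/key.pem"
}

# Typical use:  satyr_install_user_cert user.crt user.key
```

If the files are symlinks rather than copies, as the text also permits, the permission check has to be run on the link targets; ls -ld reports the mode of the link itself.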


© 2006 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com