mirror of
https://github.com/moparisthebest/sslh
synced 2024-12-21 23:08:58 -05:00
v1.7: 01FEB2010
Added CentOS init.d script (Andre Krajnik). Fixed default ssl address inconsistency, now defaults to "localhost:443" and fixed documentation accordingly (pointed by Markus Schalke). Children no longer bind to the listen socket, so parent server can be stopped without killing an active child (pointed by Matthias Buecher). Inetd support (Dima Barsky).
parent 0658982705
commit 44f02ddf39
65
ChangeLog
Normal file
@ -0,0 +1,65 @@
v1.7: 01FEB2010
Added CentOS init.d script (Andre Krajnik).

Fixed default ssl address inconsistancy, now
defaults to "localhost:443" and fixed documentation
accordingly (pointed by Markus Schalke).

Children no longer bind to the listen socket, so
parent server can be stopped without killing an
active child (pointed by Matthias Buecher).

Inetd support (Dima Barsky).

v1.6: 25APR2009
Added -V, version option.

Install target directory configurable in Makefile

Changed syslog prefix in auth.log to "sslh[%pid]"

Man page

new 'make install' and 'make install-debian' targets

PID file now specified using -P command line option

Actually fixed zombie generation (the v1.5 patch got
lost, doh!)


v1.5: 10DEC2008
Fixed zombie generation.

Added support scripts (), Makefile.

Changed all 'connexions' to 'connections' to please
pesky users. Damn users.

v1.4: 13JUL2008
Added libwrap support for ssh service (Christian Weinberger)
Only SSH is libwraped, not SSL.

v1.3: 14MAY2008
Added parsing for local interface to listen on

Changed default SSL connection to port 442 (443 doesn't make
sense as a default as we're already listening on 443)

Syslog incoming connections

v1.2: 12MAY2008
Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
Making sslhc more like a real daemon:
* If $PIDFILE is defined, write first PID to it upon startup
* Fork at startup (detach from terminal)
(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
* Less memory usage (?)

v1.0:
Basic functionality: privilege dropping, target hostnames and ports
configurable.

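Review bot: two wording slips in the new file: "inconsistancy" in the v1.7 entry should be "inconsistency" (the commit title repeats it), and "Added support scripts (), Makefile." in the v1.5 entry has an empty pair of parentheses where the script names presumably went; either list them or drop the parentheses. "libwraped" in the v1.4 entry wants a second p. Since this commit also changes the init script's stop() (the `killall $DAEMON` hunk further down), that is a user-visible change worth a line in the v1.7 entry next to the "parent server can be stopped without killing an active child" item it supports.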
2
Makefile
@ -1,6 +1,6 @@
# Configuration

VERSION="v1.6i"
VERSION="v1.7a"
USELIBWRAP=1 # Use libwrap?
PREFIX=/usr/local

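Review bot: VERSION="v1.7a" disagrees with the ChangeLog added in this same commit, which heads its entry "v1.7"; `sslh -V` prints whatever ends up in the VERSION macro, so pick one spelling and use it in both places. The README hunk in this commit states that the version number lives only in the Makefile, and sslh.c now falls back to "v?" when VERSION is undefined, so this line is the single source of truth and deserves a comment saying so.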
92
README
@ -16,7 +16,8 @@ make install

Otherwise:

Compilation instructions:
Compilation instructions (the binary produced won't contain
the version number, which is stored only in the Makefile)

Solaris:
cc -o sslh sslh.c -lresolv -lsocket -lnsl
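Review bot: the new parenthesis tells the reader that a hand-built binary carries no version number, but since sslh.c in this commit only falls back to `#define VERSION "v?"` when the macro is undefined, the remedy fits on the same line: `cc -DVERSION='"v1.7"' -o sslh sslh.c -lresolv -lsocket -lnsl` (the inner double quotes make the macro expand to a C string literal). Showing that is more useful than noting the number is missing, and keeps `sslh -V` meaningful for Solaris users.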
@ -36,9 +37,13 @@ To install:

make
cp sslh /usr/local/sbin
cp scripts/etc.init.d.sslh /etc/init.d/sslh
cp scripts/etc.default.sslh /etc/default/sslh

For Debian:
cp scripts/etc.init.d.sslh /etc/init.d/sslh
For CentOS:
cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh

and probably create links in /etc/rc<x>.d so that the server
start automatically at boot-up, e.g. under Debian:
update-rc.d sslh defaults
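Review bot: the CentOS line copies `scripts/etc.rc.d.init.d.sslh`, but the file this commit adds is `scripts/etc.rc.d.init.d.sslh.centos`, so the cp as written fails. Two more gaps for CentOS readers: the new script sources /etc/sysconfig/sslh rather than /etc/default/sslh, so the `cp scripts/etc.default.sslh /etc/default/sslh` step above does nothing on CentOS and the README should say where OPTIONS goes on that platform; and the sentence ending "e.g. under Debian: update-rc.d sslh defaults" needs the CentOS counterpart, `chkconfig --add sslh`, which the script's chkconfig header already prepares for.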
@ -60,6 +65,10 @@ coming from inside your network don't need to go through
sslh, and sslh is only there as a frontal for connections
coming from the internet.

Note that 'external name' in this context refers to the
actual IP address of the machine as seen from your network,
i.e. that that is not 127.0.0.1 in the output of
ifconfig(8).

==== Libwrap support ====

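Review bot: "i.e. that that is not 127.0.0.1" in the added paragraph is a typo; suggest "i.e. the address that is not 127.0.0.1 in the output of ifconfig(8)". While this paragraph is being added, it is the natural place to state the constraint the new defaults depend on: with sslh listening on 0.0.0.0:443 and forwarding SSL to localhost:443, the HTTPS server must be bound to 127.0.0.1 only and sslh to the external address, otherwise the two contend for port 443 or sslh ends up forwarding to itself.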
@ -68,48 +77,39 @@ service: because the connection to sshd will be coming
locally from sslh, sshd cannot determine the IP of the
client.

==== OpenVPN support ====

OpenVPN clients reportedly take more than one second between
the time the TCP connexion is established and the time they
send the first data packet. This results in sslh with
default settings timing out and assuming an SSH connexion.
To support OpenVPN connexions reliably, it is necessary to
increase sslh's timeout to 5 seconds.

==== IP_TPROXY support ====

There is a netfilter patch that adds an option to the Linux
TCP/IP stack to allow a program to set the source address
of an IP packet that it sends. This could let sslh set the
address of packets to that of the actual client, so that
sshd would see and log the IP address of the client, making
sslh transparent.

This is not, and won't be, implemented in sslh for the
following reasons (in increasing order of importance):

* It's not vital: the real connecting IP address can be
found in logs. Little gain.
* It's Linux only: it means increased complexity for no
gain to some users.
* It's a patch: it means it'd only be useful to Linux
users who compile their own kernel.
* Only root can use the feature: that's a definite no-no.
Sslh should not, must not, will never run as root.

This isn't to mean that it won't eventually get implemented,
when/if the feature finds its way into the main kernel and
it becomes usuable by non-root processes.


Comments? questions? sslh@rutschle.net

HISTORY

v1.6: 25APR2009
Added -V, version option.
Install target directory configurable in Makefile
Changed syslog prefix in auth.log to "sslh[%pid]"
Man page
new 'make install' and 'make install-debian' targets
PID file now specified using -P command line option
Actually fixed zombie generation (the v1.5 patch got
lost, doh!)


v1.5: 10DEC2008
Fixed zombie generation.
Added support scripts (), Makefile.
Changed all 'connexions' to 'connections' to please
pesky users. Damn users.

v1.4: 13JUL2008
Added libwrap support for ssh service (Christian Weinberger)
Only SSH is libwraped, not SSL.

v1.3: 14MAY2008
Added parsing for local interface to listen on
Changed default SSL connection to port 442 (443 doesn't make
sense as a default as we're already listening on 443)
Syslog incoming connections

v1.2: 12MAY2008
Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
Making sslhc more like a real daemon:
* If $PIDFILE is defined, write first PID to it upon startup
* Fork at startup (detach from terminal)
(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
* Less memory usage (?)

v1.0:
* Basic functionality: privilege dropping, target hostnames and ports
configurable.

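Review bot: the OpenVPN paragraph tells the reader to raise the timeout to 5 seconds without naming the switch; add `-t 5` (the usage text in sslh.c documents `-t <timeout>`). Spelling in the same section: "connexion(s)" appears three times although the v1.5 entry below claims they were all changed to "connections", and "usuable" should be "usable". The HISTORY block at the end duplicates the new ChangeLog file; the +/- markers are lost in this rendering, but the hunk counts (48 old lines, 39 new) fit it being removed here, which is the right call, and if any of it survives it should go so the two lists cannot drift apart. Finally, the -i inetd mode added in this commit is documented only in sslh.pod; the README should at least point at it.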
@ -38,7 +38,6 @@ stop()
{
echo "Stop services: sslh"
killall $DAEMON
rm ${PIDFILE}
logger -t ${tag} -p ${facility} -i 'Stopped sslh'
}

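Review bot: with `killall $DAEMON` removed, the stop() body shown here, complete from `{` to `}`, only prints a message, deletes the PID file and logs; nothing in it stops the server. The ChangeLog entry says the parent can now be stopped without killing active children, which calls for a PID-file based stop such as `kill $(cat ${PIDFILE})` in place of killall, not the absence of any kill; it must also run before `rm ${PIDFILE}`, and that line should become `rm -f ${PIDFILE}` so stop does not fail when the daemon was never started. The rendering has dropped this hunk's file header; judging by the README hunks it is presumably scripts/etc.init.d.sslh, but that cannot be confirmed from the page.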
77
scripts/etc.rc.d.init.d.sslh.centos
Executable file
@ -0,0 +1,77 @@
#!/bin/bash
#
# /etc/rc.d/init.d/sslh
# sslh This shell script takes care of starting and stopping
# sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers
#
# Author: Andre Krajnik akrajnik@gmail.com
#
# chkconfig: 2345 13 87
# description: sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers

# Source function library.
. /etc/init.d/functions

# ./sslh -p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22

SSLH='/usr/local/sbin/sslh'
PIDFILE='/var/run/sslh'

OPTIONS='-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE'

if [ -f /etc/sysconfig/sslh ]; then
. /etc/sysconfig/sslh
fi


start() {
echo -n "Starting SSL-SSH-Switch: "
if [ -f $PIDFILE ]; then
PID=`cat $PIDFILE`
echo sslh already running: $PID
exit 2;
elif [ -f $PIDFILE ]; then
PID=`cat $PIDFILE`
echo sslh already running: $PID
exit 2;
else
cd $SLAPD_DIR
daemon $SSLH $OPTIONS
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $PIDFILE
return $RETVAL
fi

}

stop() {
echo -n "Shutting down SSL-SSH-Switch: "
echo
killproc sslh
echo
rm -f $PIDFILE
return 0
}

case "$1" in
start)
start
;;
stop)
stop
;;
status)
status sslh
;;
restart)
stop
start
;;
*)
echo "Usage: {start|stop|status|restart}"
exit 1
;;
esac
exit $?
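Review bot: several defects in the new script, the first of which breaks it outright. OPTIONS is single-quoted, so `$PIDFILE` is never expanded and sslh receives the literal string `$PIDFILE` as its -P argument, writing its PID to a file of that name in the current directory; use double quotes. Related: PIDFILE='/var/run/sslh' is not sslh's own default (/var/run/sslh.pid per the usage text), and `[ $RETVAL -eq 0 ] && touch $PIDFILE` creates an empty file, so the "already running" branch's `cat $PIDFILE` prints nothing; once -P is passed correctly, let sslh write the file and drop the touch. The `elif [ -f $PIDFILE ]` branch is a verbatim copy of the `if` branch and is dead code. `cd $SLAPD_DIR` is a leftover from an slapd script; the variable is unset, so this is a `cd` to $HOME; drop it or use `cd /`. An existence-only PID file test means a crash leaves the service unstartable until someone removes the file; check that the PID is alive (`kill -0 "$PID"`) before refusing, or defer to `status`. `exit 2;` inside a function ends the whole script; `return 2` is what the case dispatcher expects. Lastly, the script's listen port is 8443 (comment and OPTIONS) while the README and sslh itself default to 443; if intentional, say so in the README's CentOS section.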
27
sslh.c
@ -42,6 +42,9 @@
int allow_severity =0, deny_severity = 0;
#endif

#ifndef VERSION
#define VERSION "v?"
#endif

#define CHECK_RES_DIE(res, str) \
if (res == -1) { \
@ -53,13 +56,14 @@ if (res == -1) { \
"sslh " VERSION "\n" \
"usage:\n" \
"\tsslh [-t <timeout>] -u <username> -p [listenaddr:]<listenport> \n" \
"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-V]\n\n" \
"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-i] [-V]\n\n" \
"-v: verbose\n" \
"-V: version\n" \
"-p: address and port to listen on. default: 0.0.0.0:443\n" \
"-s: SSH address: where to connect an SSH connection. default: localhost:22\n" \
"-l: SSL address: where to connect an SSL connection.\n" \
"-P: PID file. Default: /var/run/sslh.pid\n" \
"-P: PID file. Default: /var/run/sslh.pid.\n" \
"-i: Run as a inetd service.\n" \
""

int verbose = 0; /* That's really quite global */
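Review bot: "Run as a inetd service" should read "Run as an inetd service". The -l line is the only target without a stated default; since this commit sets ssl_str to "localhost:443", append "default: localhost:443" so the usage text agrees with the pod. The -u option, which the synopsis line presents as mandatory, also has an undocumented default ("nobody" in the main() hunk); state it here too.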
@ -351,7 +355,7 @@ void drop_privileges(char* user_name)
CHECK_RES_DIE(res, "setuid");
}

/* Writes my PID if $PIDFILE is defined */
/* Writes my PID */
void write_pid_file(char* pidfile)
{
FILE *f;
@ -392,15 +396,16 @@ int main(int argc, char *argv[])
/* Init defaults */
char *user_name = "nobody";
char listen_str[] = "0.0.0.0:443";
char ssl_str[] = "localhost:442";
char ssl_str[] = "localhost:443";
char ssh_str[] = "localhost:22";
char *pid_file = "/var/run/sslh.pid";
char inetd = 0;

resolve_name(&addr_listen, listen_str);
resolve_name(&addr_ssl, ssl_str);
resolve_name(&addr_ssh, ssh_str);

while ((c = getopt(argc, argv, "t:l:s:p:P:vVu:")) != EOF) {
while ((c = getopt(argc, argv, "t:l:s:p:P:ivVu:")) != EOF) {
switch (c) {

case 't':
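Review bot: with listen_str "0.0.0.0:443" and ssl_str now "localhost:443", the out-of-the-box defaults forward SSL traffic to the very port sslh serves; unless the HTTPS server is bound to 127.0.0.1 only and sslh to a specific external address (the arrangement the pod's ext_ip:443 note describes), a connection can land back in sslh, which forks another child per bounce until the timeout expires. A cheap guard after option parsing: compare addr_ssl and addr_ssh against addr_listen and refuse to start when they match, or at least warn in printsettings(). Minor: `char inetd = 0;` is a boolean flag; an int named for its role (e.g. inetd_mode) reads better next to `char ssl_str[]`, which is a buffer.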
@ -419,6 +424,10 @@ int main(int argc, char *argv[])
resolve_name(&addr_ssh, optarg);
break;

case 'i':
inetd = 1;
break;

case 'v':
verbose += 1;
break;
@ -441,6 +450,13 @@ int main(int argc, char *argv[])
}
}

if(inetd)
{
verbose = 0;
start_shoveler(0);
exit(0);
}

if (verbose)
printsettings();

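Review bot: the inetd branch jumps to the shoveler before anything that follows option parsing, so (as the pod hunk states) -u is ignored and no privileges are dropped. That is appropriate under inetd, where the user comes from the inetd.conf entry, but the README says sslh must never run as root, so refusing here when `getuid() == 0` would turn a misconfigured inetd entry into an error instead of a root-owned shoveler. A comment on why verbose is forced to 0 (stdout is the client socket in inetd mode) would also help the next reader. Style: `if(inetd)` versus `if (verbose)` two lines below.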
@ -469,6 +485,7 @@ int main(int argc, char *argv[])

if (!fork())
{
close(listen_socket);
start_shoveler(in_socket);
exit(0);
}
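Review bot: closing listen_socket in the child is the fix behind the ChangeLog's "parent server can be stopped without killing an active child" item and is correct as far as it goes; the parent should symmetrically close in_socket after the fork, which lies outside this hunk and is worth confirming, since otherwise the parent keeps one descriptor per accepted connection until it runs out. Separately, `if (!fork())` treats a failed fork (-1) as the parent path and silently drops the connection; store the return value, and on -1 log the error and close in_socket.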
11
sslh.pod
@ -6,7 +6,7 @@

=head1 SYNOPSIS

sslh [ B<-t> I<num> ] [B<-p> I<listening address>] [B<-l> I<target address for SSL>] [B<-s> I<target address for SSH>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-V]
sslh [ B<-t> I<num> ] [B<-p> I<listening address>] [B<-l> I<target address for SSL>] [B<-s> I<target address for SSH>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V]

=head1 DESCRIPTION

@ -66,7 +66,7 @@ available interfaces).
Interface and port on which to forward SSL connection,
typically I<localhost:443>.

Defaults to I<localhost:442> (this assumes you would
Defaults to I<localhost:443> (this assumes you would
configure your B<httpd> process to listen to port 443).

Note that you can set B<sslh> to listen on I<ext_ip:443> and
@ -97,6 +97,11 @@ run under its own UID).
Specifies the file in which to write the PID of the main
server. Defaults to I</var/run/sslh.pid>.

=item B<-i>

Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
(listen address), B<-U> (user) are ignored.

=back

=head1 FILES
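Review bot: B<-U> (user) should be B<-u>; the option is lowercase in the synopsis of this same file and in the getopt string "t:l:s:p:P:ivVu:". The paragraph should also say whether -t and -v still apply in inetd mode (the sslh.c hunk forces verbose to 0), and note that with -u ignored the inetd.conf entry itself has to name an unprivileged user.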
@ -110,7 +115,7 @@ B<restart> are supported.

=item F</etc/default/sslh>

Server configuration. These are environement variables
Server configuration. These are environment variables
loaded by the start-up script and passed to B<sslh> as
command-line arguments. Refer to the OPTIONS section for a
detailed explanation of the variables used by B<sslh>.