v1.7: 01FEB2010

Added CentOS init.d script (Andre Krajnik).

Fixed default ssl address inconsistency, now
defaults to "localhost:443" and fixed documentation
accordingly (pointed out by Markus Schalke).

Children no longer bind to the listen socket, so
parent server can be stopped without killing an
active child (pointed out by Matthias Buecher).

Inetd support (Dima Barsky).
Yves Rutschle 2013-07-10 23:11:40 +02:00
parent 0658982705
commit 44f02ddf39
7 changed files with 219 additions and 56 deletions

ChangeLog Normal file

@ -0,0 +1,65 @@
v1.7: 01FEB2010
Added CentOS init.d script (Andre Krajnik).
Fixed default ssl address inconsistancy, now
defaults to "localhost:443" and fixed documentation
accordingly (pointed by Markus Schalke).
Children no longer bind to the listen socket, so
parent server can be stopped without killing an
active child (pointed by Matthias Buecher).
Inetd support (Dima Barsky).
v1.6: 25APR2009
Added -V, version option.
Install target directory configurable in Makefile
Changed syslog prefix in auth.log to "sslh[%pid]"
Man page
new 'make install' and 'make install-debian' targets
PID file now specified using -P command line option
Actually fixed zombie generation (the v1.5 patch got
lost, doh!)
v1.5: 10DEC2008
Fixed zombie generation.
Added support scripts (), Makefile.
Changed all 'connexions' to 'connections' to please
pesky users. Damn users.
v1.4: 13JUL2008
Added libwrap support for ssh service (Christian Weinberger)
Only SSH is libwraped, not SSL.
v1.3: 14MAY2008
Added parsing for local interface to listen on
Changed default SSL connection to port 442 (443 doesn't make
sense as a default as we're already listening on 443)
Syslog incoming connections
v1.2: 12MAY2008
Fixed compilation warning for AMD64 (Thx Daniel Lange)
v1.1: 21MAY2007
Making sslhc more like a real daemon:
* If $PIDFILE is defined, write first PID to it upon startup
* Fork at startup (detach from terminal)
(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
* Less memory usage (?)
v1.0:
Basic functionality: privilege dropping, target hostnames and ports
configurable.
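Review bot: the new v1.7 entry ("now defaults to "localhost:443"") reads as a direct reversal of the v1.3 entry further down, which moved the SSL default to 442 precisely because sslh already listens on 443; either the v1.3 reasoning no longer holds (say why in the entry) or the two defaults now clash. While here, "inconsistancy" should be "inconsistency", and the v1.5 line "Added support scripts (), Makefile." has an empty parenthesis that should either name the scripts or be dropped.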


@ -1,6 +1,6 @@
# Configuration
VERSION="v1.6i"
VERSION="v1.7a"
USELIBWRAP=1 # Use libwrap?
PREFIX=/usr/local

README

@ -16,7 +16,8 @@ make install
Otherwise:
Compilation instructions:
Compilation instructions (the binary produced won't contain
the version number, which is stored only in the Makefile)
Solaris:
cc -o sslh sslh.c -lresolv -lsocket -lnsl
@ -36,9 +37,13 @@ To install:
make
cp sslh /usr/local/sbin
cp scripts/etc.init.d.sslh /etc/init.d/sslh
cp scripts/etc.default.sslh /etc/default/sslh
For Debian:
cp scripts/etc.init.d.sslh /etc/init.d/sslh
For CentOS:
cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
and probably create links in /etc/rc<x>.d so that the server
start automatically at boot-up, e.g. under Debian:
update-rc.d sslh defaults
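Review bot: the CentOS branch copies only the init script, but the new scripts/etc.rc.d.init.d.sslh reads its settings from /etc/sysconfig/sslh, so the README should tell CentOS users to create that file (the Debian branch has the etc.default.sslh step for the same purpose) and to register the service with chkconfig rather than update-rc.d, which is Debian-only. Minor: "so that the server start automatically" should read "starts".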
@ -60,6 +65,10 @@ coming from inside your network don't need to go through
sslh, and sslh is only there as a frontal for connections
coming from the internet.
Note that 'external name' in this context refers to the
actual IP address of the machine as seen from your network,
i.e. that that is not 127.0.0.1 in the output of
ifconfig(8).
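Review bot: "i.e. that that is not 127.0.0.1" has a doubled "that" and the sentence is hard to parse; suggest "i.e. the address that is not 127.0.0.1 in the output of ifconfig(8)". It would also help to state that this is the address to pass to -p, since that is the option the paragraph is explaining.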
==== Libwrap support ====
@ -68,48 +77,39 @@ service: because the connection to sshd will be coming
locally from sslh, sshd cannot determine the IP of the
client.
==== OpenVPN support ====
OpenVPN clients reportedly take more than one second between
the time the TCP connexion is established and the time they
send the first data packet. This results in sslh with
default settings timing out and assuming an SSH connexion.
To support OpenVPN connexions reliably, it is necessary to
increase sslh's timeout to 5 seconds.
==== IP_TPROXY support ====
There is a netfilter patch that adds an option to the Linux
TCP/IP stack to allow a program to set the source address
of an IP packet that it sends. This could let sslh set the
address of packets to that of the actual client, so that
sshd would see and log the IP address of the client, making
sslh transparent.
This is not, and won't be, implemented in sslh for the
following reasons (in increasing order of importance):
* It's not vital: the real connecting IP address can be
found in logs. Little gain.
* It's Linux only: it means increased complexity for no
gain to some users.
* It's a patch: it means it'd only be useful to Linux
users who compile their own kernel.
* Only root can use the feature: that's a definite no-no.
Sslh should not, must not, will never run as root.
This isn't to mean that it won't eventually get implemented,
when/if the feature finds its way into the main kernel and
it becomes usuable by non-root processes.
Comments? questions? sslh@rutschle.net
HISTORY
v1.6: 25APR2009
Added -V, version option.
Install target directory configurable in Makefile
Changed syslog prefix in auth.log to "sslh[%pid]"
Man page
new 'make install' and 'make install-debian' targets
PID file now specified using -P command line option
Actually fixed zombie generation (the v1.5 patch got
lost, doh!)
v1.5: 10DEC2008
Fixed zombie generation.
Added support scripts (), Makefile.
Changed all 'connexions' to 'connections' to please
pesky users. Damn users.
v1.4: 13JUL2008
Added libwrap support for ssh service (Christian Weinberger)
Only SSH is libwraped, not SSL.
v1.3: 14MAY2008
Added parsing for local interface to listen on
Changed default SSL connection to port 442 (443 doesn't make
sense as a default as we're already listening on 443)
Syslog incoming connections
v1.2: 12MAY2008
Fixed compilation warning for AMD64 (Thx Daniel Lange)
v1.1: 21MAY2007
Making sslhc more like a real daemon:
* If $PIDFILE is defined, write first PID to it upon startup
* Fork at startup (detach from terminal)
(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
* Less memory usage (?)
v1.0:
* Basic functionality: privilege dropping, target hostnames and ports
configurable.
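Review bot: the new OpenVPN section says the timeout must be raised to 5 seconds but never says how; name the option (`-t 5`, per the usage string in sslh.c) so readers don't have to dig. The same section reintroduces the "connexion" spelling that the v1.5 history entry says was replaced with "connections", and "usuable" in the IP_TPROXY section should be "usable". Moving HISTORY into the new ChangeLog is fine, but the v1.0 entry lost its leading "* " in the copy.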


@ -38,7 +38,6 @@ stop()
{
echo "Stop services: sslh"
killall $DAEMON
rm ${PIDFILE}
logger -t ${tag} -p ${facility} -i 'Stopped sslh'
}
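Review bot: stop() terminates by process name (`killall $DAEMON`) rather than by the PID recorded in ${PIDFILE}, so it also kills any child still serving a connection and any sslh started by inetd (new in this release), which defeats the "stop the parent without killing an active child" behaviour the commit message introduces; prefer `kill $(cat ${PIDFILE})` and remove the PID file only once that process has exited. Whichever line was dropped here, the script should still leave no stale PID file behind after a stop.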


@ -0,0 +1,77 @@
#!/bin/bash
#
# /etc/rc.d/init.d/sslh
# sslh This shell script takes care of starting and stopping
# sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers
#
# Author: Andre Krajnik akrajnik@gmail.com
#
# chkconfig: 2345 13 87
# description: sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers
# Source function library.
. /etc/init.d/functions
# ./sslh -p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22
SSLH='/usr/local/sbin/sslh'
PIDFILE='/var/run/sslh'
OPTIONS='-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE'
if [ -f /etc/sysconfig/sslh ]; then
. /etc/sysconfig/sslh
fi
start() {
echo -n "Starting SSL-SSH-Switch: "
if [ -f $PIDFILE ]; then
PID=`cat $PIDFILE`
echo sslh already running: $PID
exit 2;
elif [ -f $PIDFILE ]; then
PID=`cat $PIDFILE`
echo sslh already running: $PID
exit 2;
else
cd $SLAPD_DIR
daemon $SSLH $OPTIONS
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $PIDFILE
return $RETVAL
fi
}
stop() {
echo -n "Shutting down SSL-SSH-Switch: "
echo
killproc sslh
echo
rm -f $PIDFILE
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status sslh
;;
restart)
stop
start
;;
*)
echo "Usage: {start|stop|status|restart}"
exit 1
;;
esac
exit $?
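Review bot: OPTIONS is single-quoted, so `$PIDFILE` inside it is never expanded and sslh is launched with a literal `-P $PIDFILE`; use double quotes (`OPTIONS="-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE"`). start() then masks the problem by `touch $PIDFILE`-ing an empty file, so the "sslh already running: $PID" message on the next start prints no PID at all. Also in start(): the `if` and `elif` branches test the identical condition `[ -f $PIDFILE ]` and one should go, `cd $SLAPD_DIR` is a leftover from another service's script (the variable is never set here), and `exit 2` leaves the whole script instead of returning a status like the else branch does.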

sslh.c

@ -42,6 +42,9 @@
int allow_severity =0, deny_severity = 0;
#endif
#ifndef VERSION
#define VERSION "v?"
#endif
#define CHECK_RES_DIE(res, str) \
if (res == -1) { \
@ -53,13 +56,14 @@ if (res == -1) { \
"sslh " VERSION "\n" \
"usage:\n" \
"\tsslh [-t <timeout>] -u <username> -p [listenaddr:]<listenport> \n" \
"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-V]\n\n" \
"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-i] [-V]\n\n" \
"-v: verbose\n" \
"-V: version\n" \
"-p: address and port to listen on. default: 0.0.0.0:443\n" \
"-s: SSH address: where to connect an SSH connection. default: localhost:22\n" \
"-l: SSL address: where to connect an SSL connection.\n" \
"-P: PID file. Default: /var/run/sslh.pid\n" \
"-P: PID file. Default: /var/run/sslh.pid.\n" \
"-i: Run as a inetd service.\n" \
""
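Review bot: "Run as a inetd service" should be "an inetd service", and the -l line is the only address option with no default shown while -p and -s have one; since this commit settles the SSL default, state it here: `"-l: SSL address: where to connect an SSL connection. default: localhost:443\n"`.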
int verbose = 0; /* That's really quite global */
@ -351,7 +355,7 @@ void drop_privileges(char* user_name)
CHECK_RES_DIE(res, "setuid");
}
/* Writes my PID if $PIDFILE is defined */
/* Writes my PID */
void write_pid_file(char* pidfile)
{
FILE *f;
@ -392,15 +396,16 @@ int main(int argc, char *argv[])
/* Init defaults */
char *user_name = "nobody";
char listen_str[] = "0.0.0.0:443";
char ssl_str[] = "localhost:442";
char ssl_str[] = "localhost:443";
char ssh_str[] = "localhost:22";
char *pid_file = "/var/run/sslh.pid";
char inetd = 0;
resolve_name(&addr_listen, listen_str);
resolve_name(&addr_ssl, ssl_str);
resolve_name(&addr_ssh, ssh_str);
while ((c = getopt(argc, argv, "t:l:s:p:P:vVu:")) != EOF) {
while ((c = getopt(argc, argv, "t:l:s:p:P:ivVu:")) != EOF) {
switch (c) {
case 't':
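Review bot: with `listen_str` left at "0.0.0.0:443" and `ssl_str` now "localhost:443", the two built-in defaults point at the same port: either sslh forwards SSL connections back into its own wildcard listener, or, if httpd already holds 127.0.0.1:443, sslh's bind fails. If the intended deployment is httpd on 127.0.0.1:443 and sslh on an external address only, the listen default should change too or the usage text should say that -p is effectively mandatory.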
@ -419,6 +424,10 @@ int main(int argc, char *argv[])
resolve_name(&addr_ssh, optarg);
break;
case 'i':
inetd = 1;
break;
case 'v':
verbose += 1;
break;
@ -441,6 +450,13 @@ int main(int argc, char *argv[])
}
}
if(inetd)
{
verbose = 0;
start_shoveler(0);
exit(0);
}
if (verbose)
printsettings();
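Review bot: the inetd branch leaves main() before the rest of the setup runs, and the man page change in this commit says -u is ignored in that mode, so sslh does not drop privileges itself when spawned by inetd; either call drop_privileges(user_name) before start_shoveler(0) or document that the inetd.conf entry must specify an unprivileged user, since the README's "must not run as root" guarantee otherwise depends entirely on the inetd configuration. `verbose = 0` also silently discards a -v the user asked for; if the intent is to keep printsettings() output off the client socket (fd 0/1), a comment saying so would help.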
@ -469,6 +485,7 @@ int main(int argc, char *argv[])
if (!fork())
{
close(listen_socket);
start_shoveler(in_socket);
exit(0);
}
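Review bot: `if (!fork())` does not distinguish a failed fork (-1) from the parent path, so on EAGAIN or ENOMEM the parent quietly carries on without serving the accepted connection; store the return value and check it (CHECK_RES_DIE-style) before branching. Closing listen_socket in the child is the right fix for the stop-without-killing-children problem; make sure the parent side correspondingly closes in_socket after the fork (not visible in this hunk), or each accepted descriptor stays open in the listener.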


@ -6,7 +6,7 @@
=head1 SYNOPSIS
sslh [ B<-t> I<num> ] [B<-p> I<listening address>] [B<-l> I<target address for SSL>] [B<-s> I<target address for SSH>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-V]
sslh [ B<-t> I<num> ] [B<-p> I<listening address>] [B<-l> I<target address for SSL>] [B<-s> I<target address for SSH>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V]
=head1 DESCRIPTION
@ -66,7 +66,7 @@ available interfaces).
Interface and port on which to forward SSL connection,
typically I<localhost:443>.
Defaults to I<localhost:442> (this assumes you would
Defaults to I<localhost:443> (this assumes you would
configure your B<httpd> process to listen to port 443).
Note that you can set B<sslh> to listen on I<ext_ip:443> and
@ -97,6 +97,11 @@ run under its own UID).
Specifies the file in which to write the PID of the main
server. Defaults to I</var/run/sslh.pid>.
=item B<-i>
Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
(listen address), B<-U> (user) are ignored.
=back
=head1 FILES
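Review bot: the new text refers to B<-U> (user), but the option is lowercase B<-u> everywhere else on this page (the SYNOPSIS line above and the usage string in sslh.c); fix the letter. It should also spell out the consequence of -u being ignored: in inetd mode the process keeps whatever user inetd launched it as, so the user must be set in the inetd configuration.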
@ -110,7 +115,7 @@ B<restart> are supported.
=item F</etc/default/sslh>
Server configuration. These are environement variables
Server configuration. These are environment variables
loaded by the start-up script and passed to B<sslh> as
command-line arguments. Refer to the OPTIONS section for a
detailed explanation of the variables used by B<sslh>.