diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..23fa368 --- /dev/null +++ b/ChangeLog @@ -0,0 +1,65 @@ +v1.7: 01FEB2010 + Added CentOS init.d script (Andre Krajnik). + + Fixed default ssl address inconsistancy, now + defaults to "localhost:443" and fixed documentation + accordingly (pointed by Markus Schalke). + + Children no longer bind to the listen socket, so + parent server can be stopped without killing an + active child (pointed by Matthias Buecher). + + Inetd support (Dima Barsky). + +v1.6: 25APR2009 + Added -V, version option. + + Install target directory configurable in Makefile + + Changed syslog prefix in auth.log to "sslh[%pid]" + + Man page + + new 'make install' and 'make install-debian' targets + + PID file now specified using -P command line option + + Actually fixed zombie generation (the v1.5 patch got + lost, doh!) + + +v1.5: 10DEC2008 + Fixed zombie generation. + + Added support scripts (), Makefile. + + Changed all 'connexions' to 'connections' to please + pesky users. Damn users. + +v1.4: 13JUL2008 + Added libwrap support for ssh service (Christian Weinberger) + Only SSH is libwraped, not SSL. + +v1.3: 14MAY2008 + Added parsing for local interface to listen on + + Changed default SSL connection to port 442 (443 doesn't make + sense as a default as we're already listening on 443) + + Syslog incoming connections + +v1.2: 12MAY2008 + Fixed compilation warning for AMD64 (Thx Daniel Lange) + +v1.1: 21MAY2007 + Making sslhc more like a real daemon: + * If $PIDFILE is defined, write first PID to it upon startup + * Fork at startup (detach from terminal) + (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist) + * Less memory usage (?) + +v1.0: + Basic functionality: privilege dropping, target hostnames and ports + configurable. + + diff --git a/Makefile b/Makefile index ca51a6c..3ccb2a7 100644 --- a/Makefile +++ b/Makefile 
@@ -1,6 +1,6 @@ # Configuration -VERSION="v1.6i" +VERSION="v1.7a" USELIBWRAP=1 # Use libwrap? PREFIX=/usr/local diff --git a/README b/README index fcf60e1..cd23eb7 100644 --- a/README +++ b/README @@ -16,7 +16,8 @@ make install Otherwise: -Compilation instructions: +Compilation instructions (the binary produced won't contain +the version number, which is stored only in the Makefile) Solaris: cc -o sslh sslh.c -lresolv -lsocket -lnsl @@ -36,9 +37,13 @@ To install: make cp sslh /usr/local/sbin -cp scripts/etc.init.d.sslh /etc/init.d/sslh cp scripts/etc.default.sslh /etc/default/sslh +For Debian: +cp scripts/etc.init.d.sslh /etc/init.d/sslh +For CentOS: +cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh + and probably create links in /etc/rc.d so that the server start automatically at boot-up, e.g. under Debian: update-rc.d sslh defaults @@ -60,6 +65,10 @@ coming from inside your network don't need to go through sslh, and sslh is only there as a frontal for connections coming from the internet. +Note that 'external name' in this context refers to the +actual IP address of the machine as seen from your network, +i.e. that that is not 127.0.0.1 in the output of +ifconfig(8). ==== Libwrap support ==== 
@@ -68,48 +77,39 @@ service: because the connection to sshd will be coming locally from sslh, sshd cannot determine the IP of the client. +==== OpenVPN support ==== + +OpenVPN clients reportedly take more than one second between +the time the TCP connexion is established and the time they +send the first data packet. This results in sslh with +default settings timing out and assuming an SSH connexion. +To support OpenVPN connexions reliably, it is necessary to +increase sslh's timeout to 5 seconds. + +==== IP_TPROXY support ==== + +There is a netfilter patch that adds an option to the Linux +TCP/IP stack to allow a program to set the source address +of an IP packet that it sends. This could let sslh set the +address of packets to that of the actual client, so that +sshd would see and log the IP address of the client, making +sslh transparent. + +This is not, and won't be, implemented in sslh for the +following reasons (in increasing order of importance): + + * It's not vital: the real connecting IP address can be + found in logs. Little gain. + * It's Linux only: it means increased complexity for no + gain to some users. + * It's a patch: it means it'd only be useful to Linux + users who compile their own kernel. + * Only root can use the feature: that's a definite no-no. + Sslh should not, must not, will never run as root. + +This isn't to mean that it won't eventually get implemented, +when/if the feature finds its way into the main kernel and +it becomes usuable by non-root processes. + + Comments? questions? sslh@rutschle.net - -HISTORY - -v1.6: 25APR2009 - Added -V, version option. - Install target directory configurable in Makefile - Changed syslog prefix in auth.log to "sslh[%pid]" - Man page - new 'make install' and 'make install-debian' targets - PID file now specified using -P command line option - Actually fixed zombie generation (the v1.5 patch got - lost, doh!) - - -v1.5: 10DEC2008 - Fixed zombie generation. - Added support scripts (), Makefile. 
- Changed all 'connexions' to 'connections' to please - pesky users. Damn users. - -v1.4: 13JUL2008 - Added libwrap support for ssh service (Christian Weinberger) - Only SSH is libwraped, not SSL. - -v1.3: 14MAY2008 - Added parsing for local interface to listen on - Changed default SSL connection to port 442 (443 doesn't make - sense as a default as we're already listening on 443) - Syslog incoming connections - -v1.2: 12MAY2008 - Fixed compilation warning for AMD64 (Thx Daniel Lange) - -v1.1: 21MAY2007 - Making sslhc more like a real daemon: - * If $PIDFILE is defined, write first PID to it upon startup - * Fork at startup (detach from terminal) - (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist) - * Less memory usage (?) - -v1.0: - * Basic functionality: privilege dropping, target hostnames and ports - configurable. - diff --git a/scripts/etc.init.d.sslh b/scripts/etc.init.d.sslh index 27b8694..8a5171f 100755 --- a/scripts/etc.init.d.sslh +++ b/scripts/etc.init.d.sslh @@ -38,7 +38,6 @@ stop() { echo "Stop services: sslh" killall $DAEMON - rm ${PIDFILE} logger -t ${tag} -p ${facility} -i 'Stopped sslh' } diff --git a/scripts/etc.rc.d.init.d.sslh.centos b/scripts/etc.rc.d.init.d.sslh.centos new file mode 100755 index 0000000..c96d967 --- /dev/null +++ b/scripts/etc.rc.d.init.d.sslh.centos 
@@ -0,0 +1,77 @@ +#!/bin/bash +# +# /etc/rc.d/init.d/sslh +# sslh This shell script takes care of starting and stopping +# sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers +# +# Author: Andre Krajnik akrajnik@gmail.com +# +# chkconfig: 2345 13 87 +# description: sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers + +# Source function library. +. /etc/init.d/functions + +# ./sslh -p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 + +SSLH='/usr/local/sbin/sslh' +PIDFILE='/var/run/sslh' + +OPTIONS='-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE' + +if [ -f /etc/sysconfig/sslh ]; then + . /etc/sysconfig/sslh +fi + + +start() { + echo -n "Starting SSL-SSH-Switch: " + if [ -f $PIDFILE ]; then + PID=`cat $PIDFILE` + echo sslh already running: $PID + exit 2; + elif [ -f $PIDFILE ]; then + PID=`cat $PIDFILE` + echo sslh already running: $PID + exit 2; + else + cd $SLAPD_DIR + daemon $SSLH $OPTIONS + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch $PIDFILE + return $RETVAL + fi + +} + +stop() { + echo -n "Shutting down SSL-SSH-Switch: " + echo + killproc sslh + echo + rm -f $PIDFILE + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + status) + status sslh + ;; + restart) + stop + start + ;; + *) + echo "Usage: {start|stop|status|restart}" + exit 1 + ;; +esac +exit $? + diff --git a/sslh.c b/sslh.c index a62ae15..3bf205f 100644 --- a/sslh.c +++ b/sslh.c @@ -42,6 +42,9 @@ int allow_severity =0, deny_severity = 0; #endif +#ifndef VERSION +#define VERSION "v?" +#endif #define CHECK_RES_DIE(res, str) \ if (res == -1) { \ 
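Review bot: `OPTIONS='… -P $PIDFILE'` is single-quoted, so `$PIDFILE` is never expanded and sslh is started with the literal argument `$PIDFILE`; it would then write its PID to a file literally named that (relative to whatever directory it runs in) while the script's own `touch $PIDFILE` leaves /var/run/sslh empty, so the `PID=\`cat $PIDFILE\`` in the already-running check prints nothing. Use double quotes, `OPTIONS="-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE"`, after which sslh writes the file itself and the `touch` is at most redundant. The `elif [ -f $PIDFILE ]` branch repeats the `if` condition and body verbatim and can never run; delete it. `cd $SLAPD_DIR` references a variable the script never sets (apparently left over from an slapd script), so it just changes to $HOME and should go as well. Finally, `[ -f $PIDFILE ]` treats a stale PID file left by a crash as "already running"; `status sslh` from the functions library, which the script already uses in its status branch, would be a more robust test.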
@@ -53,13 +56,14 @@ if (res == -1) { \ "sslh " VERSION "\n" \ "usage:\n" \ "\tsslh [-t ] -u -p [listenaddr:] \n" \ -"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-V]\n\n" \ +"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-i] [-V]\n\n" \ "-v: verbose\n" \ "-V: version\n" \ "-p: address and port to listen on. default: 0.0.0.0:443\n" \ "-s: SSH address: where to connect an SSH connection. default: localhost:22\n" \ "-l: SSL address: where to connect an SSL connection.\n" \ -"-P: PID file. Default: /var/run/sslh.pid\n" \ +"-P: PID file. Default: /var/run/sslh.pid.\n" \ +"-i: Run as a inetd service.\n" \ "" int verbose = 0; /* That's really quite global */ @@ -351,7 +355,7 @@ void drop_privileges(char* user_name) CHECK_RES_DIE(res, "setuid"); } -/* Writes my PID if $PIDFILE is defined */ +/* Writes my PID */ void write_pid_file(char* pidfile) { FILE *f; @@ -392,15 +396,16 @@ int main(int argc, char *argv[]) /* Init defaults */ char *user_name = "nobody"; char listen_str[] = "0.0.0.0:443"; - char ssl_str[] = "localhost:442"; + char ssl_str[] = "localhost:443"; char ssh_str[] = "localhost:22"; char *pid_file = "/var/run/sslh.pid"; + char inetd = 0; resolve_name(&addr_listen, listen_str); resolve_name(&addr_ssl, ssl_str); resolve_name(&addr_ssh, ssh_str); - while ((c = getopt(argc, argv, "t:l:s:p:P:vVu:")) != EOF) { + while ((c = getopt(argc, argv, "t:l:s:p:P:ivVu:")) != EOF) { switch (c) { case 't': @@ -419,6 +424,10 @@ int main(int argc, char *argv[]) resolve_name(&addr_ssh, optarg); break; + case 'i': + inetd = 1; + break; + case 'v': verbose += 1; break; @@ -441,6 +450,13 @@ int main(int argc, char *argv[]) } } + if(inetd) + { + verbose = 0; + start_shoveler(0); + exit(0); + } + if (verbose) printsettings(); @@ -469,6 +485,7 @@ int main(int argc, char *argv[]) if (!fork()) { + close(listen_socket); start_shoveler(in_socket); exit(0); } diff --git a/sslh.pod b/sslh.pod index b428c37..6d7b513 100644 --- a/sslh.pod +++ b/sslh.pod 
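Review bot: The new usage line `"-i: Run as a inetd service.\n"` should read `an inetd`, and since the pod text in this commit says -i makes -p and -P irrelevant, the usage string is where users will look first; `"-i: Run as an inetd service (-p and -P are then ignored).\n"` says it in one line. The pod entry also names the ignored user option `-U`, while the getopt string in this commit only accepts `-u`.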
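Review bot: The new `if(inetd)` block calls start_shoveler(0) and exits before the code that drops privileges, so in inetd mode sslh keeps whatever identity the superserver gave it — root if inetd.conf does not name a user — and the pod hunk in this commit documents the user option as ignored, which makes that deliberate but moves the `nobody` floor out of the program's hands. drop_privileges(user_name) needs only the user name already parsed above, so adding `drop_privileges(user_name);` as the first statement of the block would keep the same floor in both modes; this assumes start_shoveler does not drop privileges itself, which is not visible in this hunk. `verbose = 0;` is forced without explanation, presumably because stdout is the client socket under inetd; a comment such as `/* under inetd stdin/stdout are the client socket: never print */` would say why. main() begins and ends outside the hunk.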
@@ -6,7 +6,7 @@ =head1 SYNOPSIS -sslh [ B<-t> I ] [B<-p> I] [B<-l> I] [B<-s> I] [B<-u> I] [B<-P> I] [-v] [-V] +sslh [ B<-t> I ] [B<-p> I] [B<-l> I] [B<-s> I] [B<-u> I] [B<-P> I] [-v] [-i] [-V] =head1 DESCRIPTION @@ -66,7 +66,7 @@ available interfaces). Interface and port on which to forward SSL connection, typically I. -Defaults to I (this assumes you would +Defaults to I (this assumes you would configure your B process to listen to port 443). Note that you can set B to listen on I and @@ -97,6 +97,11 @@ run under its own UID). Specifies the file in which to write the PID of the main server. Defaults to I. +=item B<-i> + +Runs as an I server. Options B<-P> (PID file), B<-p> +(listen address), B<-U> (user) are ignored. + =back =head1 FILES @@ -110,7 +115,7 @@ B are supported. =item F -Server configuration. These are environement variables +Server configuration. These are environment variables loaded by the start-up script and passed to B as command-line arguments. Refer to the OPTIONS section for a detailed explanation of the variables used by B.