From 44f02ddf39a9d4c338dae207cfd1fb6bc6bfd1e0 Mon Sep 17 00:00:00 2001 From: Yves Rutschle Date: Wed, 10 Jul 2013 23:11:40 +0200 Subject: [PATCH] v1.7: 01FEB2010 Added CentOS init.d script (Andre Krajnik). Fixed default ssl address inconsistancy, now defaults to "localhost:443" and fixed documentation accordingly (pointed by Markus Schalke). Children no longer bind to the listen socket, so parent server can be stopped without killing an active child (pointed by Matthias Buecher). Inetd support (Dima Barsky). --- ChangeLog | 65 ++++++++++++++++++++ Makefile | 2 +- README | 92 ++++++++++++++--------------- scripts/etc.init.d.sslh | 1 - scripts/etc.rc.d.init.d.sslh.centos | 77 ++++++++++++++++++++++++ sslh.c | 27 +++++++-- sslh.pod | 11 +++- 7 files changed, 219 insertions(+), 56 deletions(-) create mode 100644 ChangeLog create mode 100755 scripts/etc.rc.d.init.d.sslh.centos diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..23fa368 --- /dev/null +++ b/ChangeLog 
@@ -0,0 +1,65 @@ +v1.7: 01FEB2010 + Added CentOS init.d script (Andre Krajnik). + + Fixed default ssl address inconsistancy, now + defaults to "localhost:443" and fixed documentation + accordingly (pointed by Markus Schalke). + + Children no longer bind to the listen socket, so + parent server can be stopped without killing an + active child (pointed by Matthias Buecher). + + Inetd support (Dima Barsky). + +v1.6: 25APR2009 + Added -V, version option. + + Install target directory configurable in Makefile + + Changed syslog prefix in auth.log to "sslh[%pid]" + + Man page + + new 'make install' and 'make install-debian' targets + + PID file now specified using -P command line option + + Actually fixed zombie generation (the v1.5 patch got + lost, doh!) + + +v1.5: 10DEC2008 + Fixed zombie generation. + + Added support scripts (), Makefile. + + Changed all 'connexions' to 'connections' to please + pesky users. Damn users. + +v1.4: 13JUL2008 + Added libwrap support for ssh service (Christian Weinberger) + Only SSH is libwraped, not SSL. + +v1.3: 14MAY2008 + Added parsing for local interface to listen on + + Changed default SSL connection to port 442 (443 doesn't make + sense as a default as we're already listening on 443) + + Syslog incoming connections + +v1.2: 12MAY2008 + Fixed compilation warning for AMD64 (Thx Daniel Lange) + +v1.1: 21MAY2007 + Making sslhc more like a real daemon: + * If $PIDFILE is defined, write first PID to it upon startup + * Fork at startup (detach from terminal) + (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist) + * Less memory usage (?) + +v1.0: + Basic functionality: privilege dropping, target hostnames and ports + configurable. + + diff --git a/Makefile b/Makefile index ca51a6c..3ccb2a7 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # Configuration -VERSION="v1.6i" +VERSION="v1.7a" USELIBWRAP=1 # Use libwrap? PREFIX=/usr/local diff --git a/README b/README index fcf60e1..cd23eb7 100644 --- a/README 
+++ b/README @@ -16,7 +16,8 @@ make install Otherwise: -Compilation instructions: +Compilation instructions (the binary produced won't contain +the version number, which is stored only in the Makefile) Solaris: cc -o sslh sslh.c -lresolv -lsocket -lnsl @@ -36,9 +37,13 @@ To install: make cp sslh /usr/local/sbin -cp scripts/etc.init.d.sslh /etc/init.d/sslh cp scripts/etc.default.sslh /etc/default/sslh +For Debian: +cp scripts/etc.init.d.sslh /etc/init.d/sslh +For CentOS: +cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh + and probably create links in /etc/rc.d so that the server start automatically at boot-up, e.g. under Debian: update-rc.d sslh defaults @@ -60,6 +65,10 @@ coming from inside your network don't need to go through sslh, and sslh is only there as a frontal for connections coming from the internet. +Note that 'external name' in this context refers to the +actual IP address of the machine as seen from your network, +i.e. that that is not 127.0.0.1 in the output of +ifconfig(8). ==== Libwrap support ==== 
@@ -68,48 +77,39 @@ service: because the connection to sshd will be coming locally from sslh, sshd cannot determine the IP of the client. +==== OpenVPN support ==== + +OpenVPN clients reportedly take more than one second between +the time the TCP connexion is established and the time they +send the first data packet. This results in sslh with +default settings timing out and assuming an SSH connexion. +To support OpenVPN connexions reliably, it is necessary to +increase sslh's timeout to 5 seconds. + +==== IP_TPROXY support ==== + +There is a netfilter patch that adds an option to the Linux +TCP/IP stack to allow a program to set the source address +of an IP packet that it sends. This could let sslh set the +address of packets to that of the actual client, so that +sshd would see and log the IP address of the client, making +sslh transparent. + +This is not, and won't be, implemented in sslh for the +following reasons (in increasing order of importance): + + * It's not vital: the real connecting IP address can be + found in logs. Little gain. + * It's Linux only: it means increased complexity for no + gain to some users. + * It's a patch: it means it'd only be useful to Linux + users who compile their own kernel. + * Only root can use the feature: that's a definite no-no. + Sslh should not, must not, will never run as root. + +This isn't to mean that it won't eventually get implemented, +when/if the feature finds its way into the main kernel and +it becomes usuable by non-root processes. + + Comments? questions? sslh@rutschle.net - -HISTORY - -v1.6: 25APR2009 - Added -V, version option. - Install target directory configurable in Makefile - Changed syslog prefix in auth.log to "sslh[%pid]" - Man page - new 'make install' and 'make install-debian' targets - PID file now specified using -P command line option - Actually fixed zombie generation (the v1.5 patch got - lost, doh!) - - -v1.5: 10DEC2008 - Fixed zombie generation. - Added support scripts (), Makefile. 
- Changed all 'connexions' to 'connections' to please - pesky users. Damn users. - -v1.4: 13JUL2008 - Added libwrap support for ssh service (Christian Weinberger) - Only SSH is libwraped, not SSL. - -v1.3: 14MAY2008 - Added parsing for local interface to listen on - Changed default SSL connection to port 442 (443 doesn't make - sense as a default as we're already listening on 443) - Syslog incoming connections - -v1.2: 12MAY2008 - Fixed compilation warning for AMD64 (Thx Daniel Lange) - -v1.1: 21MAY2007 - Making sslhc more like a real daemon: - * If $PIDFILE is defined, write first PID to it upon startup - * Fork at startup (detach from terminal) - (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist) - * Less memory usage (?) - -v1.0: - * Basic functionality: privilege dropping, target hostnames and ports - configurable. - diff --git a/scripts/etc.init.d.sslh b/scripts/etc.init.d.sslh index 27b8694..8a5171f 100755 --- a/scripts/etc.init.d.sslh +++ b/scripts/etc.init.d.sslh @@ -38,7 +38,6 @@ stop() { echo "Stop services: sslh" killall $DAEMON - rm ${PIDFILE} logger -t ${tag} -p ${facility} -i 'Stopped sslh' } diff --git a/scripts/etc.rc.d.init.d.sslh.centos b/scripts/etc.rc.d.init.d.sslh.centos new file mode 100755 index 0000000..c96d967 --- /dev/null +++ b/scripts/etc.rc.d.init.d.sslh.centos 
@@ -0,0 +1,77 @@ +#!/bin/bash +# +# /etc/rc.d/init.d/sslh +# sslh This shell script takes care of starting and stopping +# sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers +# +# Author: Andre Krajnik akrajnik@gmail.com +# +# chkconfig: 2345 13 87 +# description: sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers + +# Source function library. +. /etc/init.d/functions + +# ./sslh -p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 + +SSLH='/usr/local/sbin/sslh' +PIDFILE='/var/run/sslh' + +OPTIONS='-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE' + +if [ -f /etc/sysconfig/sslh ]; then + . /etc/sysconfig/sslh +fi + + +start() { + echo -n "Starting SSL-SSH-Switch: " + if [ -f $PIDFILE ]; then + PID=`cat $PIDFILE` + echo sslh already running: $PID + exit 2; + elif [ -f $PIDFILE ]; then + PID=`cat $PIDFILE` + echo sslh already running: $PID + exit 2; + else + cd $SLAPD_DIR + daemon $SSLH $OPTIONS + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch $PIDFILE + return $RETVAL + fi + +} + +stop() { + echo -n "Shutting down SSL-SSH-Switch: " + echo + killproc sslh + echo + rm -f $PIDFILE + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + status) + status sslh + ;; + restart) + stop + start + ;; + *) + echo "Usage: {start|stop|status|restart}" + exit 1 + ;; +esac +exit $? + diff --git a/sslh.c b/sslh.c index a62ae15..3bf205f 100644 --- a/sslh.c +++ b/sslh.c @@ -42,6 +42,9 @@ int allow_severity =0, deny_severity = 0; #endif +#ifndef VERSION +#define VERSION "v?" +#endif #define CHECK_RES_DIE(res, str) \ if (res == -1) { \ 
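Review bot: The `-P $PIDFILE` inside `OPTIONS='-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE'` is never expanded because the assignment is single-quoted, so sslh is started with a pid-file path that is literally `$PIDFILE` rather than `/var/run/sslh`, and the `[ -f $PIDFILE ]` check in start() never sees the file sslh actually writes. Use double quotes, `OPTIONS="-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE"`, and move that line below the `. /etc/sysconfig/sslh` block so a PIDFILE override from sysconfig is reflected in the options. The `elif [ -f $PIDFILE ]` branch repeats the `if` condition verbatim and is unreachable, and `cd $SLAPD_DIR` names a variable this script never sets (it looks carried over from an slapd init script), so with it unset the `cd` silently changes to $HOME; both can be dropped. The listen address `0.0.0.0:8443` in the comment and in OPTIONS differs from the daemon's documented default of `0.0.0.0:443`, which is presumably deliberate but deserves a comment in the script.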
@@ -53,13 +56,14 @@ if (res == -1) { \ "sslh " VERSION "\n" \ "usage:\n" \ "\tsslh [-t ] -u -p [listenaddr:] \n" \ -"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-V]\n\n" \ +"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-i] [-V]\n\n" \ "-v: verbose\n" \ "-V: version\n" \ "-p: address and port to listen on. default: 0.0.0.0:443\n" \ "-s: SSH address: where to connect an SSH connection. default: localhost:22\n" \ "-l: SSL address: where to connect an SSL connection.\n" \ -"-P: PID file. Default: /var/run/sslh.pid\n" \ +"-P: PID file. Default: /var/run/sslh.pid.\n" \ +"-i: Run as a inetd service.\n" \ "" int verbose = 0; /* That's really quite global */ @@ -351,7 +355,7 @@ void drop_privileges(char* user_name) CHECK_RES_DIE(res, "setuid"); } -/* Writes my PID if $PIDFILE is defined */ +/* Writes my PID */ void write_pid_file(char* pidfile) { FILE *f; @@ -392,15 +396,16 @@ int main(int argc, char *argv[]) /* Init defaults */ char *user_name = "nobody"; char listen_str[] = "0.0.0.0:443"; - char ssl_str[] = "localhost:442"; + char ssl_str[] = "localhost:443"; char ssh_str[] = "localhost:22"; char *pid_file = "/var/run/sslh.pid"; + char inetd = 0; resolve_name(&addr_listen, listen_str); resolve_name(&addr_ssl, ssl_str); resolve_name(&addr_ssh, ssh_str); - while ((c = getopt(argc, argv, "t:l:s:p:P:vVu:")) != EOF) { + while ((c = getopt(argc, argv, "t:l:s:p:P:ivVu:")) != EOF) { switch (c) { case 't': @@ -419,6 +424,10 @@ int main(int argc, char *argv[]) resolve_name(&addr_ssh, optarg); break; + case 'i': + inetd = 1; + break; + case 'v': verbose += 1; break; @@ -441,6 +450,13 @@ int main(int argc, char *argv[]) } } + if(inetd) + { + verbose = 0; + start_shoveler(0); + exit(0); + } + if (verbose) printsettings(); @@ -469,6 +485,7 @@ int main(int argc, char *argv[]) if (!fork()) { + close(listen_socket); start_shoveler(in_socket); exit(0); } diff --git a/sslh.pod b/sslh.pod index b428c37..6d7b513 100644 --- a/sslh.pod +++ b/sslh.pod 
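Review bot: The new usage line `"-i: Run as a inetd service.\n"` has an article error; `"-i: Run as an inetd service.\n"` reads correctly. The surrounding help text also advertises the `-P` default and the `-p` listen address, which the man-page change in this commit says are ignored in inetd mode, so the line could state that: `"-i: Run as an inetd service (ignores -p, -P and -u).\n"`. The usage macro continues outside the hunk.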
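Review bot: The new `if(inetd)` block calls `start_shoveler(0)` and `exit(0)` before the remainder of main() runs, so anything done later in main is skipped — if drop_privileges(user_name) is called after this point, as the pod's statement that the user option is ignored in inetd mode suggests, the shoveler runs with whatever identity the inetd superserver hands it rather than the configured unprivileged user. If that is intended, say so at the call site, e.g. `/* inetd mode: the client connection is fd 0; privileges are not dropped here, so configure inetd to run sslh as an unprivileged user */`; if not, the privilege drop should be moved ahead of this block. Forcing `verbose = 0` silently overrides a user-supplied -v, presumably because stdout is the client socket in inetd mode and any diagnostic would be sent to the peer; that rationale is worth a one-line comment as well. main() starts and ends outside the hunk.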
@@ -6,7 +6,7 @@ =head1 SYNOPSIS -sslh [ B<-t> I ] [B<-p> I] [B<-l> I] [B<-s> I] [B<-u> I] [B<-P> I] [-v] [-V] +sslh [ B<-t> I ] [B<-p> I] [B<-l> I] [B<-s> I] [B<-u> I] [B<-P> I] [-v] [-i] [-V] =head1 DESCRIPTION @@ -66,7 +66,7 @@ available interfaces). Interface and port on which to forward SSL connection, typically I. -Defaults to I (this assumes you would +Defaults to I (this assumes you would configure your B process to listen to port 443). Note that you can set B to listen on I and @@ -97,6 +97,11 @@ run under its own UID). Specifies the file in which to write the PID of the main server. Defaults to I. +=item B<-i> + +Runs as an I server. Options B<-P> (PID file), B<-p> +(listen address), B<-U> (user) are ignored. + =back =head1 FILES @@ -110,7 +115,7 @@ B are supported. =item F -Server configuration. These are environement variables +Server configuration. These are environment variables loaded by the start-up script and passed to B as command-line arguments. Refer to the OPTIONS section for a detailed explanation of the variables used by B.