git ssb - v1.7: 01FEB2010 · cel/sslh@44f02ddf

Commit 44f02ddf39a9d4c338dae207cfd1fb6bc6bfd1e0

v1.7: 01FEB2010

	Added CentOS init.d script (Andre Krajnik).

	Fixed default ssl address inconsistancy, now
	defaults to "localhost:443" and fixed documentation
	accordingly (pointed by Markus Schalke).

	Children no longer bind to the listen socket, so
	parent server can be stopped without killing an
	active child (pointed by Matthias Buecher).

	Inetd support (Dima Barsky).

Yves Rutschle committed on 7/10/2013, 9:11:40 PM
Parent: 0658982705270b6f79c5387db43e95e7c1f67465

Files changed

Makefile	changed
README	changed
scripts/etc.init.d.sslh	changed
scripts/etc.rc.d.init.d.sslh.centos	added
sslh.c	changed
sslh.pod	changed
ChangeLog	added

MakefileView
		@@ -1,7 +1,7 @@
1	1	# Configuration
2	2
3		-VERSION="v1.6i"
	3	+VERSION="v1.7a"
4	4	USELIBWRAP=1 # Use libwrap?
5	5	PREFIX=/usr/local
6	6
7	7	MAN=sslh.8.gz # man page name

READMEView
		@@ -15,9 +15,10 @@
15	15
16	16
17	17	Otherwise:
18	18
19		-Compilation instructions:
	19	+Compilation instructions (the binary produced won't contain
	20	+the version number, which is stored only in the Makefile)
20	21
21	22	Solaris:
22	23	cc -o sslh sslh.c -lresolv -lsocket -lnsl
23	24
		@@ -35,11 +36,15 @@
35	36	To install:
36	37
37	38	make
38	39	cp sslh /usr/local/sbin
39		-cp scripts/etc.init.d.sslh /etc/init.d/sslh
40	40	cp scripts/etc.default.sslh /etc/default/sslh
41	41
	42	+For Debian:
	43	+cp scripts/etc.init.d.sslh /etc/init.d/sslh
	44	+For CentOS:
	45	+cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
	46	+
42	47	and probably create links in /etc/rc<x>.d so that the server
43	48	start automatically at boot-up, e.g. under Debian:
44	49	update-rc.d sslh defaults
45	50
		@@ -59,57 +64,52 @@
59	64	coming from inside your network don't need to go through
60	65	sslh, and sslh is only there as a frontal for connections
61	66	coming from the internet.
62	67
	68	+Note that 'external name' in this context refers to the
	69	+actual IP address of the machine as seen from your network,
	70	+i.e. that that is not 127.0.0.1 in the output of
	71	+ifconfig(8).
63	72
64	73	==== Libwrap support ====
65	74
66	75	Sslh can optionnaly perform libwrap checks for the sshd
67	76	service: because the connection to sshd will be coming
68	77	locally from sslh, sshd cannot determine the IP of the
69	78	client.
70	79
71		-Comments? questions? sslh@rutschle.net
	80	+==== OpenVPN support ====
72	81
73		-HISTORY
	82	+OpenVPN clients reportedly take more than one second between
	83	+the time the TCP connexion is established and the time they
	84	+send the first data packet. This results in sslh with
	85	+default settings timing out and assuming an SSH connexion.
	86	+To support OpenVPN connexions reliably, it is necessary to
	87	+increase sslh's timeout to 5 seconds.
74	88
75		-v1.6: 25APR2009
76		- Added -V, version option.
77		- Install target directory configurable in Makefile
78		- Changed syslog prefix in auth.log to "sslh[%pid]"
79		- Man page
80		- new 'make install' and 'make install-debian' targets
81		- PID file now specified using -P command line option
82		- Actually fixed zombie generation (the v1.5 patch got
83		- lost, doh!)
	89	+==== IP_TPROXY support ====
84	90
	91	+There is a netfilter patch that adds an option to the Linux
	92	+TCP/IP stack to allow a program to set the source address
	93	+of an IP packet that it sends. This could let sslh set the
	94	+address of packets to that of the actual client, so that
	95	+sshd would see and log the IP address of the client, making
	96	+sslh transparent.
85	97
86		-v1.5: 10DEC2008
87		- Fixed zombie generation.
88		- Added support scripts (), Makefile.
89		- Changed all 'connexions' to 'connections' to please
90		- pesky users. Damn users.
	98	+This is not, and won't be, implemented in sslh for the
	99	+following reasons (in increasing order of importance):
91	100
92		-v1.4: 13JUL2008
93		- Added libwrap support for ssh service (Christian Weinberger)
94		- Only SSH is libwraped, not SSL.
	101	+ * It's not vital: the real connecting IP address can be
	102	+ found in logs. Little gain.
	103	+ * It's Linux only: it means increased complexity for no
	104	+ gain to some users.
	105	+ * It's a patch: it means it'd only be useful to Linux
	106	+ users who compile their own kernel.
	107	+ * Only root can use the feature: that's a definite no-no.
	108	+ Sslh should not, must not, will never run as root.
95	109
96		-v1.3: 14MAY2008
97		- Added parsing for local interface to listen on
98		- Changed default SSL connection to port 442 (443 doesn't make
99		- sense as a default as we're already listening on 443)
100		- Syslog incoming connections
	110	+This isn't to mean that it won't eventually get implemented,
	111	+when/if the feature finds its way into the main kernel and
	112	+it becomes usuable by non-root processes.
101	113
102		-v1.2: 12MAY2008
103		- Fixed compilation warning for AMD64 (Thx Daniel Lange)
104	114
105		-v1.1: 21MAY2007
106		- Making sslhc more like a real daemon:
107		- * If $PIDFILE is defined, write first PID to it upon startup
108		- * Fork at startup (detach from terminal)
109		- (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
110		- * Less memory usage (?)
111		-
112		-v1.0:
113		- * Basic functionality: privilege dropping, target hostnames and ports
114		- configurable.
115		-
	115	+Comments? questions? sslh@rutschle.net

scripts/etc.init.d.sslhView
		@@ -37,9 +37,8 @@
37	37	stop()
38	38	{
39	39	echo "Stop services: sslh"
40	40	killall $DAEMON
41		- rm ${PIDFILE}
42	41	logger -t ${tag} -p ${facility} -i 'Stopped sslh'
43	42	}
44	43
45	44

scripts/etc.rc.d.init.d.sslh.centosView
		@@ -1,0 +1,77 @@
	1	+#!/bin/bash
	2	+#
	3	+# /etc/rc.d/init.d/sslh
	4	+# sslh This shell script takes care of starting and stopping
	5	+# sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers
	6	+#
	7	+# Author: Andre Krajnik akrajnik@gmail.com
	8	+#
	9	+# chkconfig: 2345 13 87
	10	+# description: sslh - a daemon switching incoming connection between SSH and SSL/HTTPS servers
	11	+
	12	+# Source function library.
	13	+. /etc/init.d/functions
	14	+
	15	+# ./sslh -p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22
	16	+
	17	+SSLH='/usr/local/sbin/sslh'
	18	+PIDFILE='/var/run/sslh'
	19	+
	20	+OPTIONS='-p 0.0.0.0:8443 -l 127.0.0.1:443 -s 127.0.0.1:22 -P $PIDFILE'
	21	+
	22	+if [ -f /etc/sysconfig/sslh ]; then
	23	+ . /etc/sysconfig/sslh
	24	+fi
	25	+
	26	+
	27	+start() {
	28	+ echo -n "Starting SSL-SSH-Switch: "
	29	+ if [ -f $PIDFILE ]; then
	30	+ PID=`cat $PIDFILE`
	31	+ echo sslh already running: $PID
	32	+ exit 2;
	33	+ elif [ -f $PIDFILE ]; then
	34	+ PID=`cat $PIDFILE`
	35	+ echo sslh already running: $PID
	36	+ exit 2;
	37	+ else
	38	+ cd $SLAPD_DIR
	39	+ daemon $SSLH $OPTIONS
	40	+ RETVAL=$?
	41	+ echo
	42	+ [ $RETVAL -eq 0 ] && touch $PIDFILE
	43	+ return $RETVAL
	44	+ fi
	45	+
	46	+}
	47	+
	48	+stop() {
	49	+ echo -n "Shutting down SSL-SSH-Switch: "
	50	+ echo
	51	+ killproc sslh
	52	+ echo
	53	+ rm -f $PIDFILE
	54	+ return 0
	55	+}
	56	+
	57	+case "$1" in
	58	+ start)
	59	+ start
	60	+ ;;
	61	+ stop)
	62	+ stop
	63	+ ;;
	64	+ status)
	65	+ status sslh
	66	+ ;;
	67	+ restart)
	68	+ stop
	69	+ start
	70	+ ;;
	71	+ *)
	72	+ echo "Usage: {start\|stop\|status\|restart}"
	73	+ exit 1
	74	+ ;;
	75	+esac
	76	+exit $?
	77	+

sslh.cView
		@@ -41,8 +41,11 @@
41	41	#include <tcpd.h>
42	42	int allow_severity =0, deny_severity = 0;
43	43	#endif
44	44
	45	+#ifndef VERSION
	46	+#define VERSION "v?"
	47	+#endif
45	48
46	49	#define CHECK_RES_DIE(res, str) \
47	50	if (res == -1) { \
48	51	perror(str); \
		@@ -52,15 +55,16 @@
52	55	#define USAGE_STRING \
53	56	"sslh " VERSION "\n" \
54	57	"usage:\n" \
55	58	"\tsslh [-t <timeout>] -u <username> -p [listenaddr:]<listenport> \n" \
56		-"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-V]\n\n" \
	59	+"\t\t-s [sshhost:]port -l [sslhost:]port [-P pidfile] [-v] [-i] [-V]\n\n" \
57	60	"-v: verbose\n" \
58	61	"-V: version\n" \
59	62	"-p: address and port to listen on. default: 0.0.0.0:443\n" \
60	63	"-s: SSH address: where to connect an SSH connection. default: localhost:22\n" \
61	64	"-l: SSL address: where to connect an SSL connection.\n" \
62		-"-P: PID file. Default: /var/run/sslh.pid\n" \
	65	+"-P: PID file. Default: /var/run/sslh.pid.\n" \
	66	+"-i: Run as a inetd service.\n" \
63	67	""
64	68
65	69	int verbose = 0; /* That's really quite global */
66	70
		@@ -350,9 +354,9 @@
350	354	setuid(pw->pw_uid);
351	355	CHECK_RES_DIE(res, "setuid");
352	356	}
353	357
354		-/* Writes my PID if $PIDFILE is defined */
	358	+/* Writes my PID */
355	359	void write_pid_file(char* pidfile)
356	360	{
357	361	FILE *f;
358	362
		@@ -391,17 +395,18 @@
391	395
392	396	/* Init defaults */
393	397	char *user_name = "nobody";
394	398	char listen_str[] = "0.0.0.0:443";
395		- char ssl_str[] = "localhost:442";
	399	+ char ssl_str[] = "localhost:443";
396	400	char ssh_str[] = "localhost:22";
397	401	char *pid_file = "/var/run/sslh.pid";
	402	+ char inetd = 0;
398	403
399	404	resolve_name(&addr_listen, listen_str);
400	405	resolve_name(&addr_ssl, ssl_str);
401	406	resolve_name(&addr_ssh, ssh_str);
402	407
403		- while ((c = getopt(argc, argv, "t:l:s:p:P:vVu:")) != EOF) {
	408	+ while ((c = getopt(argc, argv, "t:l:s:p:P:ivVu:")) != EOF) {
404	409	switch (c) {
405	410
406	411	case 't':
407	412	timeout = atoi(optarg);
		@@ -418,8 +423,12 @@
418	423	case 's':
419	424	resolve_name(&addr_ssh, optarg);
420	425	break;
421	426
	427	+ case 'i':
	428	+ inetd = 1;
	429	+ break;
	430	+
422	431	case 'v':
423	432	verbose += 1;
424	433	break;
425	434
		@@ -440,8 +449,15 @@
440	449	exit(2);
441	450	}
442	451	}
443	452
	453	+ if(inetd)
	454	+ {
	455	+ verbose = 0;
	456	+ start_shoveler(0);
	457	+ exit(0);
	458	+ }
	459	+
444	460	if (verbose)
445	461	printsettings();
446	462
447	463	setup_signals();
		@@ -468,8 +484,9 @@
468	484	if (verbose) fprintf(stderr, "accepted fd %d\n", in_socket);
469	485
470	486	if (!fork())
471	487	{
	488	+ close(listen_socket);
472	489	start_shoveler(in_socket);
473	490	exit(0);
474	491	}
475	492	close(in_socket);

sslh.podView
		@@ -5,9 +5,9 @@
5	5	sslh - ssl/ssh multiplexer
6	6
7	7	=head1 SYNOPSIS
8	8
9		-sslh [ B<-t> I<num> ] [B<-p> I<listening address>] [B<-l> I<target address for SSL>] [B<-s> I<target address for SSH>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-V]
	9	+sslh [ B<-t> I<num> ] [B<-p> I<listening address>] [B<-l> I<target address for SSL>] [B<-s> I<target address for SSH>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V]
10	10
11	11	=head1 DESCRIPTION
12	12
13	13	B<sslh> lets one accept both HTTPS and SSH connections on
		@@ -65,9 +65,9 @@
65	65
66	66	Interface and port on which to forward SSL connection,
67	67	typically I<localhost:443>.
68	68
69		-Defaults to I<localhost:442> (this assumes you would
	69	+Defaults to I<localhost:443> (this assumes you would
70	70	configure your B<httpd> process to listen to port 443).
71	71
72	72	Note that you can set B<sslh> to listen on I<ext_ip:443> and
73	73	B<httpd> to listen on I<localhost:443>: this allows clients
		@@ -96,8 +96,13 @@
96	96
97	97	Specifies the file in which to write the PID of the main
98	98	server. Defaults to I</var/run/sslh.pid>.
99	99
	100	+=item B<-i>
	101	+
	102	+Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
	103	+(listen address), B<-U> (user) are ignored.
	104	+
100	105	=back
101	106
102	107	=head1 FILES
103	108
		@@ -109,9 +114,9 @@
109	114	B<restart> are supported.
110	115
111	116	=item F</etc/default/sslh>
112	117
113		-Server configuration. These are environement variables
	118	+Server configuration. These are environment variables
114	119	loaded by the start-up script and passed to B<sslh> as
115	120	command-line arguments. Refer to the OPTIONS section for a
116	121	detailed explanation of the variables used by B<sslh>.
117	122

ChangeLogView
		@@ -1,0 +1,65 @@
	1	+v1.7: 01FEB2010
	2	+ Added CentOS init.d script (Andre Krajnik).
	3	+
	4	+ Fixed default ssl address inconsistancy, now
	5	+ defaults to "localhost:443" and fixed documentation
	6	+ accordingly (pointed by Markus Schalke).
	7	+
	8	+ Children no longer bind to the listen socket, so
	9	+ parent server can be stopped without killing an
	10	+ active child (pointed by Matthias Buecher).
	11	+
	12	+ Inetd support (Dima Barsky).
	13	+
	14	+v1.6: 25APR2009
	15	+ Added -V, version option.
	16	+
	17	+ Install target directory configurable in Makefile
	18	+
	19	+ Changed syslog prefix in auth.log to "sslh[%pid]"
	20	+
	21	+ Man page
	22	+
	23	+ new 'make install' and 'make install-debian' targets
	24	+
	25	+ PID file now specified using -P command line option
	26	+
	27	+ Actually fixed zombie generation (the v1.5 patch got
	28	+ lost, doh!)
	29	+
	30	+
	31	+v1.5: 10DEC2008
	32	+ Fixed zombie generation.
	33	+
	34	+ Added support scripts (), Makefile.
	35	+
	36	+ Changed all 'connexions' to 'connections' to please
	37	+ pesky users. Damn users.
	38	+
	39	+v1.4: 13JUL2008
	40	+ Added libwrap support for ssh service (Christian Weinberger)
	41	+ Only SSH is libwraped, not SSL.
	42	+
	43	+v1.3: 14MAY2008
	44	+ Added parsing for local interface to listen on
	45	+
	46	+ Changed default SSL connection to port 442 (443 doesn't make
	47	+ sense as a default as we're already listening on 443)
	48	+
	49	+ Syslog incoming connections
	50	+
	51	+v1.2: 12MAY2008
	52	+ Fixed compilation warning for AMD64 (Thx Daniel Lange)
	53	+
	54	+v1.1: 21MAY2007
	55	+ Making sslhc more like a real daemon:
	56	+ * If $PIDFILE is defined, write first PID to it upon startup
	57	+ * Fork at startup (detach from terminal)
	58	+ (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
	59	+ * Less memory usage (?)
	60	+
	61	+v1.0:
	62	+ Basic functionality: privilege dropping, target hostnames and ports
	63	+ configurable.
	64	+
	65	+

Built with git-ssb-web

cel / sslh

Commit 44f02ddf39a9d4c338dae207cfd1fb6bc6bfd1e0

v1.7: 01FEB2010

Files changed