Bill,
> Marcus J Ranum <mjr@TIS.COM> writes:
> marcus> If you have to, a captive login program that does a chroot to
> marcus> someplace and drops the user into a simple shell that lets them telnet,
> marcus> or rlogin to other machines, will do 95% of what you want.
>
> This is what I was thinking. Comments from others? Has anyone
> written this? If not, I'll post it here after I do. ;-)
I have real reservations about responding to this but what the hey... I have
hacked something together that has been in use here for a while. There are
some assumptions made that may not apply to all. I am putting this out as
a starting point for others. I'd be happy to hear constructive ideas but
please, no heavy duty flames of "how dumb can you be!" :-) I needed something
cheap and this definitely fit the bill... :-) The sources are available via
FTP from sparky.sterling.com as /local/gau.tar.Z. I'd be happy to roll in
any enhancements others make. I was planning on adding some additional ftp
commands for dealing with ftp from the firewall to internal systems but we
are NFS mounting the transfer area at present. There are some stubs in place
if you wish to modify it further to not need NFS. You will need to edit the
file telout.c to set up the GATEWAY and DOMAIN defines. Please examine the
following overview carefully and if you retrieve the sources, do the same to
them as well. All the mods should be bracketed within the GATEWAY ifdefs.
These tools also support checking the load of the gateway host, /etc/nologin
semantics and a configurable MOTD, and they can be configured to log transfers
to and from the gateway system.
Like everything I release...
**
** Use of this software constitutes acceptance for use in an AS IS
** condition. There are NO warranties with regard to this software.
** In no event shall the author(s) be liable for any damages whatsoever
** arising out of or in connection with the use or performance of this
** software. Any use of this software is at the user's own risk.
**
-Kent+
--
Kent Landfield                  INTERNET: kent@sterling.com
Sterling Software               UUCP: uunet!sparky!kent
Phone: (402) 291-8300           FAX: (402) 291-4362
Please send comp.sources.misc-related mail to kent@uunet.uu.net.
=============================================================================
FTP-Availability: sparky.sterling.com:/local/gau.tar.Z
Tested Environment: SunOS4.1.2
This README is an overview of the GATEWAY Access Utilities and how to
install them. This package currently supports access to the Internet
through the use of a firewall system. All internal systems are hidden
behind a firewall (or gateway) from the Internet.
These utilities allow users from inside the network to get to archives and
services on the Internet without requiring that they have an account on the
gateway system.
The general design is as follows. There are two special accounts set up
to specifically allow use of a modified telnet and ftp program from the
gateway host. The access programs telout and ftpout are installed on hosts
which are internal to the network. There are currently two different network
access utilities supported, telnet and ftp. On the gateway host, two different
executables, acftp and actelnet, are installed. These are actually a version
of telnet and ftp which have been modified to better support gateway usage.
  --------------------------------------- Internet --------------------
                                              ||
                                              ||
                                              ||
                                              ||
   __________                          ______________
  |Internal  |                        | Gateway Host |
  |  Host    |        Internal        |  [Firewall]  |
  |          |------------------------|              |
  | (telout) |          LAN           |  (actelnet)  |
  | (ftpout) |                        |   (acftp)    |
  |__________|                        |______________|
The internal user executes the ftpout or telout program, which sets up the
user's privileges as those of the special account ftpout or telout. The
program then does an rlogin into the corresponding account on the gateway system.
The user is dropped into either actelnet or acftp, as appropriate.
These applications are set up as the accounts' login shells. The internal
user is then free to access hosts and services on the Internet. Files
retrieved to the gateway are available to the user internally via NFS.
The user can remove files transferred into the directories created during
the acftp session startup but they cannot remove the directories. Empty
directories can be removed via a process run periodically from cron if
they are bothersome but it is unnecessary.
All access to the Internet is logged to a file, /var/log/outbound on the
loghost as delivered. The time in seconds of the connection is logged as
well for possible use in accounting for use of the network connections.
=====================================================================
GATEWAY HOST SETUP:
=====================================================================
1. Add the following entries to /etc/passwd,
ftpout:*:85:85:Internal FTP Account:/tmp/ftp:/usr/local/bin/acftp
telout:*:86:86:Internal Telnet Account:/tmp/.tel:/usr/local/bin/actelnet
NOTE: The accounts are set up so that no direct login is possible.
The login shell is specified as the application itself so that
the user can never get directly to a shell.
2. Add the following entry to /etc/group,
ftpout:*:85:
telout:*:86:
3. Edit the /etc/syslog.conf file and add the following entries:
local0.info ifdef(`LOGHOST', /var/log/outbound, @loghost)
local0.err ifdef(`LOGHOST', /var/log/outbound, @loghost)
NOTE: Since the syslog.conf file is actually run through m4, assure
that the fields are separated by tab characters.
4. Create /var/log/outbound and assure that the ownership and modes
allow it to be written by syslogd. Restart syslogd with a -HUP so
that it processes your changes.
5. Create the configuration file /etc/outbound.cfg with the following
type of information:
#
# MOTD is the Message that you wish displayed when the user logs
# into the gateway via the telout or ftpout facility. The contents
# of MOTD should be the full disk path to file to be displayed.
#
# LOAD is the load limit at which logins to the gateway system are
# disabled with a "Sorry, try again" type message.
#
MOTD=/etc/Outbound.motd
LOAD=6
Create and edit your welcome message so that it is displayed to the
user upon login.
Telout:
6. Create a home directory for the telout account.
7. Create a .hushlogin file in the telout home directory.
8. Create a .rhosts file in the telout home directory. The contents
of the .rhosts file should consist of a host's fully qualified domain
name and the account name "telout". If I have a system nomad in the
DDP.Sterling.COM domain the .rhosts file entry for that system is:
nomad.DDP.Sterling.COM telout
Add an entry for each host that you are going to install the telout
access software on.
9. Change the modes and ownership on the telout home directory and
the files within to reflect the following;
drwxr-sr-x 2 root wheel 512 May 21 00:19 .
-r--r--r-- 1 root wheel 0 May 12 10:47 .hushlogin
-r--r--r-- 1 root wheel 32 May 21 00:19 .rhosts
Ftpout:
10. Create a home directory for the ftpout account.
11. Create a .hushlogin file in the ftpout home directory.
12. Create a .rhosts file in the ftpout home directory. The contents
of the .rhosts file should consist of a host's fully qualified domain
name and the account name "ftpout". If I have a system nomad in the
DDP.Sterling.COM domain the .rhosts file entry for that system is:
nomad.DDP.Sterling.COM ftpout
Add an entry for each host that you are going to install the ftpout
access software on.
13. Change the modes and ownership on the ftpout home directory and
the files within to reflect the following;
drwxrwsr-t 3 ftpout ftpout 512 May 20 23:44 .
-r--r--r-- 1 root wheel 0 May 20 23:01 .hushlogin
-r--r--r-- 1 root wheel 32 May 20 21:18 .rhosts
14. Edit the /etc/exports files to allow those systems that are to have
telout and ftpout programs installed so that the FTP transfer area
can be NFS mounted from the internal system.
15. Next compile and install the acftp executable.
a. Make the executable acftp.
b. cp acftp /usr/local/bin
c. chgrp kmem /usr/local/bin/acftp
d. chown ftpout /usr/local/bin/acftp
e. chmod 2755 /usr/local/bin/acftp
16. Next compile and install the actelnet executable.
a. Make the executable actelnet.
b. cp actelnet /usr/local/bin
c. chgrp kmem /usr/local/bin/actelnet
d. chown telout /usr/local/bin/actelnet
e. chmod 2755 /usr/local/bin/actelnet
NOTE: The executables are installed setgid to the group kmem so that
the program can read the load average out of /dev/kmem when it
starts up. Once kmem has been read, actelnet and acftp reset the
group id to the real group id. All files retrieved via ftp will
therefore have a group ownership of ftpout, not kmem.
=====================================================================
INTERNAL HOSTS SETUP:
=====================================================================
1. Add the following entries to /etc/passwd,
ftpout:NOLOGIN:85:85:Internal FTP Account:/tmp:/dev/null
telout:NOLOGIN:86:85:Internal Telnet Account:/tmp:/dev/null
2. Add the following entries to /etc/group,
ftpout:*:85:
telout:*:86:
3. Next compile and install the telout and ftpout executables.
a. Edit telout.c and assure the GATEWAY and DOMAIN defines
are correct and then make the executables.
b. cp ftpout telout /usr/local/bin
c. chgrp ftpout /usr/local/bin/ftpout
d. chgrp telout /usr/local/bin/telout
e. chown ftpout /usr/local/bin/ftpout
f. chown telout /usr/local/bin/telout
g. chmod 6755 /usr/local/bin/ftpout /usr/local/bin/telout
4. Edit the /etc/fstab and add an entry so as to allow the ftp transfer
area to be accessible from the internal systems. (automount 'em if
you got'em)
5. Mount the gateway's transfer area.
=====================================================================
The Internal host setup will need to be completed for each host that
you wish to allow external access from.
These facilities recognize the semantics of /etc/nologin and will display
its contents if the file's size is greater than 0 bytes. They also use the
LOAD value specified in the config file to determine when to disallow access
because the gateway is too busy.
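The startup checks described above (the MOTD/LOAD settings in /etc/outbound.cfg, the /etc/nologin size test, and the "read kmem, then give the group back" rule from the gateway setup NOTE) are easy to get subtly wrong, so here is a small C program that walks through them in order. It is an added illustration written for this overview, not code from gau.tar.Z or from Kent's sources; the function names are mine, and it assumes getloadavg(3) in place of the README's direct read of /dev/kmem. The sample config text is constructed inline so the program runs without the real files.

```c
/* Added example, not part of the gau package. Mirrors the actelnet/acftp
 * startup sequence from the README: parse /etc/outbound.cfg, read the load
 * average while still holding the setgid-kmem group, drop that group, then
 * decide whether to admit the session (nologin first, load limit second). */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define CFG_PATH_MAX 256

struct outbound_cfg {
    char   motd[CFG_PATH_MAX];  /* MOTD= full path of the welcome message   */
    double load;                /* LOAD= load limit; 0 means no limit       */
};

enum admit_result { ADMIT_OK = 0, ADMIT_NOLOGIN = 1, ADMIT_BUSY = 2 };

/* Parse KEY=VALUE lines from an open /etc/outbound.cfg stream.
 * '#' comment lines and blank lines are skipped. Returns the number of keys set. */
int parse_outbound_cfg(FILE *fp, struct outbound_cfg *cfg)
{
    char line[512];
    int n = 0;

    memset(cfg, 0, sizeof *cfg);
    while (fgets(line, sizeof line, fp) != NULL) {
        char *p = line + strspn(line, " \t");   /* skip leading blanks */
        p[strcspn(p, "\r\n")] = '\0';            /* strip the newline   */
        if (*p == '#' || *p == '\0')
            continue;
        if (strncmp(p, "MOTD=", 5) == 0) {
            snprintf(cfg->motd, sizeof cfg->motd, "%s", p + 5);
            n++;
        } else if (strncmp(p, "LOAD=", 5) == 0) {
            cfg->load = atof(p + 5);
            n++;
        }
    }
    return n;
}

/* Same parser over an in-memory string (used by main below and by tests). */
int parse_outbound_cfg_str(const char *text, struct outbound_cfg *cfg)
{
    FILE *fp = tmpfile();   /* ISO C temporary file, removed on close */
    int n;
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    n = parse_outbound_cfg(fp, cfg);
    fclose(fp);
    return n;
}

/* /etc/nologin semantics from the README: logins are refused only when the
 * file exists AND is larger than 0 bytes (its contents are what is shown). */
int nologin_active(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && st.st_size > 0;
}

/* Admission decision: nologin takes precedence; LOAD=0 disables the load test. */
enum admit_result gateway_admission(const struct outbound_cfg *cfg, double load1,
                                    const char *nologin_path)
{
    if (nologin_active(nologin_path))
        return ADMIT_NOLOGIN;
    if (cfg->load > 0 && load1 > cfg->load)
        return ADMIT_BUSY;
    return ADMIT_OK;
}

/* Give the setgid group back as soon as the privileged read is finished.
 * setregid() with the real gid in both slots also overwrites the saved gid,
 * so the process cannot pick kmem up again later. 0 only if verified. */
int drop_setgid_group(void)
{
    gid_t real = getgid();
    if (setregid(real, real) != 0)
        return -1;
    return (getgid() == real && getegid() == real) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample matching the /etc/outbound.cfg shown in the README. */
    static const char sample_cfg[] =
        "# MOTD is the welcome message, LOAD the load limit\n"
        "MOTD=/etc/Outbound.motd\n"
        "LOAD=6\n";
    struct outbound_cfg cfg;
    double la[1] = { 0.0 };

    if (parse_outbound_cfg_str(sample_cfg, &cfg) < 2) {
        fprintf(stderr, "bad outbound.cfg\n");
        return 1;
    }
    if (getloadavg(la, 1) < 1)   /* stands in for the /dev/kmem read */
        la[0] = 0.0;
    if (drop_setgid_group() != 0) {   /* never continue with kmem still held */
        fprintf(stderr, "could not drop group privileges\n");
        return 1;
    }
    switch (gateway_admission(&cfg, la[0], "/etc/nologin")) {
    case ADMIT_NOLOGIN: puts("Logins are currently disabled (see /etc/nologin)."); return 1;
    case ADMIT_BUSY:    printf("Sorry, try again: load %.2f exceeds limit %.0f\n",
                               la[0], cfg.load); return 1;
    default:            printf("Would display %s and start the session\n", cfg.motd);
                        return 0;
    }
}
```

The ordering is the point: the privileged read happens first, the group is dropped and the drop is verified before any user-facing work, and an empty /etc/nologin does not block anyone, exactly as the README states.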
The sources to telnet were originally from the BSD sources and modified to
become actelnet. The sources to ftp were grabbed from gatekeeper.dec.com.
Originally BSD sources, ftp was modified by Paul Vixie (vixie@pa.dec.com)
and then later modified to become acftp with gateway support added.
Telout.c was written by Kent Landfield (kent@sterling.com) to glue this
all together.