A new release of SOCKS is available for anonymous ftp from host
ftp.inoc.dl.nec.com (143.101.112.3), file pub/security/socks.cstc.4.0.tar.gz.
This version is intended to run with identd user verification (RFC 1413),
which is available as file pub/security/pidentd-2.1.2.tar.gz.
Both of these are in GNU's compressed form and require gzip to uncompress
them. If you don't already have that you can also pick up the file
pub/gnu/gzip-1.1.2.tar.Z. Remember to download them in binary mode.
There are a few bug fixes: rftp no longer chops off password after
8 characters; 'eq ftp' now works; so does the use of macro
SOCKS_DEFAULT_NS.
I am enclosing the first part of the README.1st file which describes
the new features. Besides SunOS 4.1.x, the new version has also been
ported and tested on ULTRIX 4.3, IRIX 4.0.1, and partially on HPUX,
thanks to Ian Dunkin and Anthony Shipman.
Hope you can make good use of the package. Enjoy it.
Ying-Da Lee (214)518-3490 (214)518-3552 (FAX)
Principal Member, Technical Staff
NEC Systems Laboratory, C&C Software Technology Center /
NEC USA, Corporate Network Administration Division
ylee@syl.dl.nec.com
=======================================================================
This is SOCKS, a package consisting of a proxy server (sockd)
and client programs corresponding to finger, whois, ftp, telnet,
xgopher, and xmosaic, as well as a library module (libsocks.a)
for adapting other applications into new client programs.
The original SOCKS was written by David Koblas <koblas@netcom.com>,
which included the library module and finger, whois, and ftp clients.
Client programs added since the original are:
-telnet: adapted from telnet.91.03.25 by David Borman <dab@cray.com>.
This version is supposed to be much easier than the previous one
to port to many different systems.
-xgopher: adapted from xgopher ver. 1.2 by Allan Tuchman <a-tuchman@uiuc.edu>.
-xmosaic: adapted from xmosaic ver. 1.2 by NCSA staff (contact
Marc Andreesen, <marca@ncsa.uiuc.edu>).
The SOCKS protocol has changed with this version. Since the server and
the clients must use the same SOCKS protocol, this server does not work
with clients of previous releases, and these clients do not work with
servers of previous releases.
The access control mechanism has been expanded:
-A list of users can be included along with other fields (source address,
destination address, service/port) for permission/denial of access.
-Identd is used (controlled by options -i and -I) in the SOCKS server to try
to verify the actual user-ids. The code uses the library written by
Peter Eriksson <pen@lysator.liu.se> and Pär Emanuelsson <pell@lysator.liu.se>.
-A shell command can optionally be specified with each line. The command
is executed if the conditions of that line are satisfied. This is adapted
from the same feature and code used in the log_tcp package by Wietse
Venema <wietse@wzv.win.tue.nl>.
-Special entries (#NO_IDENTD: and #BAD_ID:) can be included to specify
shell commands to be executed when the client host doesn't run identd
and when identd's report doesn't agree with what the client program says.
The following can be a reasonable sockd.conf using the new features:
# Permit root on 129.101.64.3 all services
permit *=root 129.101.64.3 0.0.0.0
#
# Permit root and usera on 129.101.112.10 telnet access to network 222.22.22
permit *=usera,root 129.101.112.10 0.0.0.0 222.22.22.0 0.0.0.255 eq telnet
#
# Permit all users on network 129.101 access to ftp
permit 129.101.0.0 0.0.255.255 eq ftp
#
# Deny everything else. Upon an attempt, finger the client host and pipe
# the result into an email to root with appropriate Subject line.
deny 0.0.0.0 255.255.255.255 : finger @%A | /usr/ucb/mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
#
# If the client doesn't run identd, tell the user and root there to run it.
#NO_IDENTD: /usr/ucb/mail -s 'Please run identd on %A' %u@%A root@%A
#
# Someone is masquerading as someone else. Finger the client host
# and pipe the result into an email message for local root and root on
# the client host with appropriate Subject line.
#BAD_ID: finger @%A | /usr/ucb/mail -s '%U pretends to be %u on host %A' root@%A root
The test_sockd_conf program can be used to test the access control file,
including the special entries and the execution of shell commands.
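The following Python is an added example, not code from the SOCKS package, that evaluates a sockd.conf in the format above against a request the way test_sockd_conf lets you try it by hand. It assumes: mask semantics where a 0 bit must match and a 1 bit is ignored (as the deny-everything line with mask 255.255.255.255 implies); the first matching line decides and no match means deny; -i only tries identd while -I requires it; %A, %Z, %S, %u and %U expand to client host, destination host, service port, the user-id the client sent and the user-id identd reported; and port operators other than eq (neq, lt, gt, le, ge) as in the sockd.conf manual page. The sample configuration, the requests and the RFC 1413 reply lines are constructed; helper names (parse_conf, decide, identd_user) are mine. Shell commands are expanded but never executed.

```python
"""Evaluate sockd.conf-style access control against SOCKS requests (added example)."""
import ipaddress

# Constructed input: the sample sockd.conf from the README above.
SOCKD_CONF = """\
permit *=root 129.101.64.3 0.0.0.0
permit *=usera,root 129.101.112.10 0.0.0.0 222.22.22.0 0.0.0.255 eq telnet
permit 129.101.0.0 0.0.255.255 eq ftp
deny 0.0.0.0 255.255.255.255 : finger @%A | /usr/ucb/mail -s 'SOCKD: rejected -- from %u@%A to host %Z (service %S)' root
#NO_IDENTD: /usr/ucb/mail -s 'Please run identd on %A' %u@%A root@%A
#BAD_ID: finger @%A | /usr/ucb/mail -s '%U pretends to be %u on host %A' root@%A root
"""

SERVICES = {"ftp": 21, "telnet": 23, "finger": 79, "whois": 43}  # /etc/services subset
# Only "eq" appears on the page; the other operators are assumed from sockd.conf(5).
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "gt": lambda a, b: a > b,
       "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}


def addr_match(addr, pattern, mask):
    """Mask bit 0 must match, mask bit 1 is ignored: 0.0.0.0 = this host only,
    255.255.255.255 = any host."""
    a, p, m = (int(ipaddress.IPv4Address(x)) for x in (addr, pattern, mask))
    return (a & ~m) & 0xFFFFFFFF == (p & ~m) & 0xFFFFFFFF


def identd_user(reply):
    """User-id from an RFC 1413 reply like '113 , 4711 : USERID : UNIX : alice';
    None for an ERROR reply (handled below like a host without identd)."""
    parts = [p.strip() for p in reply.split(":", 3)]
    return parts[3] if len(parts) == 4 and parts[1] == "USERID" else None


def parse_conf(text):
    """Parse permit/deny lines plus the #NO_IDENTD:/#BAD_ID: special entries."""
    rules, special = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#NO_IDENTD:", "#BAD_ID:")):
            key, _, cmd = line[1:].partition(":")
            special[key] = cmd.strip()
            continue
        if not line or line.startswith("#"):
            continue
        body, _, cmd = line.partition(" : ")        # optional shell command
        tok = body.split()
        rule = {"action": tok.pop(0), "users": None, "dst": None, "dmask": None,
                "op": None, "port": None, "cmd": cmd.strip() or None}
        if tok[0].startswith("*="):                 # optional user list
            rule["users"] = set(tok.pop(0)[2:].split(","))
        rule["src"], rule["smask"] = tok.pop(0), tok.pop(0)
        if len(tok) >= 2 and tok[0] not in OPS:     # optional destination/mask
            rule["dst"], rule["dmask"] = tok.pop(0), tok.pop(0)
        if tok:                                     # optional "op port"
            rule["op"], port = tok.pop(0), tok.pop(0)
            rule["port"] = SERVICES.get(port) or int(port)
        rules.append(rule)
    return rules, special


def expand(cmd, req):
    """%A client host, %Z destination host, %S service port,
    %u user-id sent by the client, %U user-id reported by identd."""
    for key, val in {"%A": req["src"], "%Z": req["dst"], "%S": str(req["port"]),
                     "%u": req["user"], "%U": req["identd"] or ""}.items():
        cmd = cmd.replace(key, val)
    return cmd


def decide(req, rules, special, require_identd=False):
    """Return (decision, [expanded shell commands sockd would run]).
    require_identd=False models -i (verify when identd answers), True models -I."""
    cmds = []
    if req["identd"] is None:                       # client host runs no identd
        if "NO_IDENTD" in special:
            cmds.append(expand(special["NO_IDENTD"], req))
        if require_identd:
            return "deny", cmds
    elif req["identd"] != req["user"]:              # identd disagrees with the client
        if "BAD_ID" in special:
            cmds.append(expand(special["BAD_ID"], req))
        return "deny", cmds
    for r in rules:                                 # first matching line wins
        if r["users"] is not None and req["user"] not in r["users"]:
            continue
        if not addr_match(req["src"], r["src"], r["smask"]):
            continue
        if r["dst"] and not addr_match(req["dst"], r["dst"], r["dmask"]):
            continue
        if r["op"] and not OPS[r["op"]](req["port"], r["port"]):
            continue
        if r["cmd"]:
            cmds.append(expand(r["cmd"], req))
        return r["action"], cmds
    return "deny", cmds                             # nothing matched: deny


def request(src, dst, port, user, identd):
    """Constructed request; identd is what identd reported, None if it did not answer."""
    return {"src": src, "dst": dst, "port": port, "user": user, "identd": identd}


if __name__ == "__main__":
    rules, special = parse_conf(SOCKD_CONF)
    for req in (request("129.101.64.3", "10.1.1.1", 80, "root", "root"),
                request("129.101.112.10", "222.22.22.5", 21, "usera", "usera"),
                request("129.101.5.5", "10.1.1.1", 80, "bob", "bob"),
                request("129.101.64.3", "10.1.1.1", 80, "root", "mallory")):
        print(decide(req, rules, special))
```

Note that the second request shows why line order matters: usera's ftp connection fails the telnet-only line but is then accepted by the network-wide ftp line, so the per-user line does not restrict usera to telnet.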
The Identd server is available through anonymous ftp from many places.
Consult archie. Or you can pick it up from ftp.inoc.dl.nec.com, the
file is pub/security/pidentd-2.1.2.tar.gz. This copy corrected a mistake
in the INSTALL file: In step 10, second paragraph, the line
TELNET session and enter "4711 , 113", where you replace 4711 with the
should read
TELNET session and enter "113 , 4711", where you replace 4711 with the
The author of pidentd is Peter Eriksson (pen@lysator.liu.se).
Finally, the network/host byte order confusion has been cleaned up. That
should make porting to other systems a lot easier. Only machines for which
the assumptions that short=int=16 bits and long=32 bits do not hold
are still likely to have serious problems.
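As an added example of the byte-order point, and not code from the SOCKS package, the Python below builds and parses a SOCKS4 CONNECT request with the port written explicitly in network order, and shows what reading that field in a little-endian host's native order does to it. The wire layout (VN, CD, 2-byte DSTPORT, 4-byte DSTIP, NUL-terminated USERID) and the reply codes 90 to 93 are taken from the SOCKS4 protocol description as I know it, not from this page; the request values are constructed and the function names are mine.

```python
"""Build and parse a SOCKS4 request with explicit network byte order (added example)."""
import socket
import struct

SOCKS4_VERSION, CMD_CONNECT, CMD_BIND = 4, 1, 2
# Reply codes per the SOCKS4 protocol description (assumed, not stated on the page):
# 92 and 93 are the wire-level counterparts of #NO_IDENTD: and #BAD_ID:.
REPLY_GRANTED, REPLY_REJECTED, REPLY_NO_IDENTD, REPLY_BAD_ID = 90, 91, 92, 93


def build_request(dst_ip, dst_port, userid, cmd=CMD_CONNECT):
    """VN(1) CD(1) DSTPORT(2, network order) DSTIP(4) USERID NUL.
    The '!' in the struct format fixes big-endian layout on every host."""
    return (struct.pack("!BBH4s", SOCKS4_VERSION, cmd, dst_port, socket.inet_aton(dst_ip))
            + userid.encode("ascii") + b"\0")


def parse_request(data):
    """Server side: decode with the same '!' layout and validate the fields."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS4_VERSION or cd not in (CMD_CONNECT, CMD_BIND):
        raise ValueError("not a SOCKS4 CONNECT/BIND request")
    userid, nul, _ = data[8:].partition(b"\0")
    if not nul:
        raise ValueError("USERID not NUL-terminated")
    return {"cmd": cd, "port": port, "ip": socket.inet_ntoa(ip),
            "userid": userid.decode("ascii")}


def port_read_in_native_order(data):
    """The confusion the README refers to: reading DSTPORT as a little-endian short
    (native order on x86) turns port 23 into 5888."""
    return struct.unpack("<H", data[2:4])[0]


def build_reply(code, port=0, ip="0.0.0.0"):
    """Reply: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4), again in network order."""
    return struct.pack("!BBH4s", 0, code, port, socket.inet_aton(ip))


def parse_reply(data):
    vn, code, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("bad SOCKS4 reply version")
    return {"code": code, "port": port, "ip": socket.inet_ntoa(ip)}


if __name__ == "__main__":
    req = build_request("222.22.22.5", 23, "usera")       # constructed request
    print(req.hex(), parse_request(req), port_read_in_native_order(req))
    print(parse_reply(build_reply(REPLY_BAD_ID)))
```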
The package has been ported for ULTRIX 4.3 by Ian Dunkin <imd1707@ggr.co.uk>
and Anthony Shipman <als@cpsg.com.au>, for IRIX 4.0.1 by Ian Dunkin (again),
and partially for HPUX by Anthony Shipman (again!). (We are a small bunch
of busy bees.) I also include patches by Craig Metz <cmetz@thor.tjhsst.edu>
to SOCKSize xarchie and ncftp. I have not tried these patches out
myself though.
I want to thank all the people I have mentioned so far, as well as the
following, who have helped with their bug reports, comments, and suggestions:
Alain Mellan <amellan@acri.fr>, Heinz Naef <whna@nexos.com>, Rejane Forre
<for@pttnms.ewi.ch>, Michael Lachowski <mlachow@maverick1.erenj.com>,
Nancy Ball <nancy_ball@sematech.org>, David Vincenzetti <vince@dsi.unimi.it>,
LaMont Jones <lamont@sp1.cup.hp.com>, Brandon Butterworth
<brandon@dd.eng.bbc.co.uk>, Richard Schultz <rich@ccrwest.org>.