> Winton--
>
> Excellent! Absolutely wonderful.
>
> I'm wondering which apps/encapsulators support SOCKS4A? Letting the proxy
> resolve the destination hostname gets me around the DNS leakage problem
> quite nicely.
>
> Incidentally, we do need SOCKS5 support -- if for no other reason, the
> fact that there's *operating system* level support in OSX for SOCKS5
> redirection. So OpenSSH can become an almost transparent VPN-like tunnel
> in OSX w/ SOCKS5 -- for TCP traffic from applications that honour the
> system proxy setting, at least.
>
> Even without OSX, a decent number of apps only support SOCKS5
> proxying.
>
Good luck, I sent in a patch for socks5 support back in October of last
year and got blown out of the water by the "developers".
The patch consists of three files:
README.patch
patch_Applied-2-openssh-2.9.9p2.diff
do_configure.sh
which you will find attached :-)
The one drawback I saw when rummaging around in the OpenSSH code is that
it is set up to support IPv6 throughout, while the SOCKS calls (Rconnect,
Rrresvport) only handle IPv4. The SOCKS support is identical to that supplied
in the pre-OpenSSH ssh-1.2.xx code. I have not tested the SOCKS4 path.
Michael
-------------- next part --------------
--with-socks5 patch
apply the patch
regenerate config.h.in (the patch adds new templates to acconfig.h):
autoheader configure.in > config.h.in
regenerate configure (the patch adds the --with-socks* options to configure.in):
autoconf configure.in > configure
then run configure; this example is for Linux:
#!/bin/sh
# Configure OpenSSH 2.9.9p2 with the SOCKS5 patch applied (Linux example).
# The build options are collected in the positional parameters and handed
# to configure unchanged; CFLAGS is set for that one invocation only.
set -- \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --without-pam \
    --with-md5-passwords \
    --with-tcp-wrappers \
    --with-socks5 \
    --disable-scp-stats \
    --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin/i386-slackware-linux
# NOTE(review): the --with-default-path value ends in "/bin/i386-slackware-linux";
# that looks like a wrapped line (the final PATH entry would be a directory that
# does not normally exist) -- confirm the intended value before building.
CFLAGS="-O2 -Wall" ./configure "$@"
this script can be found in
do_configure.sh
-------------- next part --------------
#!/bin/sh
# do_configure.sh: configure OpenSSH 2.9.9p2 with the SOCKS5 patch applied
# (Linux example). Options are collected in the positional parameters and
# passed to configure unchanged; CFLAGS is set for that one invocation only.
set -- \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --without-pam \
    --with-md5-passwords \
    --with-tcp-wrappers \
    --with-socks5 \
    --disable-scp-stats \
    --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin/i386-slackware-linux
# NOTE(review): the --with-default-path value ends in "/bin/i386-slackware-linux";
# that looks like a wrapped line (the final PATH entry would be a directory that
# does not normally exist) -- confirm the intended value before building.
CFLAGS="-O2 -Wall" ./configure "$@"
-------------- next part --------------
diff -u openssh-2.9.9p2.old/acconfig.h openssh-2.9.9p2/acconfig.h
--- openssh-2.9.9p2.old/acconfig.h Thu Sep 20 12:43:41 2001
+++ openssh-2.9.9p2/acconfig.h Sat Oct 6 17:44:07 2001
@@ -111,6 +111,9 @@
* message at run-time. */
#undef RSAREF
+/* Define to disable scp statistics */
+#undef DISABLE_SCP_STATISTICS
+
/* struct timeval */
#undef HAVE_STRUCT_TIMEVAL
@@ -332,6 +335,30 @@
/* Define if you want smartcard support */
#undef SMARTCARD
+
+/* The code in sshconnect.c is written for SOCKS4. If SOCKS5 should be used
+ these needs redefining */
+#undef Rconnect
+#undef Rgetsockname
+#undef Rgetpeername
+#undef Rbind
+#undef Raccept
+#undef Rlisten
+#undef Rselect
+#undef Rrecvfrom
+#undef Rsendto
+#undef Rrecv
+#undef Rsend
+#undef Rread
+#undef Rwrite
+#undef Rrresvport
+#undef Rshutdown
+#undef Rlisten
+#undef Rclose
+#undef Rdup
+#undef Rdup2
+#undef Rfclose
+#undef Rgethostbyname
@BOTTOM@
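Review bot: `#undef Rlisten` appears twice in the added template list (once after `Raccept`, again after `Rshutdown`); the second copy should go, together with the matching duplicate `AC_DEFINE(Rlisten,SOCKSlisten)` in the configure.in part of this patch. The configure.in side also does `AC_DEFINE(SOCKS)`, `AC_DEFINE(SOCKS4)` and `AC_DEFINE(SOCKS5)`, but no `#undef SOCKS` / `#undef SOCKS4` / `#undef SOCKS5` template is added here, and autoheader (which the README asks the user to run) may refuse symbols that have no template — worth confirming that step actually succeeds. The header comment could say what the list is for: `/* SOCKS wrappers: sshconnect.c and channels.c call the SOCKS4 R* names; for libsocks5, configure.in maps each of them to its SOCKS* equivalent via AC_DEFINE. */`.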
diff -u openssh-2.9.9p2.old/channels.c openssh-2.9.9p2/channels.c
--- openssh-2.9.9p2.old/channels.c Mon Sep 17 22:53:12 2001
+++ openssh-2.9.9p2/channels.c Sat Oct 6 17:09:30 2001
@@ -2481,7 +2481,12 @@
struct hostent *he;
struct in_addr my_addr;
+#if defined(SOCKS5)
+ he = Rgethostbyname(hostname);
+#else
+
he = gethostbyname(hostname);
+#endif
if (he == NULL) {
error("[X11-broken-fwd-hostname-workaround] Could not get "
"IP address for hostname %s.", hostname);
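Review bot: The guard here is `#if defined(SOCKS5)` while sshconnect.c in the same patch guards its wrapper calls with `#if defined(SOCKS)`, so a `--with-socks4` build (which defines only `SOCKS` and `SOCKS4`) keeps the plain `gethostbyname()` on this one path; pick one macro and use it consistently, and drop the stray blank line after `#else`. channels.c is linked into sshd as well as ssh, and the `[X11-broken-fwd-hostname-workaround]` message suggests this is the server-side X11 display setup, so in a SOCKS5 build the daemon's own hostname lookup would go through the SOCKS library's resolver — presumably not intended for a client-side proxy patch; confirm which binary runs this path and, if it is sshd, leave it on `gethostbyname()`. The enclosing function starts and ends outside the hunk.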
diff -u openssh-2.9.9p2.old/configure.in openssh-2.9.9p2/configure.in
--- openssh-2.9.9p2.old/configure.in Tue Sep 25 15:39:38 2001
+++ openssh-2.9.9p2/configure.in Sat Oct 6 17:41:54 2001
@@ -480,6 +480,141 @@
]
)
+dnl checkfor SOCKS support
+AC_MSG_CHECKING(whether to support SOCKS)
+AC_ARG_WITH(socks,
+ [ --with-socks Build with SOCKS firewall support.],
+ [ case "$withval" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ yes)
+ AC_MSG_RESULT(yes)
+ AC_CHECK_LIB(socks5, SOCKSconnect, [
+ socks=5
+ LIBS="-lsocks5 $LIBS"], [
+ AC_CHECK_LIB(socks, Rconnect, [
+ socks=4
+ LIBS="-lsocks $LIBS"], [
+ AC_MSG_ERROR(SOCKS library missing. You must first install
socks.) ] ) ] )
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+)
+
+if test "x$socks" = "x"; then
+ AC_MSG_CHECKING(whether to support SOCKS5)
+ AC_ARG_WITH(socks5,
+ [ --with-socks5[=PATH] Build with SOCKS5 firewall support.],
+ [ case "$withval" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
+ AC_MSG_RESULT(yes)
+ socks=5
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks5"
+ else
+ if test -d "$withval"; then
+ if test -d "$withval/include"; then
+ CFLAGS="$CFLAGS -I$withval/include"
+ else
+ CFLAGS="$CFLAGS -I$withval"
+ fi
+ if test -d "$withval/lib"; then
+ withval="-L$withval/lib -lsocks5"
+ else
+ withval="-L$withval -lsocks5"
+ fi
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ # If Socks was compiled with Kerberos support, we will need
+ # to link against kerberos libraries. Temporarily append
+ # to LIBS. This is harmless if there is no kerberos support.
+ TMPLIBS="$LIBS"
+ LIBS="$LIBS $KERBEROS_LIBS"
+ AC_TRY_LINK([],
+ [ SOCKSconnect(); ],
+ [],
+ [ AC_MSG_ERROR(Could not find the $withval library. You
must first install socks5.) ])
+ LIBS="$TMPLIBS"
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+fi
+
+if test "x$socks" = "x"; then
+ AC_MSG_CHECKING(whether to support SOCKS4)
+ AC_ARG_WITH(socks4,
+ [ --with-socks4[=PATH] Compile with SOCKS4 firewall traversal
+support.],
+ [ case "$withval" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
+ AC_MSG_RESULT(yes)
+ socks=4
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks"
+ else
+ if test -d "$withval"; then
+ withval="-L$withval -lsocks"
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ AC_TRY_LINK([],
+ [ Rconnect(); ],
+ [],
+ [ AC_MSG_ERROR(Could not find the $withval library.
+You must first install socks.) ])
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+fi
+
+
+
+if test "x$socks" = "x4"; then
+ AC_DEFINE(SOCKS)
+ AC_DEFINE(SOCKS4)
+ CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+ LDFLAGS="$LDFLAGS -L/usr/local/lib"
+fi
+
+if test "x$socks" = "x5"; then
+ AC_DEFINE(SOCKS)
+ AC_DEFINE(SOCKS5)
+ AC_DEFINE(Rconnect,SOCKSconnect)
+ AC_DEFINE(Rgetsockname,SOCKSgetsockname)
+ AC_DEFINE(Rgetpeername,SOCKSgetpeername)
+ AC_DEFINE(Rbind,SOCKSbind)
+ AC_DEFINE(Raccept,SOCKSaccept)
+ AC_DEFINE(Rlisten,SOCKSlisten)
+ AC_DEFINE(Rselect,SOCKSselect)
+ AC_DEFINE(Rrecvfrom,SOCKSrecvfrom)
+ AC_DEFINE(Rsendto,SOCKSsendto)
+ AC_DEFINE(Rrecv,SOCKSrecv)
+ AC_DEFINE(Rsend,SOCKSsend)
+ AC_DEFINE(Rread,SOCKSread)
+ AC_DEFINE(Rwrite,SOCKSwrite)
+ AC_DEFINE(Rrresvport,SOCKSrresvport)
+ AC_DEFINE(Rshutdown,SOCKSshutdown)
+ AC_DEFINE(Rlisten,SOCKSlisten)
+ AC_DEFINE(Rclose,SOCKSclose)
+ AC_DEFINE(Rdup,SOCKSdup)
+ AC_DEFINE(Rdup2,SOCKSdup2)
+ AC_DEFINE(Rfclose,SOCKSfclose)
+ AC_DEFINE(Rgethostbyname,SOCKSgethostbyname)
+ CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+ CFLAGS="$CFLAGS -DSOCKS"
+ LDFLAGS="$LDFLAGS -L/usr/local/lib"
+fi
+
dnl Checks for library functions.
AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock dirname
fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist
getopt getnameinfo getrlimit getrusage getttyent glob inet_aton inet_ntoa
inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty
readpassphrase realpath rresvport_af setdtablesize setenv setegid seteuid
setlogin setproctitle setresgid setreuid setrlimit setsid setvbuf sigaction
sigvec snprintf strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp utimes
vsnprintf vhangup waitpid _getpty __b64_ntop)
dnl Checks for time functions
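Review bot: Both the SOCKS4 and SOCKS5 branches unconditionally append `-I/usr/local/include` to CPPFLAGS and `-L/usr/local/lib` to LDFLAGS, even when the user gave an explicit `--with-socks5=PATH` that already added its own -I/-L; this widens the header and library search for the whole build, so a stray OpenSSL or zlib under /usr/local can be picked up silently — add them only for the bare `--with-socks5`/`--with-socks4` case, or not at all. `CFLAGS="$CFLAGS -DSOCKS"` duplicates the `AC_DEFINE(SOCKS)` a few lines above it, and `AC_DEFINE(Rlisten,SOCKSlisten)` is listed twice. The Kerberos comment says appending `$KERBEROS_LIBS` is harmless, but nothing visible here sets that variable; if it is meant to be the Kerberos library variable defined earlier in configure.in, use that name, otherwise the link test silently runs without it.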
@@ -1838,6 +1973,12 @@
[ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]],
[ AC_DEFINE(DISABLE_PUTUTXLINE) ]
)
+AC_ARG_ENABLE(scp-stats,
+[ --disable-scp-stats disable scp statistics display [no]],
+ AC_DEFINE(DISABLE_SCP_STATISTICS)
+ AC_MSG_RESULT(yes)
+)
+
AC_ARG_WITH(lastlog,
[ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
[
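Review bot: The `AC_ARG_ENABLE(scp-stats, ...)` action ignores `$enableval`, so `--enable-scp-stats` defines `DISABLE_SCP_STATISTICS` exactly like `--disable-scp-stats` does; guard it with `[ if test "x$enableval" = "xno"; then AC_DEFINE(DISABLE_SCP_STATISTICS); fi ]`. This mirrors the `--disable-pututxline` entry directly above, so it may be the file's existing convention, but then the help text should not imply that an enable form exists. `AC_MSG_RESULT(yes)` here has no preceding `AC_MSG_CHECKING`, so it prints a stray `yes` on a line of its own.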
diff -u openssh-2.9.9p2.old/includes.h openssh-2.9.9p2/includes.h
--- openssh-2.9.9p2.old/includes.h Wed Sep 19 19:07:51 2001
+++ openssh-2.9.9p2/includes.h Sat Oct 6 17:10:37 2001
@@ -23,6 +23,11 @@
#include "openbsd-compat/bsd-nextstep.h"
+#if defined(SOCKS5)
+/* does not support IPV6 */
+#include "socks.h"
+#endif
+
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
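Review bot: `socks.h` is included only under `#if defined(SOCKS5)`, but sshconnect.c calls `Rconnect()` and `Rrresvport()` under `#if defined(SOCKS)`, so a `--with-socks4` build compiles those calls with no prototype (implicit int declarations) — widen this to `#if defined(SOCKS)` if the SOCKS4 library's header is also named `socks.h`, otherwise add that header under its own guard. The header comes from the `-I` path that configure sets, so `#include <socks.h>` is the conventional form; the quoted form searches the source directory first. The `/* does not support IPV6 */` comment would be more useful as `/* SOCKS wrapper declarations; the libsocks5 wrappers handle AF_INET only (see the SOCKS branches in sshconnect.c). */`.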
diff -u openssh-2.9.9p2.old/scp.c openssh-2.9.9p2/scp.c
--- openssh-2.9.9p2.old/scp.c Wed Sep 19 17:57:56 2001
+++ openssh-2.9.9p2/scp.c Sat Oct 6 17:42:08 2001
@@ -128,7 +128,11 @@
int verbose_mode = 0;
/* This is set to zero if the progressmeter is not desired. */
+#if defined(DISABLE_SCP_STATISTICS)
+int showprogress = 0;
+#else
int showprogress = 1;
+#endif
/* This is the program to execute for the secured connection. ("ssh"
or -S) */
char *ssh_program = _PATH_SSH_PROGRAM;
diff -u openssh-2.9.9p2.old/sshconnect.c openssh-2.9.9p2/sshconnect.c
--- openssh-2.9.9p2.old/sshconnect.c Tue Aug 7 15:29:09 2001
+++ openssh-2.9.9p2/sshconnect.c Sat Oct 6 17:10:55 2001
@@ -15,8 +15,6 @@
#include "includes.h"
RCSID("$OpenBSD: sshconnect.c,v 1.110 2001/07/25 14:35:18 markus Exp
$");
-#include <openssl/bn.h>
-
#include "ssh.h"
#include "xmalloc.h"
#include "rsa.h"
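Review bot: Removing `#include <openssl/bn.h>` has nothing to do with SOCKS support and is not explained anywhere in the patch; it should be a separate change, or dropped. If sshconnect.c still uses BIGNUM types, it now compiles only because another header (presumably `rsa.h` pulling in OpenSSL headers) happens to provide them — confirm that, and if so say so in the patch description.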
@@ -182,7 +180,12 @@
*/
if (privileged) {
int p = IPPORT_RESERVED - 1;
+#if defined(SOCKS)
+/* does not support IPV6 */
+ sock = Rrresvport(&p);
+#else /* SOCKS */
sock = rresvport_af(&p, family);
+#endif /* SOCKS */
if (sock < 0)
error("rresvport: af=%d %.100s", family, strerror(errno));
else
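Review bot: `Rrresvport(&p)` is called inside the `if (privileged)` branch, i.e. while ssh still holds its setuid-root privileges for the reserved-port bind (the uid is only dropped later, at the `temporarily_use_uid(pw)` shown in the next hunk), so the SOCKS library's own initialisation — typically reading its configuration file and environment variables, though that depends on the libsocks5 build — now runs with effective uid 0 in the client; at minimum that deserves a comment, and ideally the library should not be touched until after the uid drop. `Rrresvport` also discards the `family` argument that `rresvport_af()` took, so for an AF_INET6 candidate it hands back an AF_INET socket that the later connect() cannot use, and the failure surfaces as a confusing connect error rather than here; skipping non-IPv4 candidates explicitly is clearer. ssh_create_socket starts and ends outside the hunk, so this assumes its caller treats a negative return as "try the next address", as the existing `sock < 0` handling suggests.
```c
	if (privileged) {
		int p = IPPORT_RESERVED - 1;
#if defined(SOCKS)
		/*
		 * The SOCKS wrappers handle AF_INET only, and this runs while
		 * the reserved-port (root) privileges are still in effect.
		 */
		if (family != AF_INET) {
			error("SOCKS support is IPv4-only, skipping af=%d", family);
			return -1;
		}
		sock = Rrresvport(&p);
#else /* SOCKS */
		/* … unchanged: rresvport_af() and its error handling … */
```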
@@ -326,7 +329,12 @@
* the remote uid as root.
*/
temporarily_use_uid(pw);
- if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
+#if defined(SOCKS)
+ if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+#else /* SOCKS */
+ if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+#endif /* SOCKS */
+ {
/* Successful connection. */
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
restore_uid();
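Review bot: `Rconnect()` is handed `ai->ai_addr`, an address the caller has already resolved with getaddrinfo() (outside the hunk), so the SOCKS server only ever sees an IP, not the hostname — name resolution still happens locally, which is exactly the DNS leak the thread above hopes SOCKS will avoid; sending the name through the proxy would need the SOCKS5 domain-name address form and a bypass of the local lookup, and the limitation should be documented here: `/* NOTE: the target was resolved locally by getaddrinfo(); the SOCKS server only sees the IP address. The libsocks5 wrappers handle AF_INET only. */`. For an AF_INET6 entry in the getaddrinfo list an IPv4-only SOCKS library will fail the connect and the enclosing loop presumably moves on, which is acceptable but worth a comment too. Splitting the conditional across `#if`/`#else` with the opening brace on its own line is harder to read than keeping a complete `if (...) {` inside each branch, as the surrounding code does.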