Jö Fahlke
2018-Feb-21 11:00 UTC
Is there socksify script for dynamics forwardings to unix domain sockets?
On Tue, 20 Feb 2018, 23:13:16 -0800, Dan Kaminsky wrote:
> Date: Tue, 20 Feb 2018 23:13:16 -0800
> From: Dan Kaminsky <dan at doxpara.com>
> To: Jö Fahlke <jorrit at jorrit.de>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Is there socksify script for dynamics forwardings to unix domain sockets?
>
> Whoa. That's pretty cool.
>
> Empirically, how well do LD_PRELOAD scripts work in grabbing all socket calls?

Good point, I did not check that before, so I tried now (with tsocks on Debian stretch and the "ssh -D" socks port on a random port on localhost) and got mixed results. Generally, anything name-lookup related does not seem to work and I have to use IP addresses.

- ipmiconsole did not work with tsocks, the connection simply times out. No idea why, and not a big deal; as it is console-based I can ssh into the login host and use it from there.

- chromium did not work at all. (I get "This site can't be reached"/"10.xx.xx.xx unexpectedly closed the connection."/ERR_CONNECTION_CLOSED.) I heard somewhere that it uses AppArmor or something, so maybe that is interfering.

- firefox works well, even to the point where I get graphical remote KVM, despite the management web-interface's warning that it is supposedly missing some features required for that.

Regards,
Jö.

--
Jorrit (Jö) Fahlke, Institute for Computational and Applied Mathematics, University of Münster, Orleans-Ring 10, D-48149 Münster
Tel: +49 251 83 35146 Fax: +49 251 83 32729
Damien Miller
2018-Feb-22 00:53 UTC
Is there socksify script for dynamics forwardings to unix domain sockets?
On Wed, 21 Feb 2018, Jö Fahlke wrote:
> On Tue, 20 Feb 2018, 23:13:16 -0800, Dan Kaminsky wrote:
> > Date: Tue, 20 Feb 2018 23:13:16 -0800
> > From: Dan Kaminsky <dan at doxpara.com>
> > To: Jö Fahlke <jorrit at jorrit.de>
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: Re: Is there socksify script for dynamics forwardings to unix domain sockets?
> >
> > Whoa. That's pretty cool.
> >
> > Empirically, how well do LD_PRELOAD scripts work in grabbing all socket calls?
>
> Good point, I did not check that before, so I tried now (with tsocks on Debian stretch and the "ssh -D" socks port on a random port on localhost) and got mixed results. Generally, anything name-lookup related does not seem to work and I have to use IP addresses.

Yeah, IMO it would be better to write a small userspace NAT helper e.g. using IPPROTO_DIVERT that proxied things via SOCKS (assuming someone hasn't already done this).

-d
Dan Kaminsky
2018-Feb-22 01:02 UTC
Is there socksify script for dynamics forwardings to unix domain sockets?
On Wed, Feb 21, 2018 at 4:59 PM Damien Miller <djm at mindrot.org> wrote:
> On Wed, 21 Feb 2018, Jö Fahlke wrote:
>
> > On Tue, 20 Feb 2018, 23:13:16 -0800, Dan Kaminsky wrote:
> > > Date: Tue, 20 Feb 2018 23:13:16 -0800
> > > From: Dan Kaminsky <dan at doxpara.com>
> > > To: Jö Fahlke <jorrit at jorrit.de>
> > > Cc: openssh-unix-dev at mindrot.org
> > > Subject: Re: Is there socksify script for dynamics forwardings to unix domain sockets?
> > >
> > > Whoa. That's pretty cool.
> > >
> > > Empirically, how well do LD_PRELOAD scripts work in grabbing all socket calls?
> >
> > Good point, I did not check that before, so I tried now (with tsocks on Debian stretch and the "ssh -D" socks port on a random port on localhost) and got mixed results. Generally, anything name-lookup related does not seem to work and I have to use IP addresses.
>
> Yeah, IMO it would be better to write a small userspace NAT helper e.g. using IPPROTO_DIVERT that proxied things via SOCKS (assuming someone hasn't already done this).
>
> -d

There's a couple strategies I've been looking at for other reasons (universal TLS on all sockets, mainly). Seccomp trapping, expanding of the preload to DNS calls, using some other security hooks. Will report back.
Carson Gaspar
2018-Feb-22 05:43 UTC
Is there socksify script for dynamics forwardings to unix domain sockets?
On 2/21/2018 7:53 PM, Damien Miller wrote:
> Yeah, IMO it would be better to write a small userspace NAT helper e.g. using IPPROTO_DIVERT that proxied things via SOCKS (assuming someone hasn't already done this).

I haven't used them, but they exist:

https://github.com/darkk/redsocks
https://github.com/cybozu-go/transocks

These use tun, but achieve a similar goal:

https://github.com/normanr/socks-tun
https://github.com/ambrop72/badvpn/wiki/Tun2socks

The LD_PRELOAD method can intercept getaddrinfo()/gethostbyname() to handle name resolution on a per-process basis, which is an advantage to that method (dsocks does this). Of course as OpenSSH doesn't implement the UDP interfaces of SOCKS5, that limits what any client can do (although tun2socks has a UDP gateway to work around this).

--
Carson Gaspar
Jö Fahlke
2018-Feb-22 09:41 UTC
Is there socksify script for dynamics forwardings to unix domain sockets?
On Thu, 22 Feb 2018, 11:53:52 +1100, Damien Miller wrote:
> On Wed, 21 Feb 2018, Jö Fahlke wrote:
> > Good point, I did not check that before, so I tried now (with tsocks on Debian stretch and the "ssh -D" socks port on a random port on localhost) and got mixed results. Generally, anything name-lookup related does not seem to work and I have to use IP addresses.
>
> Yeah, IMO it would be better to write a small userspace NAT helper e.g. using IPPROTO_DIVERT that proxied things via SOCKS (assuming someone hasn't already done this).

Although dante's socksify does some trickery to support name lookup. They seem to make up an IP address for each requested name and keep a database of those around. Works well enough for firefox. Here is how that looks:

=====================================================================
joe at paranoia:~$ SOCKS5_SERVER=127.0.0.1:7778 socksify getent hosts sky-bmc epic-bmc
0.0.0.1         sky-bmc
0.0.0.2         epic-bmc
joe at paranoia:~$ SOCKS5_SERVER=127.0.0.1:7778 socksify ssh epic-bmc
The authenticity of host 'epic-bmc (0.0.0.1)' can't be established.
RSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? ^C
=====================================================================

Regards,
Jö.

--
Jorrit (Jö) Fahlke, Institute for Computational and Applied Mathematics, University of Münster, Orleans-Ring 10, D-48149 Münster
Tel: +49 251 83 35146 Fax: +49 251 83 32729

Fun with I18N. Here StumpWM/clisp:
WARNUNG: DEFUN/DEFMACRO(GET-WM-CLASS): #<PACKAGE XLIB> ist abgeschlossen.
Das Schloss umgehen und weitermachen.
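The placeholder-address trick Jö observes above, and the getaddrinfo() interception Carson mentions, sketched as an added Python example (not dante's, tsocks' or OpenSSH's code): a hypothetical FakeAddrBook hands out 0.0.0.x addresses per name, and the request builder sends the hostname (SOCKS5 ATYP 3) whenever connect() targets a placeholder, so the "ssh -D" server resolves the name instead of the client. The constant names, the class and both functions are our own; the wire format follows RFC 1928.

```python
import ipaddress
import struct

# SOCKS5 (RFC 1928) constants; the class/function names below are our own.
SOCKS_VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x01, 0x01, 0x03


class FakeAddrBook:
    """Hands out placeholder addresses (0.0.0.1, 0.0.0.2, ...) per hostname so a
    later connect() on one maps back to the name. Hypothetical, not dante code."""

    def __init__(self, base="0.0.0.1"):
        self._next = int(ipaddress.IPv4Address(base))
        self._by_name, self._by_ip = {}, {}

    def resolve(self, name):
        """What an intercepted getaddrinfo() would return for name."""
        if name not in self._by_name:
            ip = str(ipaddress.IPv4Address(self._next))
            self._next += 1
            self._by_name[name], self._by_ip[ip] = ip, name
        return self._by_name[name]

    def lookup(self, ip):
        return self._by_ip.get(ip)


def socks5_connect_request(book, ip, port):
    """CONNECT for an intercepted connect(ip, port): a placeholder goes out as the
    hostname (ATYP 3, resolved by the SOCKS server); anything else as IPv4 (ATYP 1)."""
    name = book.lookup(ip)
    if name is not None:
        host = name.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(host)]) + host
    else:
        body = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(ip).packed
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_target(req):
    """Decode (host, port) from a SOCKS5 CONNECT, as the proxy side would see it."""
    if req[:2] != bytes([SOCKS_VER, CMD_CONNECT]):
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    return host, struct.unpack("!H", rest[:2])[0]
```

With a literal address the request carries the IPv4 bytes, which is why a tsocks-style wrapper that resolves locally works for IPs but not for names that only the far side can resolve.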