Ivo Timmermans
2000-Sep-10  16:35 UTC
tinc SECURITY INFORMATION - Unauthorized access to VPN
Although we (the authors of tinc) have done our best to make tinc as secure as possible, an unfortunate combination of encryption and key exchange techniques has created a hole in at least all versions of tinc >= 0.3, including the current CVS version.

Exploit: If somebody can intercept the meta protocol to a host that is running a tinc daemon, it is possible to decrypt the passphrase, which can then be used to gain unauthorized access to the VPN, and become a part of it.

Workaround: Add firewall rules so that only trusted hosts can connect to the tinc daemon.

Fix: We are currently working on the implementation of a new protocol, with a different authentication scheme. We expect to have a working version in CVS around next weekend; we will release a new version (1.0pre3) when this becomes stable.

Guus Sliepen
Ivo Timmermans
While I don't normally consider myself a clueless newbie, I'm quite lost
with tinc right now.
Situation: the remote machine is the tinc server, let's say internet IP
148.94.168.23 (IPs changed to protect the guilty). Its name is Shire.
The local machine is the tinc client, internet IP 205.64.36.65. Its name is
Gondor.
Here are the tinc.confs:
Shire:
ListenPort = 8080
MyOwnVPNIP = 192.168.111.1/24
VpnMask = 255.255.255.0
TapDevice = /dev/tap0
Passphrases=/etc/tinc/passphrases
Gondor:
ConnectTo = 148.94.168.23
ConnectPort=8080
MyOwnVPNIP = 192.168.111.2/24
VpnMask = 255.255.255.0
Passphrases=/etc/tinc/passphrases/
TapDevice=/dev/tap0
Ifconfigs:

Shire:

eth0      Link encap:Ethernet  HWaddr 00:60:97:A2:00:34
          inet addr:148.94.168.23  Bcast:148.94.168.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1471912 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2228760 errors:0 dropped:0 overruns:0 carrier:1
          collisions:4035 txqueuelen:100
          Interrupt:11 Base address:0xe000

tap0      Link encap:Ethernet  HWaddr FD:F0:C0:A8:6F:01
          inet addr:192.168.111.1  Bcast:192.168.111.255  Mask:255.255.255.0
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:56 errors:0 dropped:0 overruns:0 frame:0
          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          Interrupt:5

Gondor:

eth0      Link encap:Ethernet  HWaddr 00:20:78:16:69:8B
          inet addr:205.64.36.65  Bcast:205.64.36.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:1340858 errors:0 dropped:0 overruns:0 frame:0
          TX packets:535249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:4259 txqueuelen:100
          Interrupt:17 Base address:0xef40

tap0      Link encap:Ethernet  HWaddr FD:F0:C0:A8:6F:02
          inet addr:192.168.111.2  Bcast:192.168.111.255  Mask:255.255.255.0
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          Interrupt:5
And routes:

Shire:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
148.94.168.23   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.111.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         148.94.168.1    0.0.0.0         UG    1      0        0 eth0

Gondor:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.111.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
205.64.36.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         205.64.36.1     0.0.0.0         UG    0      0        0 eth0
I can apparently create the connection just fine (snippets from the logs
coming in a second), but no data gets pushed. Each machine can ping
itself on the tap device just fine, but they can't ping each other.
Here's some /var/log/messages bits:
Shire:

Sep 11 19:56:18 shire tinc[31989]: tincd 1.0pre2 (Sep  8 2000 11:13:43) starting, debug level 2.
Sep 11 19:56:18 shire tinc[31989]: Generating 128 bits keys.
Sep 11 19:56:18 shire tinc[31989]: Ready: listening on port 8080.
Sep 11 19:56:35 shire tinc[31989]: Connection from 205.64.36.65:1609
Sep 11 19:56:36 shire tinc[31989]: Connection with 205.64.36.65 activated.
Sep 11 20:01:23 shire tinc[31989]: 192.168.111.2 wants to quit
Sep 11 20:05:32 shire tinc[31989]: Closing connection with 205.64.36.65.
Sep 11 20:09:26 shire tinc[31989]: Got TERM signal
Sep 11 20:09:26 shire tinc[31989]: Terminating.
Sep 11 20:09:26 shire tinc[31989]: Total bytes written: tap 5600, socket 4504; bytes read: tap 26280, socket 5376.

Gondor:

Sep 11 21:00:55 oddworld tinc[6729]: tincd 1.0pre2 (Sep  8 2000 12:03:59) starting, debug level 2.
Sep 11 21:00:55 oddworld tinc[6729]: Generating 128 bits keys.
Sep 11 21:00:55 oddworld tinc[6729]: Ready: listening on port 655.
Sep 11 21:00:55 oddworld tinc[6729]: Connected to 209.39.43.250:8080
Sep 11 21:00:59 oddworld tinc[6729]: Connection with 209.39.43.250 activated.
Sep 11 21:02:40 oddworld tinc[6729]: Got TERM signal
Sep 11 21:02:40 oddworld tinc[6729]: Terminating.
Sep 11 21:02:40 oddworld tinc[6729]: Total bytes written: tap 0, socket 1056; bytes read: tap 1100, socket 0.
What concerns me is the difference in bytes written lines.
I have both the netlink_dev and ethertap modules loaded.
Anyone have any ideas?
-
Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://ftp.nl.linux.org/pub/linux/tinc/
On Mon, 11 Sep 2000, Jason Ostermann wrote:

> tap0      Link encap:Ethernet  HWaddr FD:F0:C0:A8:6F:01
>           inet addr:192.168.111.1  Bcast:192.168.111.255
> tap0      Link encap:Ethernet  HWaddr FD:F0:C0:A8:6F:02
>           inet addr:192.168.111.2  Bcast:192.168.111.255

As I reviewed your original setup, I also saw that your MAC addresses are wrong. They should all start with FE:FD: instead of FD:F0:.

-------------------------------------------
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.warande.net>
-------------------------------------------
See also:
http://tinc.nl.linux.org/
http://www.kernelbench.org/
-------------------------------------------
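A worked example added by the editor, not code from tinc or from anyone in this thread, covering two points raised above: the advisory's workaround of letting only trusted hosts reach the tinc daemon, and Guus's remark that the ethertap MAC address has to start with FE:FD:. The peer addresses, interface names and ports are taken from or modelled on the thread and are illustrative only. The rule that the tap MAC is FE:FD: followed by the four octets of the node's VPN IP in hex is inferred from the addresses quoted in the thread (FD:F0:C0:A8:6F:01 ends in C0:A8:6F:01, which is 192.168.111.1) and is stated here as an assumption, as is the use of iptables syntax. The script only prints the firewall rules and the corrective ifconfig command; it applies nothing.

```shell
#!/bin/sh
# Added example (not tinc's own code). Two helpers for the problems in this
# thread: an allow-list for the tinc port, and a check of the tap device MAC.
# Assumptions: iptables rule syntax; tap MAC = fe:fd + the VPN IP's octets.

# is_ipv4 ADDR[/PREFIX]: succeed if ADDR is a dotted quad (each octet 0-255,
# no leading zeros) with an optional prefix length 0-32.
is_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32               # no "/" given
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# tinc_allow_rules PORT IFACE PEER...: print iptables rules that accept the
# tinc port (TCP for the meta protocol, UDP as well) only from the listed
# peers and drop everything else arriving on that port via IFACE.
tinc_allow_rules() {
    [ $# -ge 3 ] || { echo "usage: tinc_allow_rules PORT IFACE PEER..." >&2; return 1; }
    port=$1; iface=$2; shift 2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    for peer in "$@"; do                            # validate before emitting
        is_ipv4 "$peer" || { echo "bad peer: $peer" >&2; return 1; }
    done
    for peer in "$@"; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -i %s -p %s --dport %s -s %s -j ACCEPT\n' \
                "$iface" "$proto" "$port" "$peer"
        done
    done
    for proto in tcp udp; do                        # default deny comes last
        printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP\n' \
            "$iface" "$proto" "$port"
    done
}

# vpn_ip_to_tap_mac VPN_IP: print the MAC the tap device is expected to carry,
# fe:fd followed by the IP's four octets in hex (assumed convention).
vpn_ip_to_tap_mac() {
    case $1 in */*) return 1 ;; esac                # a host address, not a prefix
    is_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf 'fe:fd:%02x:%02x:%02x:%02x\n' "$1" "$2" "$3" "$4"
}

# check_tap_mac ACTUAL_MAC VPN_IP [DEV]: succeed if the MAC matches the VPN IP;
# on mismatch print the ifconfig command that would correct it (not run).
check_tap_mac() {
    want=$(vpn_ip_to_tap_mac "$2") || return 2
    have=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ "$have" = "$want" ] && return 0
    printf 'MAC %s does not match VPN IP %s; expected %s\n' "$1" "$2" "$want" >&2
    printf 'fix: ifconfig %s hw ether %s\n' "${3:-tap0}" "$want" >&2
    return 1
}

# Stand-alone usage (arguments are constructed examples from the thread):
#   sh tinc-check.sh rules 8080 eth0 205.64.36.65
#   sh tinc-check.sh mac FD:F0:C0:A8:6F:01 192.168.111.1 tap0
case ${1-} in
    rules) shift; tinc_allow_rules "$@" ;;
    mac)   shift; check_tap_mac "$@" ;;
esac
```

Run `sh tinc-check.sh rules 655 eth0 PEER...` on the tinc host and review the output before piping it to a root shell; the DROP rules are printed after the ACCEPT rules so that the order is correct when appended in sequence. The MAC check reads nothing from the system; feed it the HWaddr shown by ifconfig and the VPN IP from MyOwnVPNIP, and it tells you whether the interface needs `ifconfig tapN hw ether fe:fd:...`.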