Re: [OpenIndiana-discuss] Does OpenIndiana's sshd obey TCP wrappers?

2018-12-28 Thread Hubert Garavel


>> But I tried as you suggested, and managed to start sshd via inetd.
>> The trick is to use inetconv and to run "sshd -i". I can provide
>> detailed explanations on request.
>
> Provide instructions here on the list, please. It may be useful to have
> the knowledge at some point.

OK. I still insist that TCP wrappers should be effective even
if OpenSSH is not started by inetd. This would make OpenIndiana
compatible with Oracle Solaris, where sshd is always protected
by the TCP wrappers ("The Secure Shell (ssh) and sendmail features
of Oracle Solaris are configured to use TCP wrappers").
https://docs.oracle.com/cd/E37838_01/html/E61019/sec-net.html

-o-o-o-o-o-o-o-

These are instructions to start OpenSSH via inetd.

The reservations found in the Oracle manual page about sshd being too
slow when started via inetd (see option "-i") seem only relevant for
SSH v1, not SSH v2. The manual page is probably obsolete on this
point.

The standard SSH service started by svc.startd is named
svc:/network/ssh:default. The new SSH service started by inetd
will be named svc:/network/ssh/tcp:default (i.e., "ssh/tcp"
rather than "ssh").

0) Make sure that "ssh" is declared in /etc/services and "sshd"
   in /etc/passwd.

1) Stop the old service
   svcadm disable svc:/network/ssh

2) Create a temporary file /tmp/inetd.ssh containing only one line:
ssh stream tcp nowait root /usr/lib/ssh/sshd sshd -i
   See "man -s 4 inetd.conf" for explanations.

   Note: ideally, "root" should be replaced by "sshd" to get
   privilege separation, and roles should be used. Not done,
   as I think that protecting OpenSSH with TCP wrappers even
   when it is called without option -i will solve the issue
   and avoid launching sshd via inetd.

3) Run the command
inetconv -i /tmp/inetd.ssh
   which creates the following manifest file
/lib/svc/manifest/network/ssh-tcp.xml

4) Enable the new SSH service

inetadm -e svc:/network/ssh/tcp:default

5) Refresh the inetd service:

svcadm refresh inetd

6) Check that the new service is ok

inetadm -l /network/ssh/tcp

   In particular, tcp_wrappers should be TRUE if TCP
   wrappers have been set properly for inetd.





___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] web proxy server w/SSL/TLS termination (on OI)

2018-12-28 Thread Jerry Kemp
Thank you, that does seem to be an interesting twist on my plan.

Jerry


 Original Message 
From: Matjaž M
Sent: Fri, Dec 28, 2018 3:17 PM CST
To: Discussion list for OpenIndiana
Subject: [OpenIndiana-discuss] web proxy server w/SSL/TLS termination (on OI)

Hi Jerry,

perhaps you could take a look at this:

https://github.com/tenox7/wrp 

It is a proxy that renders the website in gif/png/jpeg with clickable imagemap 
for links. Its intent is to make older browsers
usable on modern internet (modern html/css, encryption …)

Here is a blog post about it:

https://virtuallyfun.com/wordpress/2014/03/11/web-rendering-proxy-update/


Cheers, Matjaz




Re: [OpenIndiana-discuss] web proxy server w/SSL/TLS termination (on OI)

2018-12-28 Thread Matjaž M
Hi Jerry,

perhaps you could take a look at this:

https://github.com/tenox7/wrp 

It is a proxy that renders the website in gif/png/jpeg with clickable imagemap 
for links. Its intent is to make older browsers usable on modern internet 
(modern html/css, encryption …)

Here is a blog post about it:

https://virtuallyfun.com/wordpress/2014/03/11/web-rendering-proxy-update/ 


Cheers, Matjaz

> On 22 Dec 2018, at 00:18, Jerry Kemp  wrote:
> 
> among other things, I have a personal collection in my home of old 
> workstations (SGI Irix boxes and earlier Sun workstations), older
> Macs, etc.  For example, a recent acquisition was a Sun SPARCserver 1000e 
> system (Sun4d), with several external drive units.  Pics here:
> 
> 
> 
> As most of you are aware, the web as we know it, continues to become 
> increasingly encrypted, with older, commonly used protocols
> such as SSLv3 being deprecated in favor of TLS 1.2, 1.3 and beyond.
> 
> I would like to be able to do some basic web surfing on these older boxes.  
> Emphasis on basic.  The reality is, it's very unlikely
> that anyone will ever compile a newer browser for my old stuff, and, I doubt 
> it would have the encryption/decryption horsepower to
> do so, even if modern browser software were available.
> 
> What I'm looking at doing is setting up a web proxy, and, having that web 
> proxy also do the SSL/TLS termination.  Ideally, this
> proxy software would run on OI.
> 
> As expected of anyone here, making a similar request, I did do some homework, 
> and it seems that there are several pieces of Unix
> open-source software that perform this function.   This is just one 
> particular hit, but, sharing it as it has a nice summary list of
> software that has this capability:
> 
> 
> 
> full disclaimer:  This is not for a business, it's just for me, in my home. I 
> have no intentions of doing Internet banking or
> anything else questionable.  Just want to be able to do some basic web 
> surfing, download source code, etc.
> 
> Specifically, I'm solely wondering if anyone here has already done something 
> like this, and, if so, is there any software in
> particular you might recommend, or, recommend avoiding.   I'm basically just 
> looking for software recommendations, from there, I can
> run with the compile+technicals.  As commented earlier, whatever software I 
> use would need to compile+run on OI.
> 
> Thanks,
> 
> Jerry
> 
> 
> 


Re: [OpenIndiana-discuss] Does OpenIndiana's sshd obey TCP wrappers?

2018-12-28 Thread Michal Nowak

On 12/28/18 06:30 PM, Hubert Garavel wrote:

> Hello Michal,
>
>> looking at the patch which restores tcp-wrapper support in OpenSSH
>> (upstream removed it in v6.7), it seems to me that tcp-wrapper is used
>> only when sshd was started via inetd.
>
> Thanks for the info, this was helpful. On Oracle Solaris 10, the TCP
> wrappers are active even when sshd is not started via inetd.
>
>> Did you try that? (As I don't know
>> how to do that, I can't verify this assumption.)
>
> I did not try this at once, since Oracle seems to discourage this
> in its sshd manual page ("sshd is normally not run from inetd...")
> https://docs.oracle.com/cd/E86824_01/html/E54764/sshd-1m.html
>
> But I tried as you suggested, and managed to start sshd via inetd.
> The trick is to use inetconv and to run "sshd -i". I can provide
> detailed explanations on request.

Provide instructions here on the list, please. It may be useful to have
the knowledge at some point.

Thanks,
Michal

> So doing, the TCP wrappers become functional.
>
> However, at the moment it works if sshd runs as root (i.e., no
> privilege separation). But it may be possible to do better using
> roles.
>
>> Is anyone using tcp-wrapper support in OpenSSH?
>
> The TCP wrappers are a simple yet effective protection.
> OpenSSH has no replacement for it, and IPFilter is much less
> easy to set up. There have been reasonable objections when OpenSSH
> dropped support for TCP wrappers, see e.g.
> https://marc.info/?l=openssh-unix-dev&m=139824330203546&w=4
>
>> Unless someone speaks up, I am inclined to remove the tcp-wrapper
>> support restoration patch (as OmniOS did).
>
> Instead, I would suggest:
>  (1) to keep support for the TCP wrapper,
> and
>  (2) to generalize this support to the case where sshd is not started
> via inetd.
>
> This would solve the issue properly.
>
> Best,








Re: [OpenIndiana-discuss] Does OpenIndiana's sshd obey TCP wrappers?

2018-12-28 Thread Hubert Garavel
Hello Michal,

> looking at the patch which restores tcp-wrapper support in OpenSSH 
> (upstream removed it in v6.7), it seems to me that tcp-wrapper is used 
> only when sshd was started via inetd. 

Thanks for the info, this was helpful. On Oracle Solaris 10, the TCP
wrappers are active even when sshd is not started via inetd.

> Did you try that? (As I don't know 
> how to do that, I can't verify this assumption.)

I did not try this at once, since Oracle seems to discourage this
in its sshd manual page ("sshd is normally not run from inetd...")
https://docs.oracle.com/cd/E86824_01/html/E54764/sshd-1m.html

But I tried as you suggested, and managed to start sshd via inetd.
The trick is to use inetconv and to run "sshd -i". I can provide
detailed explanations on request.

So doing, the TCP wrappers become functional.

However, at the moment it works if sshd runs as root (i.e., no
privilege separation). But it may be possible to do better using
roles.

> Is anyone using tcp-wrapper support in OpenSSH?

The TCP wrappers are a simple yet effective protection.
OpenSSH has no replacement for it, and IPFilter is much less
easy to set up. There have been reasonable objections when OpenSSH
dropped support for TCP wrappers, see e.g.
https://marc.info/?l=openssh-unix-dev&m=139824330203546&w=4

> Unless someone speaks up, I am inclined to remove the tcp-wrapper 
> support restoration patch (as OmniOS did).

Instead, I would suggest:
(1) to keep support for the TCP wrapper,
and
(2) to generalize this support to the case where sshd is not started
via inetd.

This would solve the issue properly.

Best,





Re: [OpenIndiana-discuss] Does OpenIndiana's sshd obey TCP wrappers?

2018-12-28 Thread Michal Nowak

On 12/23/18 11:39 AM, Hubert Garavel wrote:


By default, support for TCP wrappers was removed from  OpenSSH, unless
it is compiled with the proper option. This seems to be indeed the case
for OI's sshd:

# ldd /usr/lib/ssh/sshd
libwrap.so.1 =>  /usr/lib/64/libwrap.so.1

However, after setting "/etc/hosts.deny" to "ALL: ALL" and
"/etc/hosts.allow" to a single line "sendmail: localhost",
sshd still accepts incoming connections from other hosts,
whereas such incoming SSH connections should be blocked by
the TCP wrappers.

Any idea?


Hello Hubert,

looking at the patch which restores tcp-wrapper support in OpenSSH 
(upstream removed it in v6.7), it seems to me that tcp-wrapper is used 
only when sshd was started via inetd. Did you try that? (As I don't know 
how to do that, I can't verify this assumption.)


Is anyone using tcp-wrapper support in OpenSSH?

Unless someone speaks up, I am inclined to remove the tcp-wrapper 
support restoration patch (as OmniOS did).


Michal

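As an added illustration (not code from this thread, from OpenSSH or from libwrap), the following Python model reproduces the access decision that TCP wrappers apply to the files Hubert describes above (hosts.deny "ALL: ALL", hosts.allow "sendmail: localhost"), and to the tcp_wrappers=TRUE inetd case from the instructions earlier in the thread. It assumes the daemon name sshd presents to libwrap is "sshd", the sample file contents and peer addresses are constructed, and the helper names are mine.

```python
import ipaddress

# Constructed sample files mirroring the configuration described in the thread
# (assumed to be the complete contents; real files may also carry options).
HOSTS_ALLOW = "sendmail: localhost\n"
HOSTS_DENY = "ALL: ALL\n"


def _parse(text):
    """Yield (daemon_list, client_list) per rule; comments and blank lines skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # blank or malformed line (no client list); options field ignored
        yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split()


def _client_match(pattern, host, addr):
    """One client pattern against the peer's (hostname, address), per hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":           # any host name without a dot, e.g. "localhost"
        return "." not in host
    if pattern.startswith("."):      # domain suffix, e.g. ".example.org"
        return host.endswith(pattern)
    if pattern.endswith("."):        # address prefix, e.g. "192.0.2."
        return addr.startswith(pattern)
    if "/" in pattern:               # net/mask, dotted-quad mask or CIDR length
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)   # literal host name or address


def _list_match(patterns, pred):
    """Match a daemon or client list, honouring the EXCEPT operator."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _list_match(patterns[:i], pred) and not _list_match(patterns[i + 1:], pred)
    return any(pred(p) for p in patterns)


def access_allowed(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a request matching neither file is granted."""
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients in _parse(text):
            if (_list_match(daemons, lambda p: p in ("ALL", daemon))
                    and _list_match(clients, lambda p: _client_match(p, host, addr))):
                return verdict
    return True
```

With the files as configured, `access_allowed("sshd", "remote.example.org", "192.0.2.10")` is False and `access_allowed("sendmail", "localhost", "127.0.0.1")` is True, which is the behaviour Hubert expected and did not observe until sshd was run under inetd.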


Re: [OpenIndiana-discuss] web proxy server w/SSL/TLS termination (on OI)

2018-12-28 Thread Jonathan Adams
Hi,

We use Squid on OI, and it works well, but I don't think you'll be able to
do what you want with your older SPARC kit.

When the browser connects to SSL, it opens up a tunnel through the proxy,
over HTTP, and the browser still does all the work of TLS/SSL ...

Unless you're going to accelerate each individually named host, via
something like the Apache HTTPD accelerator, I don't think you'll be able
to do what you want.

Jon

On Mon, 24 Dec 2018 at 21:19, Tim Mooney  wrote:

> In regard to: [OpenIndiana-discuss] web proxy server w/SSL/TLS
> termination...:
>
> > I would like to be able to do some basic web surfing on these older
> > boxes.
>
> TLS is going to be just one of the issues you encounter.  Poor or missing
> support for HTML 5, CSS, and JavaScript in older browsers are going to be
> an impediment too.
>
> > What I'm looking at doing is setting up a web proxy, and, having that
> > web proxy also do the SSL/TLS termination.  Ideally, this proxy software
> > would run on OI.
>
> Ok, you're talking about a *forward* proxy.
>
> A TLS or SSL terminating proxy is more often used in a reverse proxy
> config, but as the wiki article you linked mentions, there are reasons
> to do encryption termination even with a forward proxy.
>
> I have a bunch of experience with reverse proxies, but not much with
> forward proxies.
>
> Still, if I were trying to do what you're trying, I would start with
> Apache httpd.  It supports forward proxying, there's a ton of
> documentation on Apache httpd, and a recent version is part of OI.
> Some googling makes it look like forward proxying is (like reverse
> proxying) pretty easy to set up:
>
> https://theheat.dk/blog/?p=929
>
> The thing to be very careful with is restricting access, so that your
> system doesn't become an open web proxy.  Any documentation on forward
> proxying with httpd will likely stress that.
>
> Good luck!
>
> Tim
> --
> Tim Mooney tim.moo...@ndsu.edu
> Enterprise Computing & Infrastructure  701-231-1076 (Voice)
> Room 242-J6, Quentin Burdick Building  701-231-8541 (Fax)
> North Dakota State University, Fargo, ND 58105-5164
>