Good day to all. Faced with the need to configure SOCKS5, I found that on the Internet, and on Habr in particular, articles on setting up authorization for dante-server use the “username” method.
This method is not safe at all. This has been written about more than once, and many comparisons have been made with 3proxy, which uses a separate password file for authorization. Anyone interested in implementing this feature in Dante, read on.
I will not describe the installation and basic settings; there are plenty of articles about that, and there is nothing difficult in them. I will only cover the topic of a separate password file. All commands are given for Ubuntu, but doing the same on other distributions is not difficult either.
Note that for this functionality Dante must be built with PAM support. In the installation articles this is indicated by the following line appearing in the source configuration status:
PAM: Enabled
If you install a package from the repository, then PAM is already in its dependencies.
So, first we need additional components:
aptitude install libpam-pwdfile
The libpam-pwdfile package provides authentication against a separate file in /etc/passwd format.
After installation, edit the file /etc/pam.d/sockd:
nano /etc/pam.d/sockd
Enter the following into the file:
auth required pam_pwdfile.so pwdfile ${DIR_FOR_PASSWD_FILE}/sockd.passwd
account required pam_permit.so
Here we set the password file for our service. Replace ${DIR_FOR_PASSWD_FILE} with the directory where the password file will be kept (for example /opt/dante).
The password file itself has the format of the /etc/passwd file: a separate line for each user, with fields separated by colons. The first field is the username, the second is the hashed password.
SomeUser:$1$1bhzkYnM$cfYSzS9Vx17AypWYAnnhn0
Encrypted passwords can be obtained using the mkpasswd utility from the whois package as follows:
mkpasswd --method=md5 SomeStrongPassword
Now that everything is prepared, all that remains is to enable the corresponding authorization method in Dante. To do this, edit your /etc/sockd.conf file and change the following line:
socksmethod: username
to this:
socksmethod: pam.username
Restart Dante, and authorization now works against a separate password file.
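A check worth running on the finished password file, as an added example that is not part of the original article: it audits a pam_pwdfile-style file for group/other access, malformed or duplicate entries, and hash schemes that are fast to brute-force if the file leaks. The function names, the choice of flagged schemes and the sample in the demo are this example's own assumptions; whether a stronger scheme can be used depends on the installed pam_pwdfile and libc.

```python
import os
import stat

# crypt(3) hash prefixes; "$1$" is what `mkpasswd --method=md5` produces.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2b$": "bcrypt", "$y$": "yescrypt"}
FLAGGED = {"md5crypt", "des-crypt", "unknown"}  # assumption: this example's policy

def scheme_of(hash_field):
    """Name the crypt(3) scheme from the hash prefix."""
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    # 13 characters without a "$" prefix is traditional DES crypt
    return "des-crypt" if len(hash_field) == 13 else "unknown"

def audit_pwfile(path):
    """Return a list of findings for a user:hash password file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} is accessible to group/other")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line:
                continue
            user, sep, rest = line.partition(":")
            hash_field = rest.split(":", 1)[0]  # ignore any further fields
            if not sep or not user or not hash_field:
                findings.append(f"line {lineno}: malformed entry or empty password field")
                continue
            if user in seen:
                findings.append(f"line {lineno}: duplicate user {user!r}")
            seen.add(user)
            scheme = scheme_of(hash_field)
            if scheme in FLAGGED:
                findings.append(f"line {lineno}: user {user!r} uses {scheme} hash")
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample: the article's example entry in a world-readable file.
    with tempfile.NamedTemporaryFile("w", suffix=".passwd", delete=False) as tmp:
        tmp.write("SomeUser:$1$1bhzkYnM$cfYSzS9Vx17AypWYAnnhn0\n")
    os.chmod(tmp.name, 0o644)
    print("\n".join(audit_pwfile(tmp.name)))
    os.unlink(tmp.name)
```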
PS
The PAM service name used by Dante by default is sockd. If you want to use a libpam_pwdfile configuration file from another configured service, or use several configurations, you can use the pamservicename directive in the Dante configuration file. Usage example:
client pass { from: 0.0.0.0/0 to: 0.0.0.0/0
For a more complete understanding of this directive, I recommend referring to the Dante documentation, linked below.
Materials used:
Dante documentation. PAM Authentication.
Description of the libpam-pwdfile module on GitHub