Problem with stunnel/rsync & tcp_wrappers under cygwin
devzero@web.de
devzero@web.de
Wed Feb 26 02:20:00 GMT 2014
Hi,
i have a strange problem with tcp_wrappers in conjunction with stunnel cygwin port. (cc`ing stunnel cygwin maintainer because of that).
I`m trying to secure an rsync which is started in daemon-mode in an inetd-style via stunnel. I`m on Win8 64Bit with a recent 64bit Cygwin installation.
When i put rsync: ALL in "/etc/hosts.allow" all is fine, but when i try to restrict connection to a single IP-Adress it doesn`t work. I spent some time on this but i don`t get this working.
See the log snippets below this mail.
successful connection looks like this:
2014.02.23 12:36:22 LOG7[16424:25770120176]: Released libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Service [rsync] permitted by libwrap from 192.168.0.116:60222
2014.02.23 12:36:22 LOG5[16424:25770120176]: Service [rsync] accepted connection from 192.168.0.116:60222
unsuccessful connection looks like this:
2014.02.23 12:34:34 LOG7[17800:25770120176]: Released libwrap process #0
2014.02.23 12:34:34 LOG4[17800:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60221
2014.02.23 12:34:34 LOG7[17800:25770120176]: See hosts_access(5) manual for details
Afaik, tcpwrappers only checks for IP-address , not source port - correct ?
I`m curious about IP:PORT in the logs.
I`m no programmer, but if i get this right, the "accepted_address" is being passed to libwrap to be checked for authentication and libwrap tells if connection is permitted or not. So, i`m curious why "accepted_address" seems to contain IP:PORT where it should possibly only contain "IP".
from the stunnel sources:
client.c
---snipp---
/* authenticate based on retrieved IP address of the client */
accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len);
#ifdef USE_LIBWRAP
libwrap_auth(c, accepted_address);
#endif /* USE_LIBWRAP */
auth_user(c, accepted_address);
s_log(LOG_NOTICE, "Service [%s] accepted connection from %s",
c->opt->servname, accepted_address);
str_free(accepted_address);
}
---snipp---
libwrap.c
---snipp---
#endif /* USE_PTHREAD */
{ /* use original, synchronous libwrap calls */
enter_critical_section(CRIT_LIBWRAP);
result=check(c->opt->servname, c->local_rfd.fd);
leave_critical_section(CRIT_LIBWRAP);
}
if(!result) {
s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
c->opt->servname, accepted_address);
s_log(LOG_DEBUG, "See hosts_access(5) manual for details");
longjmp(c->err, 1);
}
s_log(LOG_DEBUG, "Service [%s] permitted by libwrap from %s",
c->opt->servname, accepted_address);
}
---snipp---
Bug ?
I`m out of ideas otherwise...
regards
Roland
stunnel.exe info:
2014.02.23 12:36:16 LOG7[16424:25769803872]: Clients allowed=125
2014.02.23 12:36:16 LOG5[16424:25769803872]: stunnel 4.56 on x86_64-unknown-cygwin platform
2014.02.23 12:36:16 LOG5[16424:25769803872]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
2014.02.23 12:36:16 LOG5[16424:25769803872]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP Auth:LIBWRAP
2014.02.23 12:36:16 LOG5[16424:25769803872]: Reading configuration from file /etc/stunnel/stunnel.conf
This one works:
$ cat /etc/hosts.allow
rsync: ALL
stunnel log:
2014.02.23 12:36:22 LOG7[16424:25770120176]: Acquired libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Releasing libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Released libwrap process #0
2014.02.23 12:36:22 LOG7[16424:25770120176]: Service [rsync] permitted by libwrap from 192.168.0.116:60222
2014.02.23 12:36:22 LOG5[16424:25770120176]: Service [rsync] accepted connection from 192.168.0.116:60222
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): before/accept initialization
2014.02.23 12:36:22 LOG7[16424:25770120176]: SNI: no virtual services defined
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 read client hello A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write server hello A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write certificate A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write key exchange A
2014.02.23 12:36:22 LOG7[16424:25770120176]: SSL state (accept): SSLv3 write certificate request A
All of the following ones do NOT work
$ cat /etc/hosts.allow
rsync: 192.168.0.116
2014.02.23 11:48:01 LOG5[17800:25769803872]: Configuration successful
2014.02.23 11:48:01 LOG7[17800:25769803872]: Service [rsync] (FD=11) bound to 0.0.0.0:1873
2014.02.23 11:48:01 LOG7[17800:25769803872]: Created pid file /var/run/stunnel.pid
2014.02.23 12:34:34 LOG7[17800:25769803872]: Service [rsync] accepted (FD=3) from 192.168.0.116:60221
2014.02.23 12:34:34 LOG7[17800:25770120176]: Service [rsync] started
2014.02.23 12:34:34 LOG7[17800:25770120176]: Waiting for a libwrap process
2014.02.23 12:34:34 LOG7[17800:25770120176]: Acquired libwrap process #0
2014.02.23 12:34:34 LOG7[17800:25770120176]: Releasing libwrap process #0
2014.02.23 12:34:34 LOG7[17800:25770120176]: Released libwrap process #0
2014.02.23 12:34:34 LOG4[17800:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60221
2014.02.23 12:34:34 LOG7[17800:25770120176]: See hosts_access(5) manual for details
2014.02.23 12:34:34 LOG5[17800:25770120176]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.02.23 12:34:34 LOG7[17800:25770120176]: Local socket (FD=3) closed
2014.02.23 12:34:34 LOG7[17800:25770120176]: Service [rsync] finished (0 left)
2014.02.23 12:34:34 LOG7[17800:25770120176]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2014.02.23 12:36:15 LOG7[17800:25769803872]: Dispatching signals from the signal pipe
$ cat /etc/hosts.allow
rsync: 192.168.0.116 : allow
2014.02.23 12:44:36 LOG7[5248:25770120176]: Waiting for a libwrap process
2014.02.23 12:44:36 LOG7[5248:25770120176]: Acquired libwrap process #0
2014.02.23 12:44:36 LOG7[5248:25770120176]: Releasing libwrap process #0
2014.02.23 12:44:36 LOG7[5248:25770120176]: Released libwrap process #0
2014.02.23 12:44:36 LOG4[5248:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60223
2014.02.23 12:44:36 LOG7[5248:25770120176]: See hosts_access(5) manual for details
2014.02.23 12:44:36 LOG5[5248:25770120176]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.02.23 12:44:36 LOG7[5248:25770120176]: Local socket (FD=3) closed
2014.02.23 12:44:36 LOG7[5248:25770120176]: Service [rsync] finished (0 left)
2014.02.23 12:44:36 LOG7[5248:25770120176]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
$ cat /etc/hosts.allow
rsync: 192.168.0.116/32 : allow
2014.02.23 12:46:02 LOG7[10392:25770120176]: Service [rsync] started
2014.02.23 12:46:02 LOG7[10392:25770120176]: Waiting for a libwrap process
2014.02.23 12:46:02 LOG7[10392:25770120176]: Acquired libwrap process #0
2014.02.23 12:46:02 LOG7[10392:25770120176]: Releasing libwrap process #0
2014.02.23 12:46:02 LOG7[10392:25770120176]: Released libwrap process #0
2014.02.23 12:46:02 LOG4[10392:25770120176]: Service [rsync] REFUSED by libwrap from 192.168.0.116:60224
2014.02.23 12:46:02 LOG7[10392:25770120176]: See hosts_access(5) manual for details
2014.02.23 12:46:02 LOG5[10392:25770120176]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2014.02.23 12:46:02 LOG7[10392:25770120176]: Local socket (FD=3) closed
2014.02.23 12:46:02 LOG7[10392:25770120176]: Service [rsync] finished (0 left)
2014.02.23 12:46:02 LOG7[10392:25770120176]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
$ cat /etc/stunnel/stunnel.conf
client = no
foreground = yes
#setuid = root
#setgid = root
#
pid = /var/run/stunnel.pid
debug = 7
output = /var/log/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_LINGER=1:60
[rsync]
accept = 1873
cert = /etc/stunnel/stunnel.pem
client = no
verify = 0
libwrap = yes
exec = /usr/bin/rsync
execargs = rsync --daemon --config /etc/rsync-ssl/rsync-ssl.conf
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list