socks5 support

Michael Robinton michael at bizsystems.com
Sat May 11 12:27:33 EST 2002


> Winton--
>
>     Excellent!  Absolutely wonderful.
>
>     I'm wondering which apps/encapsulators support 4A?  This gets me
> around the DNS leakage problem quite nicely.
>
>     Incidentally, we do need SOCKS5 support -- if for no other reason,
> the fact that there's *operating system* level support in OSX for SOCKS5
> redirection.  So OpenSSH can become a completely transparent VPN
> system in OSX w/ SOCKS5.
>
>     Even without OSX, a decent number of apps only support SOCKS5
> proxying.
>

Good luck. I sent in a patch for socks5 support back in October of last
year and got blown out of the water by the "developers".

The patch consists of three files:

 README.patch
 patch_Applied-2-openssh-2.9.9p2.diff
 do_configure.sh

which you will find attached :-)

The one drawback I saw when rummaging around in the openssh code is that
it is nicely set up to support IPv6, but the SOCKS code only works for
IPv4. The SOCKS support is identical to that supplied in the pre-openssh
ssh-1.2.xx code. I have not tested the SOCKS4 support.

Michael
-------------- next part --------------

--with-socks5 patch

apply the patch
regenerate config.h.in

autoheader configure.in > config.h.in

regenerate configure

autoconf configure.in > configure

then configure the build (this example is for Linux):

#!/bin/sh
# Example ./configure invocation for a Linux build with SOCKS5 support.
# CFLAGS is set only in the environment of ./configure; the calling shell
# is left untouched.
default_path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin/i386-slackware-linux

CFLAGS='-O2 -Wall' ./configure \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --without-pam \
    --with-md5-passwords \
    --with-tcp-wrappers \
    --with-socks5 \
    --disable-scp-stats \
    --with-default-path="$default_path"

this script can be found in
do_configure.sh
-------------- next part --------------
#!/bin/sh
# Example ./configure invocation for a Linux build with SOCKS5 support.
# CFLAGS is set only in the environment of ./configure; the calling shell
# is left untouched.
default_path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin/i386-slackware-linux

CFLAGS='-O2 -Wall' ./configure \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --without-pam \
    --with-md5-passwords \
    --with-tcp-wrappers \
    --with-socks5 \
    --disable-scp-stats \
    --with-default-path="$default_path"
-------------- next part --------------
diff -u openssh-2.9.9p2.old/acconfig.h openssh-2.9.9p2/acconfig.h
--- openssh-2.9.9p2.old/acconfig.h	Thu Sep 20 12:43:41 2001
+++ openssh-2.9.9p2/acconfig.h	Sat Oct  6 17:44:07 2001
@@ -111,6 +111,9 @@
  * message at run-time. */
 #undef RSAREF
 
+/* Define to disable scp statistics */
+#undef DISABLE_SCP_STATISTICS
+
 /* struct timeval */
 #undef HAVE_STRUCT_TIMEVAL
 
@@ -332,6 +335,30 @@
 
 /* Define if you want smartcard support */
 #undef SMARTCARD
+
+/* The code in sshconnect.c is written for SOCKS4. If SOCKS5 should be used
+   these needs redefining */
+#undef Rconnect
+#undef Rgetsockname
+#undef Rgetpeername
+#undef Rbind
+#undef Raccept
+#undef Rlisten
+#undef Rselect
+#undef Rrecvfrom
+#undef Rsendto
+#undef Rrecv
+#undef Rsend
+#undef Rread
+#undef Rwrite
+#undef Rrresvport
+#undef Rshutdown
+#undef Rlisten
+#undef Rclose
+#undef Rdup
+#undef Rdup2
+#undef Rfclose
+#undef Rgethostbyname
 
 @BOTTOM@
 
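Review bot: `#undef Rlisten` appears twice in this list, and the matching `AC_DEFINE(Rlisten,SOCKSlisten)` in the configure.in hunk is duplicated the same way; drop the second occurrence in both places so the two lists stay in step. The introductory comment is also ungrammatical and does not say which files rely on these names; something like `/* sshconnect.c and channels.c call the SOCKS4-style R* wrappers; for SOCKS5 configure redefines them to the SOCKS* names. */` would tell a maintainer why twenty undefs are sitting in acconfig.h.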
diff -u openssh-2.9.9p2.old/channels.c openssh-2.9.9p2/channels.c
--- openssh-2.9.9p2.old/channels.c	Mon Sep 17 22:53:12 2001
+++ openssh-2.9.9p2/channels.c	Sat Oct  6 17:09:30 2001
@@ -2481,7 +2481,12 @@
 		struct hostent *he;
 		struct in_addr my_addr;
 
+#if defined(SOCKS5)
+		he = Rgethostbyname(hostname);
+#else
+
 		he = gethostbyname(hostname);
+#endif
 		if (he == NULL) {
 			error("[X11-broken-fwd-hostname-workaround] Could not get "
 				"IP address for hostname %s.", hostname);
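Review bot: This guard tests `SOCKS5` while the sshconnect.c hunks test `SOCKS` (and includes.h again tests `SOCKS5`), so a `--with-socks4` build, where configure defines only SOCKS and SOCKS4, routes connect() through the SOCKS library but still resolves this X11-forwarding hostname with plain gethostbyname() — the DNS leakage the surrounding thread is trying to avoid. Configure only maps `Rgethostbyname` for the SOCKS5 case, so if the SOCKS4 library also provides that call, `#if defined(SOCKS)` would make the files consistent; if it does not, the IPv4/SOCKS4 limitation deserves a comment on the `#if` rather than a silent fallback. The stray blank line inside the `#else` branch should go. The enclosing function starts and ends outside the hunk.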
diff -u openssh-2.9.9p2.old/configure.in openssh-2.9.9p2/configure.in
--- openssh-2.9.9p2.old/configure.in	Tue Sep 25 15:39:38 2001
+++ openssh-2.9.9p2/configure.in	Sat Oct  6 17:41:54 2001
@@ -480,6 +480,141 @@
 	]
 )
 
+dnl checkfor SOCKS support
+AC_MSG_CHECKING(whether to support SOCKS)
+AC_ARG_WITH(socks,
+	[  --with-socks            Build with SOCKS firewall support.],
+	[ case "$withval" in
+  no)            
+	AC_MSG_RESULT(no)
+	;;           
+  yes)           
+	AC_MSG_RESULT(yes)
+	AC_CHECK_LIB(socks5, SOCKSconnect, [
+            socks=5
+            LIBS="-lsocks5 $LIBS"], [
+        AC_CHECK_LIB(socks, Rconnect, [
+            socks=4
+            LIBS="-lsocks $LIBS"], [
+                AC_MSG_ERROR(SOCKS library missing.  You must first install socks.) ] ) ] )
+    ;;
+  esac ],        
+	AC_MSG_RESULT(no)
+)                
+
+if test "x$socks" = "x"; then
+        AC_MSG_CHECKING(whether to support SOCKS5)
+        AC_ARG_WITH(socks5,
+        [  --with-socks5[=PATH]    Build with SOCKS5 firewall support.],
+        [ case "$withval" in
+  no)    
+	AC_MSG_RESULT(no)
+        ;;   
+  *)     
+	AC_MSG_RESULT(yes)
+            socks=5
+            if test "x$withval" = "xyes"; then
+              withval="-lsocks5"
+            else 
+              if test -d "$withval"; then
+                if test -d "$withval/include"; then
+                  CFLAGS="$CFLAGS -I$withval/include"
+                else
+                  CFLAGS="$CFLAGS -I$withval"
+                fi
+                if test -d "$withval/lib"; then
+                  withval="-L$withval/lib -lsocks5"
+                else
+                  withval="-L$withval -lsocks5"
+                fi
+              fi 
+            fi   
+            LIBS="$withval $LIBS"
+            # If Socks was compiled with Kerberos support, we will need
+            # to link against kerberos libraries.  Temporarily append
+            # to LIBS.  This is harmless if there is no kerberos support.
+            TMPLIBS="$LIBS"
+            LIBS="$LIBS $KERBEROS_LIBS"
+            AC_TRY_LINK([],
+                        [ SOCKSconnect(); ],
+                        [],
+                        [ AC_MSG_ERROR(Could not find the $withval library. You must first install socks5.) ])
+            LIBS="$TMPLIBS"
+            ;;   
+          esac ],
+          AC_MSG_RESULT(no)
+  )        
+fi
+
+if test "x$socks" = "x"; then
+        AC_MSG_CHECKING(whether to support SOCKS4)
+        AC_ARG_WITH(socks4,
+        [  --with-socks4[=PATH]    Compile with SOCKS4 firewall traversal
+support.],
+        [ case "$withval" in
+          no)    
+            AC_MSG_RESULT(no)
+            ;;   
+          *)     
+            AC_MSG_RESULT(yes)
+            socks=4
+            if test "x$withval" = "xyes"; then
+              withval="-lsocks"
+            else 
+              if test -d "$withval"; then
+                withval="-L$withval -lsocks"
+              fi 
+            fi   
+            LIBS="$withval $LIBS"
+            AC_TRY_LINK([],
+                        [ Rconnect(); ],
+                        [],
+                        [ AC_MSG_ERROR(Could not find the $withval library. 
+You must first install socks.) ])
+            ;;   
+          esac ],
+          AC_MSG_RESULT(no)
+ )        
+fi               
+
+
+
+if test "x$socks" = "x4"; then
+    AC_DEFINE(SOCKS)
+    AC_DEFINE(SOCKS4)
+    CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+    LDFLAGS="$LDFLAGS -L/usr/local/lib"
+fi               
+
+if test "x$socks" = "x5"; then
+    AC_DEFINE(SOCKS)
+    AC_DEFINE(SOCKS5)
+    AC_DEFINE(Rconnect,SOCKSconnect)
+    AC_DEFINE(Rgetsockname,SOCKSgetsockname)
+    AC_DEFINE(Rgetpeername,SOCKSgetpeername)
+    AC_DEFINE(Rbind,SOCKSbind)
+    AC_DEFINE(Raccept,SOCKSaccept)
+    AC_DEFINE(Rlisten,SOCKSlisten)
+    AC_DEFINE(Rselect,SOCKSselect)
+    AC_DEFINE(Rrecvfrom,SOCKSrecvfrom)
+    AC_DEFINE(Rsendto,SOCKSsendto)
+    AC_DEFINE(Rrecv,SOCKSrecv)
+    AC_DEFINE(Rsend,SOCKSsend)
+    AC_DEFINE(Rread,SOCKSread)
+    AC_DEFINE(Rwrite,SOCKSwrite)
+    AC_DEFINE(Rrresvport,SOCKSrresvport)
+    AC_DEFINE(Rshutdown,SOCKSshutdown)
+    AC_DEFINE(Rlisten,SOCKSlisten)
+    AC_DEFINE(Rclose,SOCKSclose)
+    AC_DEFINE(Rdup,SOCKSdup)
+    AC_DEFINE(Rdup2,SOCKSdup2)
+    AC_DEFINE(Rfclose,SOCKSfclose)
+    AC_DEFINE(Rgethostbyname,SOCKSgethostbyname)
+    CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+    CFLAGS="$CFLAGS -DSOCKS"
+    LDFLAGS="$LDFLAGS -L/usr/local/lib"
+fi               
+
 dnl    Checks for library functions.
 AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock dirname fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getopt getnameinfo getrlimit getrusage getttyent glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty readpassphrase realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setrlimit setsid setvbuf sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp utimes vsnprintf vhangup waitpid _getpty __b64_ntop)
 dnl    Checks for time functions
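Review bot: `CFLAGS="$CFLAGS -DSOCKS"` in the SOCKS5 block duplicates the `AC_DEFINE(SOCKS)` a few lines above it and has no counterpart in the SOCKS4 block, so the two branches do not configure the same thing; drop the CFLAGS line and let config.h carry the macro for both. `-I/usr/local/include` and `-L/usr/local/lib` are also appended unconditionally, even when `--with-socks5=PATH` already added the requested include and library directories, so depending on link-line order a stale copy of the library under /usr/local may be picked up ahead of the one the user asked for; consider adding them only when no PATH was given. The help string for `--with-socks4` and its `AC_MSG_ERROR` text both contain a literal line break, which presumably is mail wrapping but would produce odd `configure --help` output if applied as is.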
@@ -1838,6 +1973,12 @@
 	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
 	[ AC_DEFINE(DISABLE_PUTUTXLINE) ]
 )
+AC_ARG_ENABLE(scp-stats,
+[  --disable-scp-stats             disable scp statistics display [no]],
+       AC_DEFINE(DISABLE_SCP_STATISTICS)
+       AC_MSG_RESULT(yes)
+)
+
 AC_ARG_WITH(lastlog,
   [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
 	[
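Review bot: `AC_ARG_ENABLE`'s action runs for both `--enable-scp-stats` and `--disable-scp-stats`, so enabling the option explicitly still defines `DISABLE_SCP_STATISTICS`; the neighbouring `--disable-pututxline` option has the same shape, so this follows local convention, but the help text promises the opposite. Checking the value, `[ if test "x$enableval" = "xno"; then AC_DEFINE(DISABLE_SCP_STATISTICS); fi ]`, fixes it in one line. The `AC_MSG_RESULT(yes)` has no preceding `AC_MSG_CHECKING`, so it prints a bare "yes" into the configure output and should be removed.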
diff -u openssh-2.9.9p2.old/includes.h openssh-2.9.9p2/includes.h
--- openssh-2.9.9p2.old/includes.h	Wed Sep 19 19:07:51 2001
+++ openssh-2.9.9p2/includes.h	Sat Oct  6 17:10:37 2001
@@ -23,6 +23,11 @@
 
 #include "openbsd-compat/bsd-nextstep.h"
 
+#if defined(SOCKS5)
+/* does not support IPV6 */
+#include "socks.h"
+#endif
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
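Review bot: `"socks.h"` is included before `<sys/types.h>` and `<sys/socket.h>`, yet it presumably declares the `SOCKS*` wrappers in terms of socket types; placing the conditional include after the system headers avoids depending on socks.h pulling them in itself. The comment `/* does not support IPV6 */` does not say what it refers to; `/* SOCKS wrapper library is IPv4-only; see the SOCKS branches in sshconnect.c */` would. Note also that the SOCKS4 configuration defines no `SOCKS5`, so that build gets no prototypes for the `R*` calls made in sshconnect.c and they are implicitly declared.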
diff -u openssh-2.9.9p2.old/scp.c openssh-2.9.9p2/scp.c
--- openssh-2.9.9p2.old/scp.c	Wed Sep 19 17:57:56 2001
+++ openssh-2.9.9p2/scp.c	Sat Oct  6 17:42:08 2001
@@ -128,7 +128,11 @@
 int verbose_mode = 0;
 
 /* This is set to zero if the progressmeter is not desired. */
+#if defined(DISABLE_SCP_STATISTICS)
+int showprogress = 0;
+#else
 int showprogress = 1;
+#endif
 
 /* This is the program to execute for the secured connection. ("ssh" or -S) */
 char *ssh_program = _PATH_SSH_PROGRAM;
diff -u openssh-2.9.9p2.old/sshconnect.c openssh-2.9.9p2/sshconnect.c
--- openssh-2.9.9p2.old/sshconnect.c	Tue Aug  7 15:29:09 2001
+++ openssh-2.9.9p2/sshconnect.c	Sat Oct  6 17:10:55 2001
@@ -15,8 +15,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: sshconnect.c,v 1.110 2001/07/25 14:35:18 markus Exp $");
 
-#include <openssl/bn.h>
-
 #include "ssh.h"
 #include "xmalloc.h"
 #include "rsa.h"
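Review bot: Removing `#include <openssl/bn.h>` is unrelated to SOCKS and README.patch does not mention it; if sshconnect.c still uses BIGNUM routines this now relies on them arriving transitively through another header, which is fragile. If the removal is needed to avoid a clash with `socks.h`, a one-line comment saying so would stop the next maintainer from restoring it.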
@@ -182,7 +180,12 @@
 	 */
 	if (privileged) {
 		int p = IPPORT_RESERVED - 1;
+#if defined(SOCKS)
+/* does not support IPV6 */
+		sock = Rrresvport(&p);
+#else /* SOCKS */  
 		sock = rresvport_af(&p, family);
+#endif /* SOCKS */
 		if (sock < 0)
 			error("rresvport: af=%d %.100s", family, strerror(errno));
 		else
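Review bot: Under SOCKS, `sock = Rrresvport(&p);` drops the `family` argument that `rresvport_af` received, so an AF_INET6 attempt silently gets an IPv4 reserved-port socket and any later failure is reported under the misleading `rresvport: af=%d` message. A guard before the call such as `if (family != AF_INET) error("SOCKS: IPv4 only, af=%d unsupported", family);` makes the limitation visible at runtime instead of only in a comment. The comment inside the `#if` block is at column 0 while the surrounding code is indented, and the `#else` line carries trailing whitespace. The enclosing function starts and ends outside the hunk.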
@@ -326,7 +329,12 @@
 			 * the remote uid as root.
 			 */
 			temporarily_use_uid(pw);
-			if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
+#if defined(SOCKS)
+			if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+#else /* SOCKS */
+			if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) 
+#endif /* SOCKS */
+			{
 				/* Successful connection. */
 				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
 				restore_uid();
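Review bot: Splitting `if (...)` from its `{` across the `#if`/`#else` so the brace can be shared is hard to read and easy to break when the condition is next edited, since the two conditions differ only in the function name. Choosing the name once near the top of the file (a small `#if defined(SOCKS)` block defining, say, `SSH_CONNECT` as `Rconnect` or `connect`) lets this line stay `if (SSH_CONNECT(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {` with no preprocessor inside the function body. The new `connect` line also carries trailing whitespace. The enclosing function starts and ends outside the hunk.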

