Hello,
NB: this patch is provided as an alpha version: it handles only one request at a time for each of the administrative and ident servers.
Why use this patch? This patch can be useful when:
- you provide access to the Internet via your stunnel server and your legislation requires you to keep logs of who connected where and when. In this case, your Squid logs will be filled with the identification of stunnel clients in a very simple way: nothing to ask of the client, as stunnel automatically uses its certificate to fill in the identity fields.
- you want to implement several access profiles for your clients accessing your web proxy/server: as the proxy will send ident requests to stunnel, you can create filter groups to allow/deny access (with redirection to a page that you can customize) depending on stunnel's answer; see the filtergroups option of DansGuardian or the acl options in Squid.
Patch to version : 4.26
Type : new feature
Description : Identification Propagation using stunnel client certificates
The patch proposes to extend the identification propagation provided by the directive 'EXEC=' to the directive 'CONNECT=' when using client certificates. With the EXEC directive, the Subject Name and Issuer Name of clients are put in environment variables, which allows the program to determine the identity of the stunnel client. This patch adds an ident server functionality to stunnel, compliant with RFC 1413, to allow propagation of identification to remote hosts specified by the service directive 'CONNECT='. Additionally, this patch provides an administrative server "bound" to the ident server: on the administrative socket (default 127.0.0.1:790), you can request the number of users currently connected and list them.
How to use this patch ? You just have to add a 'identServer=yes' directive to services that you want to propagate identification.
For example, you can use this patch when connecting to a DansGuardian web proxy (installed on proxy.example.com) with the option authplugin = '/etc/dansguardian/authplugins/ident.conf' enabled in the configuration file (or when connecting to a Squid web proxy compiled with the --enable-ident-lookups option), and the following stunnel configuration file (located in /etc/ssl/stunnel/stunnel-ident.conf):
  ...
  [WEB]
  accept=8080
  connect=proxy.example.com:8080
  identServer=yes
  ...
Stunnel will create a listening socket on 0.0.0.0:113 and answer the requests initiated by DansGuardian.
-- Christophe Nanteuil
Hello,
Since there is a new file included in the compilation process, you need to do the following to apply the patch:
  tar -xzf stunnel-4.26.tar.gz -C /your/path/
  cd /your/path/stunnel-4.26
  patch -p1 < attachment-0001.bin
  aclocal && autoconf && automake && ./configure && make
You can safely ignore the error on the last file when applying the patch (it seems it lacks a carriage return).
On Monday 12 January 2009, Christophe Nanteuil wrote:
Hello,
Moin,
thanks for this mail. Now the compiler went through without problems. The ident server is running.
Now I must learn how to query for ident data.
Thanks again!
2009/1/13 Michael Renner michael.renner@gmx.de:
On Monday 12 January 2009, Christophe Nanteuil wrote:
Hello,
Now I must learn how to query for ident data.
There are 2 servers:
- ident server, compliant with RFC 1413, listens on 0.0.0.0:113 (default). See http://www.faqs.org/rfcs/rfc1413.html
- administrative server, listens on 127.0.0.1:790 (default). Available requests are:
  - list_users : list users currently connected and the number of connections for each user
  - max_users : maximum number of simultaneous users since start
  - max_conns : maximum number of simultaneous connections since start
  - max_conns_user : maximum number of simultaneous connections for 1 user since start
  - nb_users : current number of users connected
  - nb_conns : current number of simultaneous connections
To test the administrative server: echo "nb_users" | nc localhost 790
-- Christophe Nanteuil
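The exchange described in the post above, as an added example that is not part of the stunnel patch or of any proxy's own code: the RFC 1413 query a proxy such as DansGuardian or Squid sends to the ident server the patch adds to stunnel, the reply parser that has to cope with both USERID and ERROR answers, the responder-side logic, and a constructed loopback stand-in for stunnel's ident server so the round trip runs offline. All function names, the sample port numbers and the assumption that the returned user-id is the client certificate's subject DN are the example's own, not taken from the patch.

```python
"""Added example (not code from the stunnel patch or any proxy): the
RFC 1413 exchange between a proxy and the ident server the patch adds to
stunnel, plus a constructed responder so it runs offline."""
import socket
import threading

IDENT_PORT = 113  # RFC 1413 default, where the patched stunnel listens
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}


def build_query(port_on_server, port_on_client):
    """'<port-on-server> , <port-on-client>' CRLF. port-on-server is the TCP
    port on the host running the ident server (stunnel's outgoing source
    port); port-on-client is the port on the querying host (8080 here)."""
    return "%d , %d\r\n" % (port_on_server, port_on_client)


def parse_reply(line):
    """Parse one reply line into a dict; ValueError on malformed input."""
    fields = line.rstrip("\r\n").split(":", 2)  # ports : type : add-info
    if len(fields) != 3:
        raise ValueError("malformed ident reply: %r" % line)
    try:
        ports = tuple(int(x) for x in fields[0].split(","))
        if len(ports) != 2:
            raise ValueError
    except ValueError:
        raise ValueError("bad port pair in ident reply: %r" % line)
    kind = fields[1].strip().upper()
    if kind == "USERID":
        # add-info is '<opsys-field> : <user-id>'; partition once only,
        # because with opsys OTHER the user-id itself may contain ':'
        opsys, sep, userid = fields[2].partition(":")
        if not sep or not userid.strip():
            raise ValueError("USERID reply without user-id: %r" % line)
        charset = "US-ASCII"  # RFC 1413 default when none is given
        if "," in opsys:
            opsys, charset = opsys.split(",", 1)
        return {"ports": ports, "kind": "USERID", "opsys": opsys.strip(),
                "charset": charset.strip(), "userid": userid.strip()}
    if kind == "ERROR":
        err = fields[2].strip().upper()
        if err not in ERROR_TYPES and not err.startswith("X"):
            raise ValueError("unknown ident error type: %r" % err)
        return {"ports": ports, "kind": "ERROR", "error": err}
    raise ValueError("unknown ident response type: %r" % kind)


def ident_lookup(host, port_on_server, port_on_client,
                 ident_port=IDENT_PORT, timeout=5.0):
    """One query/reply round trip, as the proxy does per new connection."""
    with socket.create_connection((host, ident_port), timeout=timeout) as s:
        s.sendall(build_query(port_on_server, port_on_client).encode("ascii"))
        raw = s.makefile("rb").readline(1024)  # replies are short; bound it
    if not raw:
        raise ConnectionError("ident server closed without replying")
    return parse_reply(raw.decode("ascii", "replace"))


def answer_query(table, raw_query):
    """Responder side. `table` maps (port_on_server, port_on_client) to a
    user-id (assumed here: the certificate subject DN) or an ERROR type."""
    try:
        a, b = (int(x) for x in raw_query.split(","))
        if not (1 <= a <= 65535 and 1 <= b <= 65535):
            raise ValueError
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    answer = table.get((a, b), "NO-USER")
    if answer in ERROR_TYPES:
        return "%d , %d : ERROR : %s\r\n" % (a, b, answer)
    return "%d , %d : USERID : OTHER : %s\r\n" % (a, b, answer)  # DN, not a login


def start_fake_ident_server(table):
    """Loopback stand-in for the patched stunnel's ident server; keeps the
    connection open and answers each line. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn, conn.makefile("rb") as f:
            for raw in f:
                reply = answer_query(table, raw.decode("ascii", "replace"))
                conn.sendall(reply.encode("ascii"))

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


# Constructed sample: stunnel connected from source port 51234 to proxy port
# 8080 with a client certificate; the connection from port 51235 had none.
SAMPLE_TABLE = {(51234, 8080): "/C=FR/O=Example/CN=alice",
                (51235, 8080): "NO-USER"}

if __name__ == "__main__":
    port = start_fake_ident_server(SAMPLE_TABLE)
    print(ident_lookup("127.0.0.1", 51234, 8080, ident_port=port))
    print(ident_lookup("127.0.0.1", 51235, 8080, ident_port=port))
```

Against a real deployment of the patch the proxy host would call ident_lookup with the stunnel host's address, stunnel's source port for the connection it just accepted, its own listening port (8080 in the posted configuration) and the default ident_port of 113. The parser deliberately splits the USERID add-info only once, because a subject DN (or any user-id sent with opsys OTHER) may contain a colon, and it accepts the RFC's X-prefixed extension error types instead of treating them as malformed.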
Hello,
I improved the patch for propagating the authentication made by stunnel to the "connect server" using the ident protocol (RFC 1413):
- better implementation of the RFC 1413 protocol (error replies)
- multi-threading of the ident server and ident admin server: they can answer multiple requests (thanks to the great code of stunnel, which permits easy generalization of code and multiplatform support)
- servers keep connections open, which allows several requests without connecting/disconnecting each time
- some bug corrections
This patch allows the "connect server" to just ask stunnel about the client identity using the ident protocol. No double authentication is needed (as long as you use client certificates with stunnel)... It is useful when, on your "connect server" (for example Apache with mod_ident, Squid or DansGuardian), you want to:
- keep a relevant log of who connected and when
- implement access profiles
Refs:
For Apache: http://httpd.apache.org/docs/2.2/mod/mod_ident.html
For Squid: http://www.squid-cache.org/Doc/config/ident_lookup_access/
For DansGuardian: http://dansguardian.org/downloads/detailedinstallation2.html (see Username identification methods)
Feedback welcomed,