
Re: iauth broken ?



On Tue, Jan 12, 1999 at 04:47:50PM +0100, Piotr Kucharski wrote:
> On Tue, Jan 12, 1999 at 04:34:20PM +0100, Frank Altpeter wrote:
> > - socks4... forbidden.
> > - socks5... forbidden by ruleset.
> > Is there any bugfix that i have missed yet ?
> It's known. 
> Jonathan Chapman <mr@xxxxxxxx> (iauth socks check is based on
> his code) blames NEC release of socks5, which seems broken and
> not following RFC. Maybe it's high time to tell that to NEC crew.

I've reread RFC1928 once more and I have to disagree with Jonathan's
opinion. They say:

   When a TCP-based client wishes to establish a connection to an object
   that is reachable only via a firewall (such determination is left up
   to the implementation), it must open a TCP connection to the
   appropriate SOCKS port on the SOCKS server system.  The SOCKS service
   is conventionally located on TCP port 1080.  If the connection
   request succeeds, the client enters a negotiation for the
   authentication method to be used, authenticates with the chosen
   method, then sends a relay request.  The SOCKS server evaluates the
   request, and either establishes the appropriate connection or denies
   it.

Here are the stages, once again (if you remember my mail dated
28th Aug), of gaining socks5 access:

1. tcp connect at 1080 usually
2. client sends METHODS request
3. server answers with list of acceptable METHODS
   3a. NO AUTH
   3b. GSSAPI
   3c. USER/PASS
   3d. other
4. connect requests after appropriate authentication

Answers 3b, 3c (and 3d, most probably) mean closed proxies, but
3a does not necessarily, as the RFC says: "either establishes [...]
connection or denies it". Denying the connection is based on rules
configured in socks.

Ircd now checks only for the 'NO AUTH' method and denies the connection,
while this proxy may be perfectly secured with allow/deny rules.
However, if we start checking for rules, a malicious administrator
may deny connections from the irc server requesting a connect to itself
(as is now being done). On the other hand, this check was meant
to deny connections from misconfigured sites, which were abused by
third parties.

Once again: the "NO AUTH" method doesn't mean the proxy is open. Ircd now
classifies it as open.

Piotr
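The four stages above, as an added example that is my own illustration and not ircd's iauth code or Jonathan Chapman's: the RFC 1928 messages encoded and decoded in Python, with constructed server replies, contrasting the verdict ircd reaches after stage 3 with one that waits for the stage 4 reply. Function names and the sample bytes are assumptions of this example.

```python
import struct
SOCKS_VERSION = 0x05
NO_AUTH = 0x00                    # stage 3a
REP_SUCCEEDED = 0x00              # RFC 1928 reply: request granted, relay established
REP_RULESET = 0x02                # "connection not allowed by ruleset"

def methods_request(methods=(NO_AUTH,)):
    """Stage 2: VER | NMETHODS | METHODS... (offer only NO AUTH, like iauth)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def parse_method_selection(data):
    """Stage 3: VER | METHOD; 0xFF means no offered method is acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection reply")
    return data[1]

def connect_request(ip, port):
    """Stage 4: VER | CMD=CONNECT | RSV | ATYP=IPv4 | DST.ADDR | DST.PORT."""
    addr = bytes(int(octet) for octet in ip.split("."))
    return bytes([SOCKS_VERSION, 0x01, 0x00, 0x01]) + addr + struct.pack("!H", port)

def parse_connect_reply(data):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; only REP matters here."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed CONNECT reply")
    return data[1]

def ircd_current_verdict(method_reply):
    """What the post says ircd does today: stop after stage 3, call NO AUTH 'open'."""
    return "open" if parse_method_selection(method_reply) == NO_AUTH else "closed"

def ruleset_aware_verdict(method_reply, connect_reply):
    """Wait for the stage 4 reply: NO AUTH plus a granted CONNECT is open,
    NO AUTH followed by a ruleset denial is closed (3b/3c/3d never reach stage 4)."""
    if parse_method_selection(method_reply) != NO_AUTH:
        return "closed"
    return "open" if parse_connect_reply(connect_reply) == REP_SUCCEEDED else "closed"

# Constructed replies (not captured traffic). A server that picks NO AUTH but
# then refuses the relay with REP 0x02 is the "forbidden by ruleset" case.
SERVER_PICKS_NO_AUTH = bytes([SOCKS_VERSION, NO_AUTH])
SERVER_PICKS_USER_PASS = bytes([SOCKS_VERSION, 0x02])
REPLY_DENIED_BY_RULESET = bytes([SOCKS_VERSION, REP_RULESET, 0x00, 0x01]) + bytes(6)
REPLY_RELAY_GRANTED = bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, 0x01]) + bytes(6)

if __name__ == "__main__":
    print(ircd_current_verdict(SERVER_PICKS_NO_AUTH))                            # open
    print(ruleset_aware_verdict(SERVER_PICKS_NO_AUTH, REPLY_DENIED_BY_RULESET))  # closed
    print(ruleset_aware_verdict(SERVER_PICKS_NO_AUTH, REPLY_RELAY_GRANTED))      # open
```

The same NO AUTH selection yields "open" from the stage-3 check and "closed" from the stage-4 check when the proxy's ruleset refuses the relay, which is the disagreement the post describes.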